With DevOps practices on the rise, assurance over the controls is creating headaches for internal audit and risk functions. Cristiana Mirosanu and Ian Greaves present an assurance case study and six practical steps to enhance your assurance practices.
DevOps is a combination of tools, practices and cultural philosophies around software development and operations that increases an organisation's ability to deliver applications and technology services at a higher speed than traditional software development models. Internal audit and risk functions have a pivotal role to play, not just in change strategy and overall governance, but also in identifying risks and opportunities in improving security throughout the entire software development life cycle.

Growth of DevOps in large organisations

The adoption of DevOps practices is increasing among large corporate organisations, especially in those that internally develop software for business or customer-facing applications. According to Gartner, the adoption of DevOps within organisations has grown from 10% of companies using this model in 2020, to 40% by 2023. By breaking down silos and fostering a culture of collaboration, DevOps is intended to help organisations achieve faster time-to-market, improved quality, and enhanced customer satisfaction. This shift has been accelerated by the increasing use of public cloud infrastructure, with public cloud providers offering a plethora of tools to help organisations leverage DevOps practices.

Adopting such practices can be challenging, though. Gartner also estimated that in 2022, ‘75% of DevOps initiatives would fail to meet expectations due to issues around organisational learning and change’. Other risks may be exacerbated, too: around data security, misalignment of software with business or customer requirements, insufficient documentation, and difficulty in meeting compliance or regulatory requirements. Organisations are addressing the security risk around DevOps by implementing security activities and governance at multiple steps in the DevOps process – a methodology which has been named DevSecOps.

Illustration: the multiple steps in the DevOps process

Traditional audit methods may not apply

While DevOps brings numerous benefits, it also poses challenges for internal auditors. These arise from the rapid pace of development, increased automation, and changes to the traditional software delivery life cycle. As a result, some traditional audit methods are incompatible with the pace of change that DevOps drives, which may lead to less effective assurance.

We have identified several key areas of challenge:

Lack of documentation

DevOps engineers rely heavily on automated processes, configuration management and infrastructure-as-code. In our experience, version control over the organisation’s software development methodology often presents weaknesses. These conditions can lead to a lack of traditional documentation, such as logs or activity reports, making it difficult for auditors to trace changes, assess controls and ensure compliance.

Frequent and rapid releases

DevOps promotes frequent and rapid software releases, sometimes multiple times a day. This creates a dynamic environment where controls and risks can change rapidly, making it challenging for auditors to keep up and assess the effectiveness of controls.

Distributed and decentralised infrastructure

DevOps is enabled by technology advancements, such as cloud computing, containerisation, and micro-services, resulting in a distributed and decentralised infrastructure. Application programming interfaces (APIs) are becoming more critical for organisations, as these connect various technology applications and services. Auditors must understand the complexities of these architectures to identify and assess risks accurately.

Automation and self-service

DevOps relies heavily on automation and self-service capabilities. While automation improves efficiency, it reduces risk only if the configurations are made and maintained in line with good practice guidelines. Auditors need to adapt their approach to assess automated processes.

Collaboration and roles

Segregation may not be maintained between developers and implementers due to more frequent, iterative changes and multi-skilled roles within DevSecOps teams. Developers may also have elevated access to directly change production environments. Auditors need to assess whether automated guardrails are in place to require secondary approvals before changes are implemented.


Case study: how we adapted our assurance for DevOps

Over the last few years, we have developed an audit framework to help organisations gain assurance over their use of DevOps and DevSecOps methodologies. This has been refined and put to practice with large organisations, tailoring our approach based on the particularities of each organisation’s DevOps adoption and maturity levels. The framework is aligned with the key stages in the DevOps process and encourages assessment of security at every step in the DevOps practice. We used guidance from the Cloud Security Alliance, and the Well-Architected Frameworks of the major cloud vendors, such as Amazon Web Services, Microsoft Azure, and Google Cloud.

We performed an audit of a manufacturing client’s DevSecOps processes, risks, and controls. Some of the key risks we considered included:

  • whether organisational constraints prevent reaching acceptable maturity of DevOps practices and slow realisation of benefits
  • low maturity of continuous deployment practices leading to delayed testing, rework, or poor releases
  • lack of transparency and governance over existing DevOps practices leading to incidents and regulatory non-compliance.

There was a lack of strategic alignment between teams, which meant the solutions developed did not generate the expected value for the business. Through collaboration and early involvement, the auditors could identify in a timely manner areas where DevOps adoption was not meeting its intended objectives.

Security testing required enhancements to ensure the use of open-source software would not introduce critical vulnerabilities to the main codebase. The auditors also leveraged the existing tools and automations to better quantify and report on the business impact and risks associated with technology services.

The existing DevOps operating and support models could be expanded to realise the intended benefits. The auditors are continuously learning and upskilling through industry events and close collaboration with DevSecOps specialists to advise management on DevOps good practice guidelines.

Six steps to enhance your assurance practices

We also found ways to flip the DevOps challenges into opportunities for better, more robust assurance. There are several ways to leverage the innovations in DevOps and DevSecOps to improve the assurance process:

1 Increase collaboration

Encourage collaboration and communication between auditors, engineers and other teams in IT. Auditors should leverage the knowledge of specialists in the business to guide assessments of risk and whether appropriate mitigations are in place.

2 Maturity assessments

Perform a review of the maturity of DevOps and DevSecOps practices across the organisation, identifying strengths and weaknesses, with a view to adapting assurance practices and procedures. Auditors can also leverage the results of such a review when considering whether suggested audit actions could be feasibly implemented enterprise wide.

3 DevOps audit procedures

Taking learnings from how the technology function has adapted legacy software development practices to DevOps, tailor audit procedures to fit the DevOps context. Auditors should ensure that controls are designed and tested to accommodate the characteristics of DevOps environments.

4 Embedding security considerations

The DevOps industry is now ‘shifting left’ on security in a deliberate effort to embed security activities earlier in the process. Auditors should assess whether security controls are considered throughout the DevOps cycle, from requirements definition, access to tooling and the source code, to testing and handover to security teams for ongoing monitoring.

5 Continuous monitoring and reporting

Leveraging the existing automated monitoring tools, work with DevOps engineers to continuously assess controls, detect anomalies, and generate real-time reports. Auditors should use these to stay informed and provide timely insights to management.

6 Iterative audits

Regularly review and refine audit procedures based on feedback from the development and operations teams. As DevOps practices encourage iterative work patterns, auditors should also be prepared to update their scopes and testing in a similarly iterative manner.

DevOps practices are here to stay

DevOps can be used by organisations to drive innovation and a faster pace of software development and releases to meet business and customer needs. As such, this methodology is here to stay, and we can expect it to be adopted a lot more widely, especially across organisations that maintain their own software.

Audit and risk functions should be aware of the challenges this poses, and gaining assurance over DevSecOps controls is now a key concern. Addressing issues arising from DevOps adoption can also bring the potential for organisations to flip these challenges and create opportunities for better, more robust assurance in a dynamic environment.

For more insight and guidance, get in touch with Cristiana Mirosanu.