Virtualization Technology News and Information
Transform Your Audit Program for Continuous Assurance

By Francis Ofungwu, Global Field CISO at GitLab

As organizations increasingly adopt DevSecOps tools and methodologies, auditors often find themselves left behind in the process, as traditional controls for compliance and regulation can be inefficient and difficult to scale at the speed of modern workflows. Organizations must understand the symbiotic relationship between developers and auditors. A recent survey from GitLab found that over one-third of respondents (37%) included security and governance as part of their DevSecOps implementation, but if auditors are not educated on modern DevSecOps processes, they may audit in isolation, leading to shared frustration when engineering teams cannot produce the requested audit artifacts.

A traditional, checklist-based approach for point-in-time evidence collection does not work for the modern development life cycle due to the rapid rate of change. By proactively collaborating on continuous assurance processes, organizations can reduce time spent on compliance controls, and adopt an always-on, continuous approach to effectively and efficiently manage risk. 

Let's walk through five critical steps that organizations can take to build an audit program that aligns with the speed and tactics of DevSecOps. 

Use Established Guidelines for Baseline Frameworks

One approach is to find a common set of controls that address a significant portion of compliance mandates within an organization. For example, the NIST Secure Software Development Framework (SSDF) can serve as a baseline, while enabling organizations to customize certain requirements to meet specific vertical or geographic requirements.

Meet Developers Where They Are

In an everything-as-code world, audit and compliance controls have to follow suit. The cloud, containers, code repositories, CI/CD, and other components of DevSecOps workflows can actually make it easier to audit, because the tenets of risk and governance can be easily automated. For example, DevSecOps workflows allow you to implement strong separation of duty and change controls by programmatically enforcing mandatory approval rules before a change can proceed.

Use the CI/CD Pipeline for Governance Orchestration

As organizations mature in DevSecOps practices, the CI/CD pipeline becomes the orchestrator of all activities from ideation to production. As a result, auditors can accelerate their review lifecycle by simply inspecting each activity enforced at the pipeline level. For example, automated security testing can be enforced as part of the production pipeline, and guardrails can be applied to prevent both authorized and unauthorized personas from bypassing this step. If an audit can evidence that all in-scope applications and environments are a result of the approved pipeline, this accelerates the validation process to ensure that the correct security and compliance steps were taken in development. 
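The two controls described above (independent approval before a change proceeds, and mandatory security testing that nobody can bypass, with evidence that production came from the approved pipeline) can be verified continuously rather than at audit time. The following is an added example, not code from this article or from GitLab: it evaluates a handful of constructed change records against those controls and returns per-change findings an auditor could consume. The record format, the rule names, and the required job names are assumptions.

```python
"""Continuous-assurance check over CI/CD change records.

Added example, not code from the article or from GitLab. The record
format and policy constants are assumptions; the records are constructed.
"""
from dataclasses import dataclass

REQUIRED_SECURITY_JOBS = {"sast", "dependency_scanning"}  # assumed policy


@dataclass
class Change:
    change_id: str
    author: str
    approvers: list            # user names who approved the change
    jobs: dict                 # pipeline job name -> final status
    pipeline_id: str           # pipeline that ran on the change
    deployed_from_pipeline: str  # pipeline that actually shipped it


def evaluate_change(change):
    """Return a list of control violations for one change (empty = passes)."""
    findings = []

    # Separation of duty: the author must not be the only approver.
    independent = [a for a in change.approvers if a != change.author]
    if not independent:
        findings.append("no approval independent of the author")

    # Mandatory security testing must have run and passed in the pipeline.
    for job in sorted(REQUIRED_SECURITY_JOBS):
        status = change.jobs.get(job)  # None when the job never ran
        if status != "success":
            findings.append(f"required job {job!r} status={status!r}")

    # Production must originate from the change's own (approved) pipeline.
    if change.deployed_from_pipeline != change.pipeline_id:
        findings.append("deployment did not originate from the change's pipeline")

    return findings


def audit(changes):
    """Map change id -> findings; the output is the audit evidence itself."""
    return {c.change_id: evaluate_change(c) for c in changes}


# Constructed sample records (not real data).
SAMPLE_CHANGES = [
    Change("chg-101", "alice", ["bob"],
           {"sast": "success", "dependency_scanning": "success"},
           "pipeline-3001", "pipeline-3001"),          # compliant
    Change("chg-102", "carol", ["carol"],
           {"sast": "success", "dependency_scanning": "success"},
           "pipeline-3002", "pipeline-3002"),          # self-approved
    Change("chg-103", "dave", ["erin"],
           {"dependency_scanning": "success"},         # sast never ran
           "pipeline-3003", "pipeline-999"),           # shipped from elsewhere
]

if __name__ == "__main__":
    for change_id, findings in audit(SAMPLE_CHANGES).items():
        print(change_id, "PASS" if not findings else findings)
```

Running the block prints one line per change; chg-101 passes, chg-102 fails separation of duty, and chg-103 fails both the mandatory-scan and approved-pipeline checks. In practice the records would be pulled from the CI/CD system's API on a schedule, so the evidence is generated continuously instead of assembled for a point-in-time audit.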

Cultural Changes and Shared Responsibility

Cultural change is vital to fostering shared responsibility, accountability, and adherence to compliance standards throughout the development process. The effort to build an auditing program should not be restricted to developers, security practitioners, and in-house auditors; it starts with organizational leaders enabling a cultural focus on compliance, where all team members take ownership of their impact on the software development lifecycle.

Preparation and Ongoing Maintenance

A memorandum of understanding (MOU) or agreement should be established months before an audit occurs, defining how audit standards and controls will be met using modern DevSecOps principles. To adhere to compliance requirements, organizations must ensure that the governance framework is reflected in the software development processes, rather than a separate process that must be designed, implemented, and maintained independently. 

Continuous assurance should ultimately be considered a byproduct of good practices designed early in the process, rather than something developers spend separate cycles designing, implementing and maintaining. As cyber threats increase and organizations face pressure to remain compliant and secure, an audit program is not optional. Leadership buy-in, organization commitment, and collaboration between security, development, and auditing teams are crucial to the success of implementing an effective audit program and developing a strong compliance framework.  


Francis Ofungwu is the Global Field CISO at GitLab and leads the organization's software security field practice. Francis has two decades of experience in cybersecurity and compliance management. His expertise includes strategic planning, leading cross-functional teams, application security program development, digital privacy, and incident management. Prior to joining GitLab, Francis led the design and execution of cybersecurity programs for several large enterprises in various industries, and has served multiple roles where he was accountable for the management, engineering, and operations for cybersecurity functions in the U.S., EMEA, and APAC. Francis presents regularly to executive management, boards and audit committees on the importance and success models of cybersecurity and privacy.

Published Monday, April 15, 2024 1:02 PM by David Marshall