Dear Auditor: Let’s Increase Application Release Velocity Together

Back in April of this year, I had the honor of participating in the DevOps Enterprise Forum, hosted by Gene Kim and the IT Revolution team. The three-day event in Portland, Oregon gathered many of the world’s DevOps thought leaders to address obstacles impacting the DevOps movement and develop guidance to assist the DevOps community at large.

One of the biggest challenges of DevOps, especially in heavily regulated industries, is figuring out how to best integrate auditing best practices and guidelines into application development delivery processes -- without compromising velocity or quality. To address this challenge head on, I joined a team of respected DevOps industry individuals at the event, including Ben Grinnell, James Wickett, Jennifer Brady, Sam Guckenheimer, Scott Nasello, and Tapabra Pal. The team’s goal was to work with the Audit community to determine the best methods for addressing the audit-specific challenges associated with software releases and to create some initial guidance for the DevOps community to follow and build on. To extend an olive branch to the Audit community, the team penned an open letter titled, “Love Letter to the Auditor.” Supported by open source guidance, the letter is ultimately intended to help the DevOps community understand the controls they need to put in place and the risks they need to address in order to develop effective code.The letter includes a link to an initial list of audit concerns documented in a DevOps Risks and Controls Matrix. The matrix provides details around each control and the team’s best practices and evidences that have been collected to support the control. The matrix is intended to be collaborative and to be expanded over time by the community. More context surrounding the letter is available in our recently recorded and now on-demand webinar, “On the Road to Shangri-La: Scaling CD from Teams to the Enterprise.” In this session Gene Kim and I discuss the letter (which occurs around the 45-minute mark). Finally, for more information about the project, visit dearauditor.org.Related Resources:

• Improve Compliance with Enterprise DevOps
• Case Study: NJM Insurance Group
• Continuous Delivery for Financial Services