By Deb Radcliff, DevSecOps analyst and editor of CodeSecure’s TalkSecure educational content (syndicated at Security Boulevard & YouTube)
In this show, Deb interviews two innovative technologists driving the DevOps Automated Governance movement. They’re both authors, prolific writers, speakers, and contributors to reference architectures and other materials supporting Automated DevOps Governance.
Bill Bensing, whose mantra is “I build things that build things,” also hosts his own show, “CTRLPhreaks,” focused on closing the gap between technology and governance professionals. He co-authored “Investments Unlimited,” the Automated Governance book for IT Revolution, told in story format like the best-selling Phoenix Project: it follows a fictional company that has modernized its IT infrastructure and must bring it into compliance by applying audit controls within the software delivery lifecycle.
John Willis, commonly referred to as the Godfather of DevOps, also co-authored Investments Unlimited and the well-known “DevOps Handbook”. He currently focuses on everything Deming, the famous engineer recognized in the field of quality management, with his latest book “Deming’s Journey to Profound Knowledge.”
Together, and with the help of other experts, Bensing and Willis are on a mission to bridge the gap between audit, compliance, IT, and DevOps through automation while reducing the “toil” for developers and auditors.
“Audit is in neverland. It’s not really in ITsec, not really in DevOps, and not in DevSecOps really. So, we created a paper that we thought was revolutionary,” says Willis.
Yet, surprisingly, their initial DevOps Automated Governance Reference Architecture didn’t catch on as they had expected. But once they expanded the framework and published it in story form in 2022, development teams and auditors began their pivot toward automated compliance, Willis adds.
The key to automation is making the architecture useful to auditors who don’t know a thing about software, while reducing toil for developers, adds Bensing. “How do we change the way people work under this increased scale and scope of a growing number of compliance issues?” And how, he asks, do you do so without humans having to sign off at every new build stage in today’s fast-paced DevOps environments?
Ultimately, automation tied to irrefutable, auditable attestations will protect developers and auditors from liability, they contend, while also improving the provenance and pedigree of data tied to Software Bills of Materials.
Watch the video and learn more here.
Resources: