We are thrilled to announce 📢 Kosli is now SOC 2 Type 2 compliant - Read more
New Feature: Kosli Trails is liveCreate comprehensive audit trails for any DevOps activity - Read more
Kosli devops change management continuous compliance

Introducing Continuous Compliance with Kosli

Mike Long
Author Mike Long
Published February 22, 2021 in technology
clock icon 4 min read

In this article we introduce new technology that allows you to automate the change and release compliance in a Secure Software Development Lifecycle. It’s called Kosli, the DevOps Change Management tool for teams in regulated industries.

Delivering software in regulated industries

First, let’s look at the problem we’re solving. The modern world depends on financial transactions, air traffic control, insulin pumps and car braking systems. When technology becomes critical to our lives and our economies there is increased demand from customers and regulatory bodies to control these risks.

To meet these requirements, organizations must define software development processes that ensure that safety and security risks are managed in a professional and repeatable manner.

Having defined and implemented a process, it is critical to document proof that the process is being followed. It is this evidence that auditors inspect to ensure that the organization is compliant with the regulations.

Software is eating the world

Regulated software development processes require many activities like version control practices, code review, security scanning and testing. Typically, these activities are spread over several software systems.

This makes it hard to know if the compliance process is being followed and to know what to do if/when compliance steps are skipped. Eventually, this creates a headache when it’s time for release and audit.

software delivery process

As software takes an increasingly central role in the success of all types of businesses, the demand to deliver more frequently increases the pressure on innovation cycle times.

For regulated industries, the challenge is overcoming traditional change management processes, like ITSM ticketing systems and CAB meetings, that are time-consuming and do little to mitigate risks.

Accelerating with DevOps

Through a combination of culture, automation, lean measurement, and sharing changes, DevOps enables today’s best performing technology organizations. However, meeting compliance requirements with DevOps demands a new approach.

Most regulations are written for general guidance and don’t specify an exact recipe to follow. In order to comply, organizations have traditionally implemented manual documentation and gate-checks, with every software release documenting the proof that the agreed processes have been followed.

Kosli’s DevOps Change Management tool gives you DevOps freedom, compliance AND speed, and 4D observability over your environments and pipelines, enabling you to achieve compliance you can trust without slowing down.

DevOps Change Management

Kosli records your software process automatically. It provides an API for recording various compliance events such as build, code review, security scan, and release directly from your DevOps pipelines. Implementing this central system of record provides insight across the organization, giving development, operations, security and risk a shared view of compliance.

An important consideration when choosing how to store this data is how it will be used. When the goal is to prove compliance with a software process, it is essential that the data is stored using a provable, secure, tamper-proof method.

Storing information in a way that allows for untraceable modification is pointless. This is why Kosli is based on artifact binary provenance secured in an append-only datastore. It allows new versions of data to be added without losing the history. It is only with this non-modification guarantee that compliance can be proven.

DevOps Compliance Journal
Automated Provable Audit Trail
API-Based Secure System of Records
Silo-breaking Process Aware Append-only

Change Control

The first step in automating your software process compliance is to start recording the audit trail in your DevOps pipeline. The DevOps pipeline is the best place to do this because it is the heartbeat of software change.

By recording the relevant change control data in your DevOps pipeline you can query it for change control. How this is implemented depends on your process, but it could be a pre-merge control, or an artifact promotion control. However you approach this, the end result is the same: all changes in your software are automatically compliant with your process.

change control process

Now that you have your software change process under control, the next step is to manage the release process.

Release Control

Most software releases are made up of a collection of individual changes. The challenge this imposes on regulated software teams is proving that all of the changes included in a release have followed process.

release control process

Kosli provides aggregate and composite views of change. This enables all stakeholders to automatically share a common view of compliance across development, test, security, internal and external audit.

Continuous Compliance with Kosli

Delivering at pace within a safe, secure, and repeatable process puts extra demands on regulated industries. Kosli’s DevOps Change Management solves the compliance bottleneck by producing a cryptographically secure, version-aware record that fits into your existing ways of working. Ultimately, it means regulated teams can deploy at the speed of DevOps in a secure and risk-free way.

Stay in the loop with the Kosli newsletter

Get the latest updates, tutorials, news and more, delivered right to your inbox
Kosli is committed to protecting and respecting your privacy. By submitting this newsletter request, I consent to Kosli sending me marketing communications via email. I may opt out at any time. For information about our privacy practices, please visit Kosli's privacy policy.
Kosli team reading the newsletter

Got a question about Kosli?

We’re here to help, our customers range from larges fintechs, medtechs and regulated business all looking to streamline their DevOps audit trails

Contact us
Developers using Kosli