<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Blog | Kosli on Kosli - Make Friends with Change</title>
    <link>https://www.kosli.com/blog/</link>
    <description>Recent content in Blog | Kosli on Kosli - Make Friends with Change</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <copyright>© Kosli 2026</copyright>
    <atom:link href="https://www.kosli.com/blog/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Introducing Code Repositories in Kosli</title>
      <link>https://www.kosli.com/blog/introducing_code_repositories_in_kosli/</link>
      <pubDate>Mon, 13 Apr 2026 08:32:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/introducing_code_repositories_in_kosli/</guid>
      <description>Kosli gives your organization a complete picture of software delivery - every build, scan, deployment, and compliance event tracked. Until now that picture was most useful to the people managing governance. However, developers shipping code had to ask someone else what versions of their code were running, how long it was taking to get to production, or what their deployment frequency was. Repositories change that. The same data that powers your compliance layer now gives development teams a view organized around the questions they actually ask.</description>
    </item>
    
    <item>
      <title>Kosli and Adaptavist Partner to Automate Governance for AI driven Software Delivery</title>
      <link>https://www.kosli.com/blog/kosli_and_adaptavist_partner_to_automate_governance_for_ai_driven_software_delivery_at_enterprise_scale/</link>
      <pubDate>Tue, 07 Apr 2026 15:07:30 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli_and_adaptavist_partner_to_automate_governance_for_ai_driven_software_delivery_at_enterprise_scale/</guid>
      <description>Today, Kosli and Adaptavist announce a strategic partnership to help regulated enterprises automate governance for AI driven software delivery - making it automated, continuous, and evidence-driven rather than a manual checkpoint that sits apart from DevOps and CI/CD.
Adaptavist brings deep enterprise DevOps transformation expertise: assessment and strategy, DevSecOps integration, developer experience, and implementation across Atlassian, GitLab, and AWS. They work with some of the world&amp;rsquo;s largest organisations to align people, processes, and toolchains for faster, safer software delivery.</description>
    </item>
    
    <item>
      <title>Introducing kosli evaluate: Rego Policy Evaluation for Your Compliance Data</title>
      <link>https://www.kosli.com/blog/introducing_kosli_evaluate/</link>
      <pubDate>Wed, 01 Apr 2026 12:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/introducing_kosli_evaluate/</guid>
      <description>If you&amp;rsquo;re evaluating compliance controls against your Kosli trail data today, there&amp;rsquo;s a good chance you&amp;rsquo;ve written some glue code to make it work. A script that pulls trail data from the API. Another that downloads attestations one by one. Something that mangles the JSON together into a shape that your chosen compliance engine can evaluate. And then that engine itself, whether it&amp;rsquo;s OPA, a custom Python script, or something else, installed and configured in your pipeline.</description>
    </item>
    
    <item>
      <title>Governing AI Generated Code - A Hands-On Experiment with Entire and Kosli</title>
      <link>https://www.kosli.com/blog/governing_ai-generated_code_a_hands-on_experiment_with_entire_and_kosli/</link>
      <pubDate>Fri, 27 Feb 2026 12:12:55 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/governing_ai-generated_code_a_hands-on_experiment_with_entire_and_kosli/</guid>
      <description>Can you create an audit trail for what your AI agent actually did, and enforce rules about what it was allowed to do? Here&amp;rsquo;s what I found after spending a session wiring the two tools together.
The Problem Nobody Has Solved Yet
AI coding assistants have crossed a threshold. Developers aren&amp;rsquo;t just using them to autocomplete a line or explain a stack trace. They&amp;rsquo;re delegating whole features, refactors, and infrastructure changes to agents that run dozens of tool calls autonomously before you even see the diff.</description>
    </item>
    
    <item>
      <title>A Technical Guide to Controls Engineering</title>
      <link>https://www.kosli.com/blog/a_technical_guide_to_controls_engineering/</link>
      <pubDate>Mon, 16 Feb 2026 15:00:46 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/a_technical_guide_to_controls_engineering/</guid>
      <description>Why Software Delivery Governance Matters
The modern world runs on mission-critical software. It moves our money, drives our cars, diagnoses our illnesses, and fundamentally improves our lives. But organizations building this critical software face a paradox: they need to move fast to stay competitive, but they also need rigorous governance to manage risk.
This has created a lot of tension in regulated industries. Engineering teams have spent over a decade investing in DevOps and cloud technologies, automating their way to multiple deployments per day.</description>
    </item>
    
    <item>
      <title>Environment support in Terraform Provider for Kosli - v0.2.0</title>
      <link>https://www.kosli.com/blog/environment_support_in_terraform_provider_for_kosli_-_v0-2-0/</link>
      <pubDate>Fri, 13 Feb 2026 08:56:29 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/environment_support_in_terraform_provider_for_kosli_-_v0-2-0/</guid>
      <description>We&amp;rsquo;re excited to announce support of physical environments in the Terraform Provider for Kosli!
What&amp;rsquo;s Included
Environment Management:
Full lifecycle support for creating, updating, and managing physical environment types:
K8S, ECS, S3, docker, server, and lambda.
Manage legacy environments as IaC:
Import your existing physical environments to have Terraform manage them.
Example
Here&amp;rsquo;s a simple example of how you can provision a Kubernetes environment using Terraform:
main.tf
terraform { required_providers { kosli = { source = &amp;#34;kosli-dev/kosli&amp;#34; version = &amp;#34;~&amp;gt; 0.</description>
    </item>
    
    <item>
      <title>Terraform Provider for Kosli - v0.1.0</title>
      <link>https://www.kosli.com/blog/terraform_provider_for_kosli_-_v0-1-0/</link>
      <pubDate>Wed, 11 Feb 2026 09:08:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/terraform_provider_for_kosli_-_v0-1-0/</guid>
      <description>We&amp;rsquo;re excited to announce the very first release of the official Terraform Provider for Kosli. This is only the start of the journey for managing Kosli resources at scale!
Why This Matters To You
Infrastructure as Code =&amp;gt; Compliance as Infrastructure
Now you can manage your Kosli custom attestation types the same way you manage your infrastructure: versioned, reviewable and reproducible.
Avoid click-ops in the UI or home-made scripts using the CLI and API.</description>
    </item>
    
    <item>
      <title>Kosli and Team Topologies - A Strategic Partnership for SDLC Governance</title>
      <link>https://www.kosli.com/blog/kosli_and_team_topologies_-_a_strategic_partnership_for_sdlc_governance/</link>
      <pubDate>Tue, 03 Feb 2026 14:42:12 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli_and_team_topologies_-_a_strategic_partnership_for_sdlc_governance/</guid>
      <description>We&amp;rsquo;re delighted to announce a strategic partnership between Kosli and TeamTopologies - a collaboration that brings together SDLC Governance automation with the world&amp;rsquo;s leading framework for organizing business and technology for fast flow of value. This partnership is the formalization of 10 years of collaboration between Mike Long and Matthew Skelton, working on various initiatives to promote the delivery of business value through innovative approaches to optimizing how we organize teams and technology.</description>
    </item>
    
    <item>
      <title>Designing an automated SDLC control</title>
      <link>https://www.kosli.com/blog/designing_an_automated_sdlc_control/</link>
      <pubDate>Wed, 28 Jan 2026 12:01:11 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/designing_an_automated_sdlc_control/</guid>
      <description>For anyone shipping software in regulated industries, the word &amp;ldquo;control&amp;rdquo; gets thrown around all over. Compliance frameworks demand controls, auditors verify controls are used, engineering teams implement controls, and there are even Control Owners. But what exactly is a control? And more importantly, how do we design controls that actually serve their intended purpose while enabling rather than hindering delivery velocity?
Here at Kosli, I’ve spent a lot of time with enterprises understanding their complex compliance requirements.</description>
    </item>
    
    <item>
      <title>Evidence, Not Screenshots. How Teams Stay Always Audit-Ready in ServiceNow</title>
      <link>https://www.kosli.com/blog/evidence_not_screenshots-_how_teams_stay_always_audit-ready_in_servicenow/</link>
      <pubDate>Tue, 20 Jan 2026 14:17:55 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/evidence_not_screenshots-_how_teams_stay_always_audit-ready_in_servicenow/</guid>
      <description>In regulated environments, slow change is often blamed on process.
Too many approvals.
Too much governance.
Too much red tape.
But in reality, most delays are not caused by regulation itself.
They are caused by missing, fragmented, or untrusted evidence.
Screenshots pasted into tickets.
Proof assembled weeks later.
Approvals stalled because no one can confidently say whether a change actually meets policy.
When evidence is an afterthought, compliance turns into chaos.</description>
    </item>
    
    <item>
      <title>ServiceNow Without the Ticket Hell</title>
      <link>https://www.kosli.com/blog/servicenow_without_the_ticket_hell/</link>
      <pubDate>Tue, 20 Jan 2026 14:00:28 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/servicenow_without_the_ticket_hell/</guid>
      <description>How Continuous Evidence Fixes Approval Bottlenecks
ServiceNow is the system of record for change and approvals in most regulated enterprises.
And yet, for many teams, it has become the place where delivery slows to a crawl.
Not because ServiceNow is broken.
But because the evidence model underneath it is.
Developers ship fast through modern CI/CD pipelines, automated tests, and security scans, only to hit a wall when changes reach approval.</description>
    </item>
    
    <item>
      <title>Faster Code, Slower Delivery: The Agentic Coding Paradox in Regulated Enterprises</title>
      <link>https://www.kosli.com/blog/faster_code_slower_delivery_the_agentic_coding_paradox_in_regulated_enterprises/</link>
      <pubDate>Tue, 16 Dec 2025 22:16:27 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/faster_code_slower_delivery_the_agentic_coding_paradox_in_regulated_enterprises/</guid>
      <description>Imagine for a moment that agentic coding tools really do deliver on their promise. Code is written faster, tests are generated automatically, and refactors that once took days now take minutes. On paper, software delivery should accelerate dramatically.
Now imagine you work in a regulated enterprise. The code is ready, but production is still days or weeks away. There are forms to complete, screenshots to gather, evidence to assemble, tickets to update, change records to submit, CABs to attend, and people to wait for.</description>
    </item>
    
    <item>
      <title>The Last Mile - Why Banks Must Automate Trust to Gain Velocity</title>
      <link>https://www.kosli.com/blog/the_last_mile_-_why_banks_must_automate_trust_to_gain_velocity/</link>
      <pubDate>Tue, 09 Dec 2025 09:33:55 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the_last_mile_-_why_banks_must_automate_trust_to_gain_velocity/</guid>
      <description>The financial services industry has spent years modernising its software delivery pipelines. Build and test cycles are fast, infrastructure is automated, and engineering capability is no longer the bottleneck. The slowdown now occurs at the end of the process: the last mile, where a change must prove it is safe before it can enter production.
This final step is governed by a trust layer with people in it. Because the SDLC and CMDB do not share lineage, evidence, or control results, trust is created manually through CABs, approvals, documentation, screenshots, and retrospective audit trails.</description>
    </item>
    
    <item>
      <title>Enhanced Environment Compliance with Environment Policies</title>
      <link>https://www.kosli.com/blog/enhanced_environment_compliance_with_environment_policies/</link>
      <pubDate>Fri, 21 Nov 2025 12:33:05 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/enhanced_environment_compliance_with_environment_policies/</guid>
      <description>We&amp;rsquo;re excited to announce an important enhancement to Kosli that will improve how environment compliance is managed across your organization. Starting with our next release, all compliance evaluation for Kosli environments will be consolidated through our powerful Environment Policies feature.
What&amp;rsquo;s Changing
This update consolidates compliance configuration into a more flexible and powerful system by:
Removing the existing &amp;ldquo;Require Trail Compliance&amp;rdquo; setting from both the UI and CLI
Automatically generating new Environment Policies based on your current compliance settings
Migrating all existing environments to use Environment Policies
Impact on Your Organization
No disruption to your current compliance status.</description>
    </item>
    
    <item>
      <title>Building the Future of Software Delivery Controls: Inside the FINOS SDLC Governance Working Group</title>
      <link>https://www.kosli.com/blog/building_the_future_of_software_delivery_controls_inside_the_finos_sdlc_governance_working_group/</link>
      <pubDate>Thu, 13 Nov 2025 22:04:56 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/building_the_future_of_software_delivery_controls_inside_the_finos_sdlc_governance_working_group/</guid>
      <description>In October, technologists from across the financial industry gathered in New York for OSFF 2025 where the general theme was clear: open collaboration has moved from promises to proof.
Projects like Fluxnova and OpenGris showed how institutions can build shared, production-grade infrastructure. The Common Cloud Controls and AI Governance Framework demonstrated that regulatory assurance can be achieved collaboratively, not competitively.</description>
    </item>
    
    <item>
      <title>Storage and Story: Why Artifact Repositories Need Provenance</title>
      <link>https://www.kosli.com/blog/storage_and_story_why_artifact_repositories_need_provenance/</link>
      <pubDate>Thu, 13 Nov 2025 06:30:26 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/storage_and_story_why_artifact_repositories_need_provenance/</guid>
      <description>How Artifactory and Kosli Create a Complete Chain of Custody for Your Software
The Problem with “What”
An artifact repository like JFrog Artifactory is a cornerstone of modern DevOps.
It stores binaries, versions, and release bundles — your complete “what.”
But when audits or incidents happen, the question quickly shifts from what to how:
“How did this artifact get here — and can we trust it?”
If all you have is a warehouse of files, you’re left scrambling to reconstruct the story.</description>
    </item>
    
    <item>
      <title>How to Automate Change Management Evidence using Kosli and ServiceNow</title>
      <link>https://www.kosli.com/blog/how_to_automate_change_management_evidence_using_kosli_and_servicenow/</link>
      <pubDate>Thu, 13 Nov 2025 05:21:23 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how_to_automate_change_management_evidence_using_kosli_and_servicenow/</guid>
      <description>The Problem: Approvals Waiting on Proof
Are your deployments getting stuck waiting for approvals?
Your code is ready.
Your tests are green.
But your ServiceNow change ticket is still holding up the release.
In most organizations, this isn’t a people problem or a process problem.
It’s an evidence problem.
Every release has to prove that it met the required checks — tests, scans, reviews, and approvals. But when that proof isn’t instantly available, everything slows down.</description>
    </item>
    
    <item>
      <title>Secrets We Forgot… Until Automation Saved Us</title>
      <link>https://www.kosli.com/blog/secrets_we_forgot_until_automation_saved_us/</link>
      <pubDate>Mon, 20 Oct 2025 13:56:58 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/secrets_we_forgot_until_automation_saved_us/</guid>
      <description>We All Have That One Secret&amp;hellip;
That API key that has been sitting in production for ages. The personal access token that was supposed to be rotated 2 months ago. The service key that is about to expire… wait, when does it expire again?
Most developers have experienced working with secrets. We create secrets, use them, and promise ourselves that we will rotate them. But somehow, the secret that was supposed to be rotated after 90 days is still standing strong after 6 months.</description>
    </item>
    
    <item>
      <title>Build. Release. Run. Repeat. But Where’s the Control?</title>
      <link>https://www.kosli.com/blog/build-release-run-repeat-but-wheres-the-evidence/</link>
      <pubDate>Thu, 24 Jul 2025 11:42:48 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/build-release-run-repeat-but-wheres-the-evidence/</guid>
      <description>Every Team Builds, Releases, and Runs Software. But Who Can See the Whole Picture?
In every engineering organization, from fintech unicorns to 20,000-seat global banks, delivery happens in a loop. Code gets built. Releases get pushed. Systems run 24/7. Then it all happens again.
This cycle isn’t an opinionated lifecycle dreamed up by a consultant or vendor; it’s just the reality of software delivery today.
But here’s the problem: while Build, Release, and Run are universal, the data that proves what happened in each stage is fragmented across disconnected tools and teams.</description>
    </item>
    
    <item>
      <title>Security and Compliance Takes Center Stage: Key Insights from Open Source Finance Forum - London 2025</title>
      <link>https://www.kosli.com/blog/security-and-compliance-takes-center-stage-key-insights-from-open-source-finance-forum-london-2025/</link>
      <pubDate>Wed, 25 Jun 2025 10:20:54 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/security-and-compliance-takes-center-stage-key-insights-from-open-source-finance-forum-london-2025/</guid>
      <description>We’ve just wrapped up London’s 2025 Open Source Finance Forum (OSFF) in London and in this blog I’ll try to capture the key highlights from this year’s event while they’re still fresh. Dominant themes were the increasing prominence of legislation and governance frameworks, and what these mean for developers and practitioners. From insightful keynotes on stage to animated conversations over lunch, all around the event there appeared to be widespread agreement that it&amp;rsquo;s time to get serious about governance, compliance, and security.</description>
    </item>
    
    <item>
      <title>The Future of Auditing is Agentic AI</title>
      <link>https://www.kosli.com/blog/the-future-of-auditing-is-agentic-ai/</link>
      <pubDate>Sun, 22 Jun 2025 17:16:55 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-future-of-auditing-is-agentic-ai/</guid>
      <description>Audits are painful for developers AND compliance teams
We’ve solved audits for evidence collection. With AI we’ll solve it for evidence evaluation
What is the point of an SDLC audit?
Audits are a slow and expensive governance loop
As Software speeds up, audit evidence explodes
A quick sidebar on how Kosli works…
Navigating a Sea of Evidence with an Audit Co-pilot
Moving from Continuous Collection to Autonomous Evaluation with Agentic
What could agentic audit interfaces look like?</description>
    </item>
    
    <item>
      <title>Introducing Environment Policy- Gain Unified Control Over Compliance Requirements Across Your Runtime Environments</title>
      <link>https://www.kosli.com/blog/introducing-environment-policy-gain-unified-control-over-compliance-requirements-across-your-runtime-environments/</link>
      <pubDate>Wed, 11 Jun 2025 13:35:19 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/introducing-environment-policy-gain-unified-control-over-compliance-requirements-across-your-runtime-environments/</guid>
      <description>In modern software development, different environments often have different compliance requirements. Your development environment might allow more flexibility, while production demands strict controls around security scans, testing, and code review. Environment Policy helps you codify these requirements and enforce them consistently.
That’s why we&amp;rsquo;re excited to announce the release of Environment Policy, a new feature that gives you fine-grained control over artifact requirements across your different environments. Environment Policy lets you define, enforce, and audit compliance requirements for artifacts being deployed to specific environments like development, staging, and production.</description>
    </item>
    
    <item>
      <title>Flexible, Evidence-Driven Compliance: Meet Kosli’s Custom Attestations</title>
      <link>https://www.kosli.com/blog/flexible-evidence-driven-compliance-meet-koslis-custom-attestations/</link>
      <pubDate>Fri, 06 Jun 2025 16:35:23 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/flexible-evidence-driven-compliance-meet-koslis-custom-attestations/</guid>
      <description>At Kosli, we believe that governance in software delivery shouldn’t be a bottleneck – it should be an extension of how your teams already work. That’s why we’re excited to introduce custom attestations in Kosli.
Here’s the short version:
➡️ What are custom attestations? They let you record facts about your workflows – with evidence – using controls that actually match your processes.
➡️ Why does this matter? Because generic attestations can miss the mark.</description>
    </item>
    
    <item>
      <title>Kosli Changelog May 2025</title>
      <link>https://www.kosli.com/blog/kosli-changelog-may-2025/</link>
      <pubDate>Tue, 03 Jun 2025 10:42:56 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-may-2025/</guid>
      <description>Get trail attestations via the Kosli CLI
A new `get attestation` command was added to the CLI in v2.11.15. This gives you an easy way, using the attestation name, to retrieve information about attestations on either a trail or an artifact. See the docs for more details.
K8S reporter helm chart improvements
Scan namespaces based on regex patterns
A new config parameter reporterConfig.namespacesRegex was added in the K8S reporter helm chart v1.</description>
    </item>
    
    <item>
      <title>How to Strengthen Your SDLC Audit Trail with Improved Access Control in Kosli</title>
      <link>https://www.kosli.com/blog/how-to-strengthen-your-sdlc-audit-trail-with-improved-access-control-in-kosli/</link>
      <pubDate>Tue, 13 May 2025 12:26:32 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-strengthen-your-sdlc-audit-trail-with-improved-access-control-in-kosli/</guid>
      <description>Automating SDLC Governance is one of our key use cases. Kosli gathers all of the evidence your engineering teams need for change management and audit by recording every step in their SDLC, from commit to production, across all of their CI/CD tools. But robust SDLC governance doesn’t just depend on gathering all the necessary data - it also depends on controlling who can add to that data. And that’s exactly what our new access control feature solves.</description>
    </item>
    
    <item>
      <title>Generating and Tracking SBOMs with Kosli: Enhancing Software Security and Supply Chain Transparency</title>
      <link>https://www.kosli.com/blog/generating-and-tracking-sboms-with-kosli-enhancing-software-security-and-supply-chain-transparency/</link>
      <pubDate>Wed, 23 Apr 2025 11:21:47 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/generating-and-tracking-sboms-with-kosli-enhancing-software-security-and-supply-chain-transparency/</guid>
      <description>Software Bills of Materials (SBOMs) are crucial for maintaining software security and supply chain transparency. They provide a detailed list of all components, libraries, and dependencies within a software application, enabling organizations to identify and address potential vulnerabilities, license compliance issues, and other risks.
By generating and tracking SBOMs in Kosli, you can establish a centralized and auditable repository for your software&amp;rsquo;s supply chain information. This allows you to:
*Track component provenance*: Understand the origin and history of each software component, ensuring that you&amp;rsquo;re using trusted and verified sources.</description>
    </item>
    
    <item>
      <title>Kosli Changelog March 2025</title>
      <link>https://www.kosli.com/blog/kosli-changelog-march-2025/</link>
      <pubDate>Wed, 02 Apr 2025 10:31:15 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-march-2025/</guid>
      <description>It is now possible to authenticate to Bitbucket using access tokens. As of CLI v2.11.10, CLI commands that communicate with Bitbucket can use the `--bitbucket-access-token` flag to authenticate with Bitbucket instead of the user-tied app passwords. This ensures that your CI pipelines don’t break if users leave.
App rebrand
Kosli has introduced a new brand alongside an updated version of www.kosli.com. As part of this evolution, our app has been refreshed with a polished new look, featuring updated colors and a brand-new logo.</description>
    </item>
    
    <item>
      <title>How we implemented a release/promotion workflow with a single approval, using Kosli</title>
      <link>https://www.kosli.com/blog/a-release-workflow-in-kosli/</link>
      <pubDate>Thu, 20 Mar 2025 15:19:42 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/a-release-workflow-in-kosli/</guid>
      <description>Overview
A feature we often get asked about at Kosli is whether we can help support a release/promotion workflow: a workflow that deploys a known set of Artifacts from one runtime environment (eg beta/staging) into another runtime environment (eg production), typically in parallel. For example, in the graphic below, the older versions of saver and differ in aws-prod would be replaced by newer versions from aws-beta.
The simple answer is we can help, and in this blog we show the release workflow in the Kosli cyber-dojo demo project (an open sourced application for practising TDD from your browser).</description>
    </item>
    
    <item>
      <title>Kosli Raises $10 Million Series A led by Deutsche Bank and Heavybit to Transform Software Delivery Governance.</title>
      <link>https://www.kosli.com/blog/kosli-raises-10-million-series-a-from-deutsche-bank-and-heavybit-to-transform-software-delivery-governance/</link>
      <pubDate>Thu, 20 Mar 2025 14:07:56 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-raises-10-million-series-a-from-deutsche-bank-and-heavybit-to-transform-software-delivery-governance/</guid>
      <description>We are delighted to announce that Kosli has raised $10 million in Series A funding. The round was led by Deutsche Bank&amp;rsquo;s Corporate Venture Capital (CVC) group, with participation from Heavybit, Defined, Transpose Platform, and a number of angel investors.
Alongside this funding milestone we are launching Kosli Enterprise, a new offering designed to meet the complex governance and compliance needs of large financial institutions. Kosli Enterprise includes enhanced support for organizations who require our expertise on how to map high level GRC requirements to the fast moving world of DevOps and CI/CD.</description>
    </item>
    
    <item>
      <title>Kosli Changelog February 2025</title>
      <link>https://www.kosli.com/blog/kosli-changelog-february-2025/</link>
      <pubDate>Wed, 26 Feb 2025 10:34:27 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-february-2025/</guid>
      <description>Introduce Custom attestation types
We’ve recently introduced Custom Attestation Types, a powerful new feature that gives you greater flexibility and control over your attestations in Kosli.
Why we built this
The Kosli CLI provides several typed attest commands, such as kosli attest snyk, kosli attest jira, etc. Each attest command automatically interprets its own specialised input format and evaluates its compliance.
If you’re using a tool that does not yet have a corresponding kosli attest command then, until now, you’ve had to use the “untyped” kosli attest generic command, which can attest anything, but does not calculate a true/false compliance value for you.</description>
    </item>
    
    <item>
      <title>Migrating from Generic to Custom Attestations: A zero-trust approach to compliance</title>
      <link>https://www.kosli.com/blog/migrating-generic-attestations-to-custom-attestations/</link>
      <pubDate>Thu, 06 Feb 2025 08:03:10 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/migrating-generic-attestations-to-custom-attestations/</guid>
      <description>The kosli attest generic CLI command can attest anything, but unlike a &amp;ldquo;typed&amp;rdquo; attestation (such as kosli attest snyk), it does not calculate a true/false compliance value for you. Customers have reported that while a generic &amp;ldquo;escape hatch&amp;rdquo; is useful, it nevertheless has some drawbacks:
It can take some effort to calculate a true/false value in some cases. It would be nice to split generic attestations into different types. Most importantly, many customers would prefer it if Kosli calculated all compliance values, as part of a zero trust model.</description>
    </item>
    
    <item>
      <title>Kosli Joins FINOS to Collaborate on DevOps Controls and Change Compliance in Financial Services</title>
      <link>https://www.kosli.com/blog/kosli-joins-finos-to-collaborate-on-devops-controls-and-change-compliance-in-financial-services/</link>
      <pubDate>Wed, 05 Feb 2025 10:54:43 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-joins-finos-to-collaborate-on-devops-controls-and-change-compliance-in-financial-services/</guid>
      <description>We are thrilled to announce that Kosli has joined the Fintech Open Source Foundation (FINOS), a Linux Foundation organization dedicated to fostering collaboration and innovation in financial services technology. Our goal is to engage the community in establishing common standards and automation practices for DevOps controls and change management automation.
Why did we join FINOS?
The financial services industry faces unique challenges in balancing rapid innovation with stringent regulatory requirements and security standards.</description>
    </item>
    
    <item>
      <title>Moving to a zero-trust model with Kosli&#39;s custom attestations</title>
      <link>https://www.kosli.com/blog/moving-to-a-zero-trust-model-with-kosli-s-custom-attestations/</link>
      <pubDate>Mon, 03 Feb 2025 14:32:29 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/moving-to-a-zero-trust-model-with-kosli-s-custom-attestations/</guid>
      <description>The Kosli CLI provides several attest commands, such as kosli attest snyk, kosli attest jira, etc. These attestations are &amp;ldquo;typed&amp;rdquo; - each one knows how to interpret its own particular kind of input. For example, kosli attest snyk interprets the sarif file produced by a snyk container scan to determine the true/false value for that individual attestation.
If you&amp;rsquo;re using a tool that does not yet have a corresponding kosli attest command then, until now, you&amp;rsquo;ve had to use the &amp;ldquo;untyped&amp;rdquo; kosli attest generic command, which can attest anything, but it cannot calculate a true/false compliance value for you.</description>
    </item>
    
    <item>
      <title>How to make Kosli generic attestations using the kosli-attest-generic command</title>
      <link>https://www.kosli.com/blog/making-kosli-generic-attestations/</link>
      <pubDate>Mon, 03 Feb 2025 10:06:15 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/making-kosli-generic-attestations/</guid>
      <description>Update! We recommend using the new custom attestations instead of generic attestations. Please see these two new blog posts:
Migrating from Generic to Custom Attestations: A zero-trust approach to compliance
Moving to a zero-trust model with Kosli&amp;rsquo;s custom attestations
All but one of the kosli attest commands calculate the true/false compliance value for you based on their type. For example, kosli attest snyk can read the sarif output file produced by a snyk scan.</description>
    </item>
    
    <item>
      <title>Kosli Changelog January 2025</title>
      <link>https://www.kosli.com/blog/kosli-changelog-january-2025/</link>
      <pubDate>Fri, 31 Jan 2025 10:48:11 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-january-2025/</guid>
      <description>Make the kosli-dev/setup-cli-action verified in the GitHub Marketplace
Kosli has become an official GitHub Technology Partner. As part of this partnership, our setup-kosli-cli GitHub Action has been verified by GitHub, providing users with additional confidence when incorporating Kosli into their GitHub workflows.
You can find our verified setup-kosli-cli action in the GitHub Marketplace, ready to help you integrate Kosli&amp;rsquo;s continuous compliance capabilities into your GitHub workflows.
Include Jira fields in Jira Ticket attestation
In the Kosli CLI, the jira attestation command now accepts a --jira-issue-fields flag, which allows you to attach additional information provided by the Jira API.</description>
    </item>
    
    <item>
      <title>Kosli Changelog December 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-december-2024/</link>
      <pubDate>Thu, 19 Dec 2024 10:25:13 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-december-2024/</guid>
      <description>A short month for the Product team is no excuse for shipping fewer changes on the application, improving its functionality one update at a time! Having our users&amp;rsquo; experience as our focus, and taking into account their feedback and feature requests, we have upgraded our Legacy Flows to Trails - read below 👇🏼
As always, we’d love to hear your comments and feedback on the updates we provide regularly. Share them in our Slack Community or reach out to the support team at support@kosli.</description>
    </item>
    
    <item>
      <title>Kosli Changelog November 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-november-2024/</link>
      <pubDate>Thu, 28 Nov 2024 21:27:11 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-november-2024/</guid>
      <description>Another month, another changelog packed with updates that improve the functionality of the platform and enhance user experience. As always, we’d love to hear your comments and feedback on the updates we provide regularly. Share them in our Slack Community or reach out to the support team at support@kosli.com
New static API documentation
You can now access a static version of the API reference documentation in Kosli docs. The interactive swagger API docs remain available within the app, accessible after logging in or signing up.</description>
    </item>
    
    <item>
      <title>Binary Provenance, SBOMs and the Software Supply Chain for Humans</title>
      <link>https://www.kosli.com/blog/binary-provenance-sboms-and-the-software-supply-chain-for-humans/</link>
      <pubDate>Tue, 05 Nov 2024 15:11:03 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/binary-provenance-sboms-and-the-software-supply-chain-for-humans/</guid>
      <description>“What’s really running in prod?”
Every engineer will hear these immortal words on a long enough timeline (or career). It might be because a new security zero day was dropped, alerts fired from the depths of a vast microservice architecture, or you might just be looking to know what commit was actually tested. Either way, it often comes with the promise of a stressful day.
Let’s demystify three critical concepts for delivering secure, reliable software: binary provenance, software bills of materials (SBOMs) and the software supply chain.</description>
    </item>
    
    <item>
      <title>SDEM: Your fastpass to the production superhighway</title>
      <link>https://www.kosli.com/blog/your-fastpass-to-the-production-superhighway/</link>
      <pubDate>Tue, 05 Nov 2024 13:59:45 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/your-fastpass-to-the-production-superhighway/</guid>
      <description>With software delivery, speed is everything. But how do you balance rapid delivery with quality, security, and compliance?
To answer this question, let&amp;rsquo;s embark on a journey - one that starts in a software factory and ends running on the production superhighway.
From Factory Floor to Open Road
Gene Kim&amp;rsquo;s &amp;ldquo;The Phoenix Project&amp;rdquo; introduced us to the software factory, applying lean manufacturing principles to code production. But what happens next?
DevOps orchestrates a vast network of these software app factories.</description>
    </item>
    
    <item>
      <title>Using Kosli to signal a change freeze</title>
      <link>https://www.kosli.com/blog/using-kosli-to-signal-a-change-freeze/</link>
      <pubDate>Tue, 05 Nov 2024 12:37:30 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/using-kosli-to-signal-a-change-freeze/</guid>
      <description>Like many software teams, here at Kosli we use a continuous delivery approach. This means that every commit to our trunk is automatically built, tested, and deployed to our production-like staging environment. This provides us with the confidence that every build is potentially deployable to production. We use our staging environment to perform final exploratory testing before we deploy to production.
Deployments to production are &amp;ldquo;on-demand&amp;rdquo;. Any developer on the team can deploy the current staging version to production, as needed, using a simple command.</description>
    </item>
    
    <item>
      <title>Kosli Changelog October 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-october-2024/</link>
      <pubDate>Mon, 28 Oct 2024 09:57:58 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-october-2024/</guid>
      <description>Welcome to October’s edition of the Kosli Changelog. The season might be spooky, but the product updates we delivered this month are far from it. Quality over quantity is the motto for this month, with the updates focusing on logical environments and taking snapshots of all ECS clusters in an AWS account.
As always, get involved with how Kosli takes shape in our Slack Community.
Let a real environment say that it is part of a logical environment
Option for a physical environment to say it is part of a logical environment.</description>
    </item>
    
    <item>
      <title>Migration Announcement: Transitioning from Legacy Flows to Flows with Trails</title>
      <link>https://www.kosli.com/blog/migration-announcement-transitioning-from-legacy-flows-to-flows-with-trails/</link>
      <pubDate>Thu, 24 Oct 2024 10:27:14 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/migration-announcement-transitioning-from-legacy-flows-to-flows-with-trails/</guid>
      <description>We are excited to announce that we will be migrating your Kosli Flows data to Flows with Trails. This transition will unlock access to our latest features, such as the first-class Sonar integration, as well as upcoming ones like environment compliance policies and custom attestation types.
Legacy Flows have served us well in the early stages, where they were designed to map the value stream of producing a single software artifact.</description>
    </item>
    
    <item>
      <title>Using Kosli attest in Github Actions Workflows - Some Do&#39;s and Don&#39;ts</title>
      <link>https://www.kosli.com/blog/using-kosli-attest-in-github-action-workflows-some-tips/</link>
      <pubDate>Mon, 14 Oct 2024 07:16:51 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/using-kosli-attest-in-github-action-workflows-some-tips/</guid>
      <description>The heart of Kosli&amp;rsquo;s functionality lies in its attest command. Think of it as a digital notary for your CI process. Every time you complete a significant step in your pipeline (e.g., a security scan, a build, a deployment, etc.) you use kosli attest to create an immutable record of that event.
However, integrating Kosli into your existing CI workflow isn&amp;rsquo;t always straightforward. You might find yourself grappling with questions like:</description>
    </item>
    
    <item>
      <title>Record an immutable record of all changes made to your LaunchDarkly feature flags with Kosli</title>
      <link>https://www.kosli.com/blog/record-an-immutable-record-of-all-changes-made-to-your-launchdarkly-feature-flags-with-kosli/</link>
      <pubDate>Thu, 03 Oct 2024 09:45:27 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/record-an-immutable-record-of-all-changes-made-to-your-launchdarkly-feature-flags-with-kosli/</guid>
      <description>We&amp;rsquo;re thrilled to introduce our latest integration with LaunchDarkly! This powerful combination allows you to keep an immutable record of all changes made to your feature flags using Kosli Trails, ensuring you have the information you need for audits, compliance checks, security investigations, and incident responses.
What This Integration Does
With the Kosli and LaunchDarkly integration, every change to your feature flags is captured and recorded within Kosli. You&amp;rsquo;ll get a detailed, versioned history of how feature flags changed over time, including who made the changes and when they occurred.</description>
    </item>
    
    <item>
      <title>Kosli Changelog September 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-september-2024/</link>
      <pubDate>Mon, 30 Sep 2024 12:15:38 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-september-2024/</guid>
      <description>Welcome to September&amp;rsquo;s edition of the Kosli Changelog. As we brace ourselves for a wet and wild autumn, our focus remains sharp on delivering updates that enhance the compliance of your software delivery processes. This month, we&amp;rsquo;ve rolled out an exciting new integration, features and UX/UI improvements that we can&amp;rsquo;t wait for you to explore.
As always, get involved with how Kosli takes shape in our Community.
LaunchDarkly Integration
We&amp;rsquo;re excited to announce our new integration with LaunchDarkly!</description>
    </item>
    
    <item>
      <title>Introducing Kosli&#39;s Logical Environments: Gain total visibility and control over complex systems</title>
      <link>https://www.kosli.com/blog/introducing-koslis-logical-environments-gain-total-visibility-and-control-over-complex-systems/</link>
      <pubDate>Tue, 10 Sep 2024 12:03:48 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/introducing-koslis-logical-environments-gain-total-visibility-and-control-over-complex-systems/</guid>
      <description>In today’s fast-paced development landscape, environments are no longer simple or isolated. You’re managing resources that span across development stages, geographies, and technologies. And as those environments grow more complex, so does the need for a more logical and efficient way to manage them.
That’s why we’re excited to introduce Logical Environments — a powerful new feature designed to give you the ultimate control and clarity over your multi-resource, distributed environments.</description>
    </item>
    
    <item>
      <title>Streamline code quality: Integrating SonarCloud and SonarQube scanning with Kosli for automated compliance</title>
      <link>https://www.kosli.com/blog/streamline-code-quality-integrating-sonarcloud-and-sonarqube-scanning-with-kosli-for-automated-compliance/</link>
      <pubDate>Tue, 03 Sep 2024 12:22:40 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/streamline-code-quality-integrating-sonarcloud-and-sonarqube-scanning-with-kosli-for-automated-compliance/</guid>
      <description>Static code analysis is an important part of testing your software to ensure it is release-ready. In contrast to dynamic testing, which involves executing your code to find errors, static analysis uses automated tools to “look” through the code, without executing it, to find potential errors (including potential security issues) and bugs. Since the code does not need to be executed, static testing can begin much earlier in development than dynamic testing.</description>
    </item>
    
    <item>
      <title>Kosli Changelog August 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-august-2024/</link>
      <pubDate>Mon, 02 Sep 2024 08:47:35 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-august-2024/</guid>
      <description>This month we are happy to announce that the logical environments feature is now live! This has been a big project for the team and we’re delighted to deliver it this month. Logical environments will enable you to group environments of different types so you can have a picture of what’s really happening in &amp;ldquo;Production&amp;rdquo; - or any other grouping you choose to make.
Another neat addition is the ability to auto-create the flow and trail in attest commands.</description>
    </item>
    
    <item>
      <title>&#34;Just the facts&#34; 🔏 🗒️ Introducing Software Delivery Evidence Management (SDEM)</title>
      <link>https://www.kosli.com/blog/just-the-facts--%EF%B8%8F-introducing-software-delivery-evidence-management-sdem/</link>
      <pubDate>Wed, 28 Aug 2024 12:47:33 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/just-the-facts--%EF%B8%8F-introducing-software-delivery-evidence-management-sdem/</guid>
      <description>The DevOps Detective: &amp;ldquo;Just the facts&amp;rdquo;
Picture a gruff-voiced sergeant from the classic TV series &amp;ldquo;Dragnet,&amp;rdquo; but instead of solving crimes, they are navigating the complex world of software delivery. Their catchphrase, &amp;ldquo;Just the facts&amp;rdquo;, isn&amp;rsquo;t just a catchphrase – it&amp;rsquo;s the mantra we need in today&amp;rsquo;s high-stakes world of DevOps, AppSec and Compliance.
From Punch Cards to Pixels: The Evolution of Software Governance
Remember punch cards? If you don&amp;rsquo;t, count yourself lucky.</description>
    </item>
    
    <item>
      <title>From lean manufacturing to DevOps: The software factory revolution</title>
      <link>https://www.kosli.com/blog/from-lean-manufacturing-to-devops-the-software-factory-revolution/</link>
      <pubDate>Wed, 28 Aug 2024 11:53:55 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/from-lean-manufacturing-to-devops-the-software-factory-revolution/</guid>
      <description>In our journey through the evolution of compliance in the DevOps era, we&amp;rsquo;ve seen the limitations of traditional compliance methods and the high stakes of compliance failures. Manual processes, siloed teams, and a lack of automation have turned compliance into a bottleneck, hindering the agility promised by DevOps. In this third article, we&amp;rsquo;ll trace the roots of DevOps back to lean manufacturing principles and introduce the concept of the &amp;ldquo;software factory&amp;rdquo; as a revolutionary approach to integrating compliance and agility.</description>
    </item>
    
    <item>
      <title>The high stakes of SDLC compliance: Lessons from EVE Online&#39;s battle of B-R5RB and Equifax</title>
      <link>https://www.kosli.com/blog/the-high-stakes-of-sdlc-compliance-lessons-from-eve-onlines-battle-of-b-r5rb-and-equifax/</link>
      <pubDate>Wed, 28 Aug 2024 11:22:57 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-high-stakes-of-sdlc-compliance-lessons-from-eve-onlines-battle-of-b-r5rb-and-equifax/</guid>
      <description>In our previous exploration of The Punchcard Paradigm, we traced the roots of modern compliance practices back to the early days of computing. We saw how the physical constraints of punchcards shaped programming practices and how those practices lingered long after the technology had evolved.
Now, let&amp;rsquo;s dive deeper into why modern compliance is more critical than ever in today&amp;rsquo;s digital landscape.
Why Compliance Matters
At its core, compliance is about ensuring the reliability, security, and trustworthiness of our systems and processes.</description>
    </item>
    
    <item>
      <title>Kosli Changelog July 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-july-2024/</link>
      <pubDate>Tue, 23 Jul 2024 08:31:18 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-july-2024/</guid>
      <description>Welcome to July&amp;rsquo;s edition of the Kosli Changelog. This month, we’re excited to introduce our latest updates and improvements designed to enhance your software evidence management experience. So if you haven’t reached for the beach towel and sun cream yet, read on to discover all the new enhancements we&amp;rsquo;ve rolled out!
💻 Slack integration now available in Kosli app
We’re excited to announce that Slack integration has now been added to the Kosli app. This feature allows you to automate DevOps workflows by sending real-time notifications directly to your Slack channels.</description>
    </item>
    
    <item>
      <title>The punchcard paradigm: Tracing the roots of modern compliance</title>
      <link>https://www.kosli.com/blog/the-punchcard-paradigm-tracing-the-roots-of-modern-compliance/</link>
      <pubDate>Mon, 08 Jul 2024 12:28:28 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-punchcard-paradigm-tracing-the-roots-of-modern-compliance/</guid>
      <description>In the early days of computing, creating software was a physical act, more akin to factory work than the streamlined digital process we know today. Programmers meticulously transcribed logic onto coding sheets, distinguishing zeros from &amp;lsquo;Os&amp;rsquo; and ones from &amp;lsquo;Is&amp;rsquo;. These cryptic symbols formed the instructions that would be punched into thick card stock decks. It was a laborious process that resembled typing pools, but it offered an important quality checkpoint – the ability to visually review the punched holes against the coding sheets, validating the integrity of the programs before they ran.</description>
    </item>
    
    <item>
      <title>Kosli Changelog June 2024</title>
      <link>https://www.kosli.com/blog/changelog-june/</link>
      <pubDate>Wed, 19 Jun 2024 12:32:59 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/changelog-june/</guid>
      <description>June is here and the beer garden is calling our name, but that hasn’t stopped us shipping some great new improvements this month. We have a few new features and quality of life enhancements on our UX and UI that we think you’ll like, including our new Dashboards, available now in Beta!
📊 Dashboards Beta is now live
Kosli introduces the Organization Dashboard, offering leadership a comprehensive view of compliance metrics.</description>
    </item>
    
    <item>
      <title>Kosli and Swiss Digital Network partner to enhance Continuous Compliance and Verification</title>
      <link>https://www.kosli.com/blog/kosli-and-swiss-digital-network-partner-to-enhance-continuous-compliance-and-verification/</link>
      <pubDate>Fri, 24 May 2024 09:22:03 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-and-swiss-digital-network-partner-to-enhance-continuous-compliance-and-verification/</guid>
      <description>We are thrilled to announce a strategic partnership between Kosli and Swiss Digital Network (SDN). This collaboration is set to revolutionize how Swiss organizations approach Continuous Compliance and Verification, combining the strengths of both companies to give regulated sectors like finance and healthcare the power to deliver software with security, compliance, and speed.
About Swiss Digital Network
Swiss Digital Network is a leading consulting network known for its expertise in digital transformation.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - April 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-april-2024/</link>
      <pubDate>Mon, 20 May 2024 15:13:37 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-april-2024/</guid>
      <description>We&amp;rsquo;ve kept ourselves busy this April, in spite of the holidays and the call of the sunny outdoors. This month, Kosli has been improved with a number of new features and quality of life enhancements that we think you&amp;rsquo;ll like.
Add support for AWS Code Build environment default variables in the CLI
If you use AWS Code Build as your CI system, Kosli CLI (starting from v2.9.1) will default the following flag values for you:</description>
    </item>
    
    <item>
      <title>Why we’ve open sourced our secure SDLC process template</title>
      <link>https://www.kosli.com/blog/why-weve-open-sourced-our-secure-sdlc-process-template/</link>
      <pubDate>Tue, 14 May 2024 14:49:14 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/why-weve-open-sourced-our-secure-sdlc-process-template/</guid>
      <description>One of the big things we’ve learned since starting Kosli is that engineers often struggle to define an SDLC for compliance purposes. That doesn’t mean they don&amp;rsquo;t know how to deliver secure, quality software. They’ve just never had to actually define a process for how they do it.
Perfectly capable engineers can spend years shipping great products and features without ever having to properly define and standardize their SDLC. But that changes when they move into a regulated industry, or are faced with achieving a security standard like SOC2 or ISO27001.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - March 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-march-2024/</link>
      <pubDate>Wed, 17 Apr 2024 13:42:23 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-march-2024/</guid>
      <description>Spring is definitely here! Northern Europe is starting to thaw and the sun is making the occasional appearance. Here are some of the latest changes we’ve prepared for you.
Tags for Flows &amp;amp; Environments
Meet Tags - enabling you to add metadata to your Kosli Environments and Flows. Using the latest v2.8.8 of the CLI you can add key/value pairs to Flows or Environments. You can see these tags over on the public cyber-dojo project in Kosli: https://app.</description>
    </item>
    
    <item>
      <title>How to achieve SOC 2 Type 2 in 90 days with Drata and Kosli</title>
      <link>https://www.kosli.com/blog/how-to-achieve-soc-2-type-2-in-90-days-with-drata-and-kosli/</link>
      <pubDate>Tue, 19 Mar 2024 15:20:25 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-achieve-soc-2-type-2-in-90-days-with-drata-and-kosli/</guid>
      <description>Every software purchasing decision has a security impact, and with information security threats on the rise, companies are increasingly concerned about third party vendor risks. That’s why for companies to sell software these days it is no longer enough to be secure, you also need to be able to prove it.
Over the last year or so we’ve noticed an increasing expectation that software companies, even SMEs and startups, should be SOC 2 compliant.</description>
    </item>
    
    <item>
      <title>How to record an audit trail for any DevOps process with Kosli Trails</title>
      <link>https://www.kosli.com/blog/how-to-record-an-audit-trail-for-any-devops-process-with-kosli-trails/</link>
      <pubDate>Wed, 06 Mar 2024 13:36:28 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-record-an-audit-trail-for-any-devops-process-with-kosli-trails/</guid>
      <description>In this article I’m going to introduce Kosli Trails. This is a new feature that allows you to record an audit trail for any DevOps process. It’s already in production and being used to record Terraform pipelines, CI processes, server access, feature toggles, and more.
How it all started - change management for DevOps
Like most software startups, in Kosli’s early stage, we focused on solving a narrow problem: we wanted to solve change management for regulated software teams by recording the facts in DevOps pipelines.</description>
    </item>
    
    <item>
      <title>How to track Infrastructure as Code changes in Terraform with Kosli</title>
      <link>https://www.kosli.com/blog/how-to-track-infrastructure-as-code-changes-in-terraform-with-kosli/</link>
      <pubDate>Wed, 06 Mar 2024 13:03:59 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-track-infrastructure-as-code-changes-in-terraform-with-kosli/</guid>
      <description>Infrastructure as Code (IaC) has emerged as a cornerstone for efficiently managing and provisioning infrastructure. Among the many tools available, Terraform has gained unparalleled popularity, offering a declarative approach to defining and deploying infrastructure. But as organizations increasingly embrace IaC to achieve scalability, consistency, and agility, a critical challenge emerges: how to ensure compliance and authorization for infrastructure changes. With rapid and dynamic transformations in the digital realm, maintaining regulatory adherence, security standards, and internal policies becomes increasingly challenging.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - February 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-february-2023-1/</link>
      <pubDate>Tue, 05 Mar 2024 14:24:35 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-february-2023-1/</guid>
      <description>It&amp;rsquo;s already March, the sun is starting to show up again here in Northern Europe, the snow is melting away, and the Kosli team has been hard at work, making good use of that extra leap day in February! This month we are delivering some performance improvements, some updates to existing features, and some exciting new features.
Introducing Trails
We noticed that some of our customers were creating “fake” artifacts so they could keep records for critical changes outside of pipelines.</description>
    </item>
    
    <item>
      <title>Kosli Achieves SOC 2 Type 2 Compliance: Strengthening Our Commitment to Security</title>
      <link>https://www.kosli.com/blog/kosli-achieves-soc-2-type-2-compliance-strengthening-our-commitment-to-security/</link>
      <pubDate>Tue, 05 Mar 2024 13:52:35 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-achieves-soc-2-type-2-compliance-strengthening-our-commitment-to-security/</guid>
      <description>We are thrilled to announce that Kosli has successfully completed a SOC 2 Type 2 audit, demonstrating our commitment to the security, quality, and operational excellence our customers expect.
This achievement builds upon our existing SOC 2 Type 1 compliance, further solidifying our dedication to robust security practices.
What is SOC 2 Type 2 Compliance?
A SOC 2 Type 2 report goes beyond simply documenting security policies and procedures. It involves an independent audit that verifies the effectiveness of those controls over a specific period.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - January 2024</title>
      <link>https://www.kosli.com/blog/kosli-changelog-january-2024/</link>
      <pubDate>Wed, 31 Jan 2024 08:47:04 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-january-2024/</guid>
      <description>The Kosli team starts the new year with endless energy and some exciting news for you! This month, we&amp;rsquo;ve delivered not only bug fixes and performance improvements but also a couple of highly requested features. More details about them are provided further in the post.
Rename flows and environments
The long-awaited feature to rename flows and environments is now available in CLI v2.7.3 and later, and also in the API.</description>
    </item>
    
    <item>
      <title>Maintaining Security with DevOps Compliance</title>
      <link>https://www.kosli.com/blog/maintaining-security-with-devops-compliance/</link>
      <pubDate>Fri, 26 Jan 2024 11:32:16 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/maintaining-security-with-devops-compliance/</guid>
      <description>DevOps teams play an increasingly important role in all types of software companies. From legacy organizations to cloud-native startups, the DORA metrics tell us that the performance of the DevOps team correlates very closely with the overall success of the business. But, as DevOps starts to be adopted across highly regulated industries, we no longer live in a world where it’s ok to “move fast and break things.” For banks, healthcare companies, car manufacturers, etc.</description>
    </item>
    
    <item>
      <title>How to build DevOps automations with Kosli Actions</title>
      <link>https://www.kosli.com/blog/how-to-build-devops-automations-with-kosli-actions/</link>
      <pubDate>Wed, 24 Jan 2024 09:24:22 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-build-devops-automations-with-kosli-actions/</guid>
      <description>Kosli allows regulated organizations to scale their continuous delivery so that they can deploy changes to production at maximum speed without the risk of non-compliance. It does this by recording all of the data you need to get through regulatory events like audits. With Kosli you can record everything that happens in your software delivery process from initial requirement all the way through to deployment to production. Events like builds, tests, scans, code reviews, etc.</description>
    </item>
    
    <item>
      <title>DevOps Change Management Resources</title>
      <link>https://www.kosli.com/blog/devops-change-management-content-hub/</link>
      <pubDate>Wed, 17 Jan 2024 12:35:17 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/devops-change-management-content-hub/</guid>
      <description>The DevOps Change Management Content Hub is a set of resources for modern software teams who struggle to align their DevOps automation with their change management requirements. In our experience, cloud native teams with lots of automation struggle when they run into a compliance event like an audit, or need to achieve a security standard like SOC2 or ISO27001. How do you comply without adopting old-fashioned change management practices and screwing up your DevOps?</description>
    </item>
    
    <item>
      <title>Continuous Compliance Content Hub</title>
      <link>https://www.kosli.com/blog/continuous-compliance-content-hub/</link>
      <pubDate>Wed, 17 Jan 2024 11:42:05 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/continuous-compliance-content-hub/</guid>
      <description>The Continuous Compliance content hub is a set of guides for DevOps teams who need to move fast while remaining in compliance for audit and security purposes.
We know that the old change management processes for software releases that happened once every 6 months don&amp;rsquo;t scale for DevOps teams who want to deploy every day. This is where Continuous Compliance comes in. You can deploy software freely to production with compliance baked into every change and these resources are designed to help you do that.</description>
    </item>
    
    <item>
      <title>A Guide to Continuous Security Monitoring Tools for DevOps</title>
      <link>https://www.kosli.com/blog/a-guide-to-continuous-security-monitoring-tools-for-devops/</link>
      <pubDate>Sat, 13 Jan 2024 03:13:28 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/a-guide-to-continuous-security-monitoring-tools-for-devops/</guid>
      <description>DevOps has accelerated the delivery of software, but it has also made it more difficult to stay on top of compliance issues and security threats. When applications, environments and infrastructure are constantly changing it becomes increasingly difficult to maintain a handle on compliance and security. For fast-moving teams, real time security monitoring has become essential for quickly identifying risky changes so they can be remediated before they result in security failure.</description>
    </item>
    
    <item>
      <title>Understanding ISO 27001 Security - and why DevOps teams choose Kosli</title>
      <link>https://www.kosli.com/blog/understanding-iso27001-security-and-why-devops-teams-choose-kosli/</link>
      <pubDate>Sat, 13 Jan 2024 03:09:08 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/understanding-iso27001-security-and-why-devops-teams-choose-kosli/</guid>
      <description>Modern software delivery teams find themselves under constant pressure to maintain security and compliance without slowing down the speed of development. This usually means that they have to find a way of using automation to ensure robust governance processes that can adapt to evolving cyber threats and new regulatory requirements.
Achieving compliance with ISO 27001, an international standard for information security management, is one of the clearest ways for companies to signal that they take these issues seriously, and have adequate systems in place to guarantee security.</description>
    </item>
    
    <item>
      <title>The 5 Best Vanta Alternatives for Security Compliance </title>
      <link>https://www.kosli.com/blog/the-5-best-vanta-alternatives-for-security-compliance/</link>
      <pubDate>Tue, 19 Dec 2023 14:39:13 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-5-best-vanta-alternatives-for-security-compliance/</guid>
      <description>Over the last two to three years, we’ve seen increasing demands on all kinds of software companies to comply with security and compliance standards. More and more organizations are looking to benefit by moving their operations to the cloud, but this increases the potential for cybersecurity attacks and breaches.
A new type of compliance vendor has emerged to help companies that must comply with the security standards designed to ward off cybersecurity threats.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - December 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-december-2023/</link>
      <pubDate>Tue, 19 Dec 2023 14:06:08 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-december-2023/</guid>
      <description>Christmas is around the corner and like many we at Kosli are also looking forward to the upcoming holiday break. So we will share the December changelog with you a bit earlier than usual. This month we have done a lot of work on improving code quality and security, and we continue working on some cool big features that you will see soon. But in the meantime, here are some Christmas goodies for December 🎅</description>
    </item>
    
    <item>
      <title>The rising trend of Data Breaches and Critical Vulnerabilities in 2023</title>
      <link>https://www.kosli.com/blog/the-rising-trend-of-data-breaches-and-critical-vulnerabilities-in-2023/</link>
      <pubDate>Tue, 19 Dec 2023 13:29:07 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-rising-trend-of-data-breaches-and-critical-vulnerabilities-in-2023/</guid>
      <description>As the year comes to an end, we are taking a look back at the major data breaches and vulnerabilities that disrupted the security of small, large, and very important organizations around the world and across all industries. According to a recently published report:
in the first three quarters of 2023, the number of ransomware attacks increased by almost 70% compared to the first three quarters of 2022 and over 80% of data breaches involved data stored in the cloud.</description>
    </item>
    
    <item>
      <title>The Three Ways of DevOps Governance</title>
      <link>https://www.kosli.com/blog/the-three-ways-of-devops-governance/</link>
      <pubDate>Tue, 12 Dec 2023 00:44:26 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-three-ways-of-devops-governance/</guid>
      <description>In this blog post, I take a look at modern IT governance by applying the classic “Three Ways” of DevOps principles originally introduced by Gene Kim in his seminal 2012 article. “We assert that the Three Ways describe the values and philosophies that frame the processes, procedures, practices of DevOps, as well as the prescriptive steps.”
Here’s a quick reminder of the three ways set out by Gene:
The First Way: Flow/Systems Thinking. The Second Way: Amplify Feedback Loops. The Third Way: Culture of Continual Experimentation and Learning. For Gene, all DevOps patterns can be derived from these three principles.</description>
    </item>
    
    <item>
      <title>How to Detect Unauthorized Changes in Production with Kosli</title>
      <link>https://www.kosli.com/blog/how-to-detect-unauthorized-changes-in-production-with-kosli/</link>
      <pubDate>Mon, 11 Dec 2023 19:25:11 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-detect-unauthorized-changes-in-production-with-kosli/</guid>
      <description>Let’s not beat around the bush: change management is a prehistoric discipline desperately in need of fresh thinking. Its “best practices” are frankly terrible. Nobody honestly thinks manually filling out change tickets, waiting for CAB meetings and external approvals does anything to meaningfully reduce risk. Change management is slow, inconsistent, doesn’t scale, and is prone to error.
Of course, lots of teams know this and more and more of them are delivering change via automated approvals in their DevOps pipelines.</description>
    </item>
    
    <item>
      <title>Backstage Developer Portal </title>
      <link>https://www.kosli.com/blog/backstage-developer-portal-content-hub/</link>
      <pubDate>Thu, 07 Dec 2023 09:57:24 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/backstage-developer-portal-content-hub/</guid>
      <description>*Disclaimer: The complete Backstage guide is open sourced on GitHub and you can suggest changes to the content if you know it needs updates. We continuously review the pull requests and improve the content based on your feedback.*
Backstage, a development portal, allows developers to maintain constant vigilance over the health of their networks and services, no matter where they are deployed.
This is invaluable to teams, as many different deployments across different environments need to be monitored to ensure security and compliance.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - November 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-november-2023/</link>
      <pubDate>Thu, 30 Nov 2023 10:49:24 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-november-2023/</guid>
      <description>November has been a busy month for our team as we dive deep into crafting a new big feature. But in the midst of the coding chaos and hot debates, we&amp;rsquo;ve still managed to sprinkle in some cool smaller features for you in this month&amp;rsquo;s changelog.
Add a parameter to specify the approver in an approval: Approvals for deployments are a common and important part of the software delivery process. But who approved it?</description>
    </item>
    
    <item>
      <title>ISO 27001 Compliance: Everything You Need to Know</title>
      <link>https://www.kosli.com/blog/iso-27001-compliance-everything-you-need-to-know/</link>
      <pubDate>Tue, 21 Nov 2023 10:13:01 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/iso-27001-compliance-everything-you-need-to-know/</guid>
      <description>Let’s talk about what ISO 27001 compliance means for the tech team.
If you’re a CTO, DevOps team lead, or cyber security specialist, you’ll have a lot of plates spinning at any given point in time. You need to ensure and maintain security protocols and compliance without hindering the development team’s ability to test and deploy new code (often at scale). It’s a constant battle to align development speed with governance tasks like audit, compliance, and security.</description>
    </item>
    
    <item>
      <title>Demystifying FEDRAMP and NIST for Continuous Compliance </title>
      <link>https://www.kosli.com/blog/demystifying-fedramp-and-nist-for-continuous-compliance/</link>
      <pubDate>Tue, 21 Nov 2023 09:52:16 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/demystifying-fedramp-and-nist-for-continuous-compliance/</guid>
      <description>Today, federal agencies rely extensively on Cloud-based SaaS applications for everything from payment processing and document management, to data security and employee workflow automation. These tools help departments to function very efficiently, but because they are being used for essential government functions, it’s vital that they are safe and secure. For example, personnel at The Pentagon or The Department of Homeland Security can’t just choose any software vendor in the marketplace.</description>
    </item>
    
    <item>
      <title>How to automate Snyk container scanning of your production environments</title>
      <link>https://www.kosli.com/blog/how-to-automate-snyk-container-scanning-of-your-production-environments/</link>
      <pubDate>Fri, 17 Nov 2023 09:40:36 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-automate-snyk-container-scanning-of-your-production-environments/</guid>
      <description>If you’re using containers to deploy your software, it is important to be aware of potential vulnerabilities within your container images. These may be introduced through dependencies in your built image, or perhaps through dependencies within the base image(s) used to build your image. Snyk is one of the most popular tools for scanning container images for vulnerabilities - you may well already run a snyk container test when you deploy code through your CI pipeline.</description>
    </item>
    
    <item>
      <title>Succeeding with Backstage 4: Backstage as Part of a Broader Developer Productivity Engineering (DPE) Initiative</title>
      <link>https://www.kosli.com/blog/succeeding-with-backstage-4-backstage-as-part-of-a-broader-developer-productivity-engineering-dpe-initiative/</link>
      <pubDate>Mon, 13 Nov 2023 18:35:38 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/succeeding-with-backstage-4-backstage-as-part-of-a-broader-developer-productivity-engineering-dpe-initiative/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
This final article in the &amp;ldquo;Succeeding with Backstage&amp;rdquo; series focuses on how you can incorporate Backstage as part of a broader developer productivity engineering (DPE) initiative.</description>
    </item>
    
    <item>
      <title>Succeeding with Backstage 3: Improving Adoption</title>
      <link>https://www.kosli.com/blog/succeeding-with-backstage-3-improving-adoption/</link>
      <pubDate>Mon, 13 Nov 2023 18:29:06 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/succeeding-with-backstage-3-improving-adoption/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
This third installment of the &amp;ldquo;Succeeding with Backstage&amp;rdquo; series explores how you can improve the adoption of Backstage within your organization.</description>
    </item>
    
    <item>
      <title>How to Automate Change Management for DevOps</title>
      <link>https://www.kosli.com/blog/how-to-automate-change-management-for-devops/</link>
      <pubDate>Sat, 11 Nov 2023 01:30:12 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-automate-change-management-for-devops/</guid>
      <description>Until fairly recently, software releases happened once or twice a year, maybe once a quarter. This gave IT teams plenty of time to verify and manually sign off on every change before they were released in big batches during a bank holiday weekend or off-peak hours. Typically, they’d produce paperwork to show that all changes had been properly tested, and then those changes would be approved for release in a change advisory board meeting (CAB).</description>
    </item>
    
    <item>
      <title>Succeeding with Backstage 2: Building and Maintaining Custom Plugins</title>
      <link>https://www.kosli.com/blog/succeeding-with-backstage-building-and-maintaining-custom-plugins/</link>
      <pubDate>Fri, 10 Nov 2023 16:07:56 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/succeeding-with-backstage-building-and-maintaining-custom-plugins/</guid>
      <description>This second installment of the &amp;ldquo;Succeeding with Backstage&amp;rdquo; series explains how to create a custom Backstage plugin.
For many use cases, customizing the platform’s look using the methods from the last part and integrating existing plugins will be enough to align Backstage with your organization’s needs. But what happens when the plugin directory doesn’t have a plugin that solves your particular problem? You create a custom plugin, of course.
This article demonstrates how you can create custom plugins tailored to your requirements.</description>
    </item>
    
    <item>
      <title>Succeeding with Backstage 1: Customizing the Look and Feel of Backstage</title>
      <link>https://www.kosli.com/blog/succeeding-with-backstage-part-1-customizing-the-look-and-feel-of-backstage/</link>
      <pubDate>Fri, 10 Nov 2023 15:48:39 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/succeeding-with-backstage-part-1-customizing-the-look-and-feel-of-backstage/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
This is the first article in the &amp;ldquo;Succeeding with Backstage&amp;rdquo; series. This series is for those with a working Backstage implementation who want to ensure smooth adoption and ongoing successful use of the tool.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - October 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-october-2023/</link>
      <pubDate>Wed, 01 Nov 2023 09:14:30 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-october-2023/</guid>
      <description>It’s spooky season and, at least here in my house, we are overflowing with costumes, pumpkins, and sweets. Happily, there are no tricks from the Kosli team, only treats! Further API Key improvements: Last month, we shared our new rotatable API keys. This month, we’ve taken steps to improve them even more. The key change here is that we never store your API keys in our database – we store a secure, one-way hash of the API key.</description>
    </item>
    
    <item>
      <title>Implementing Backstage 3: Integrating with Existing Tools Using Plugins</title>
      <link>https://www.kosli.com/blog/implementing-backstage-3-integrating-with-existing-tools-using-plugins/</link>
      <pubDate>Tue, 31 Oct 2023 05:08:32 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/implementing-backstage-3-integrating-with-existing-tools-using-plugins/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
This third part of the &amp;ldquo;Implementing Backstage&amp;rdquo; series explains how to integrate Backstage with existing tools and plugins.</description>
    </item>
    
    <item>
      <title>The DevOps Security and Compliance Guide</title>
      <link>https://www.kosli.com/blog/the-devops-security-and-compliance-guide/</link>
      <pubDate>Thu, 26 Oct 2023 03:18:22 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-devops-security-and-compliance-guide/</guid>
      <description>The fast-paced nature of modern software development means developers are capable of deploying changes to production multiple times a day. But, while DevOps allows development teams to deliver new features faster, increased deployment frequency can make it more difficult to stay on top of security threats. It only takes one malicious or incompetent change to dramatically increase the risk exposure of an application. DevOps environments are constantly changing, so it’s a challenge to achieve a consistent cybersecurity posture.</description>
    </item>
    
    <item>
      <title>Implementing Backstage 6: Deploying Backstage on Kubernetes</title>
      <link>https://www.kosli.com/blog/implementing-backstage-6-deploying-backstage-on-kubernetes/</link>
      <pubDate>Sat, 14 Oct 2023 03:21:24 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/implementing-backstage-6-deploying-backstage-on-kubernetes/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
This final part of the &amp;ldquo;Implementing Backstage&amp;rdquo; series focuses on how to deploy Backstage on Kubernetes. This tutorial is a direct continuation of Using the Kubernetes Plugin in Backstage, which you should complete before tackling this one.</description>
    </item>
    
    <item>
      <title>Implementing Backstage Part 5: Kubernetes Plugins</title>
      <link>https://www.kosli.com/blog/implementing-backstage-5-using-the-kubernetes-plugin-in-backstage/</link>
      <pubDate>Sat, 14 Oct 2023 03:15:05 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/implementing-backstage-5-using-the-kubernetes-plugin-in-backstage/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
This second last part of the &amp;ldquo;Implementing Backstage&amp;rdquo; series explains how to use the Kubernetes plugin in Backstage using real-world scenarios.</description>
    </item>
    
    <item>
      <title>Implementing Backstage Part 4: Security and Compliance</title>
      <link>https://www.kosli.com/blog/implementing-backstage-4-security-and-compliance/</link>
      <pubDate>Fri, 13 Oct 2023 09:28:44 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/implementing-backstage-4-security-and-compliance/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think
This is the fourth part of the &amp;ldquo;Implementing Backstage&amp;rdquo; series and explores how to ensure your Backstage application is secure and how Backstage can contribute to more secure practices in general.</description>
    </item>
    
    <item>
      <title>What Is Continuous Security Monitoring Software?</title>
      <link>https://www.kosli.com/blog/what-is-continuous-security-monitoring-software/</link>
      <pubDate>Thu, 12 Oct 2023 02:16:49 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/what-is-continuous-security-monitoring-software/</guid>
      <description>Many DevOps teams work proactively to meet security and compliance standards. They consider security best practices when developing software with open source components, scanning code for vulnerabilities, deploying changes, and maintaining applications and infrastructure. Security is a key feature of many of the tools they’re using, and the policies and industry standards they’re following.
But, while security concerns continue to be top of mind for the software industry, the importance of continuous security monitoring over what’s actually running in production environments is often overlooked.</description>
    </item>
    
    <item>
      <title>Staying Ahead of Threats with Continuous Security Monitoring Tools for DevOps</title>
      <link>https://www.kosli.com/blog/staying-ahead-of-threats-with-continuous-security-monitoring-tools-for-devops/</link>
      <pubDate>Thu, 12 Oct 2023 01:44:01 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/staying-ahead-of-threats-with-continuous-security-monitoring-tools-for-devops/</guid>
      <description>According to the latest Crowdstrike report, in 2022 cloud-based exploitation increased by 95%, and there was an average eCrime breakout time of 84 minutes. Just as significantly, in 2021, the Biden administration passed an executive order to improve the nation’s cybersecurity standards. There are also upcoming laws like DORA in the European Union. So, increased cyber attacks and legislative pressures mean you need to (a) actively protect against threats and (b) prove that you are doing so.</description>
    </item>
    
    <item>
      <title>Implementing Backstage: Core Components</title>
      <link>https://www.kosli.com/blog/implementing-backstage-2-using-the-core-features/</link>
      <pubDate>Wed, 04 Oct 2023 01:30:08 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/implementing-backstage-2-using-the-core-features/</guid>
      <description>This article is the second installment of the &amp;ldquo;Implementing Backstage&amp;rdquo; series and focuses on how to use Backstage&amp;rsquo;s core features. Backstage has an extensible plugin architecture in active development and large community support and offers simplified tool management, workflow optimization, and time-saving features. However, to reap these benefits, you need to know how to use Backstage&amp;rsquo;s core features, including its software catalog, templates, documentation, and search.
In this article, you’ll learn how to set up a Backstage instance, use the software catalog to manage all software in one place, and create and manage documentation.</description>
    </item>
    
    <item>
      <title>Implementing Backstage 1: Getting started with Backstage CLI</title>
      <link>https://www.kosli.com/blog/implementing-backstage-1-getting-started/</link>
      <pubDate>Wed, 27 Sep 2023 00:47:54 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/implementing-backstage-1-getting-started/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
Backstage is a platform for building developer portals. Originally developed internally at Spotify, it&amp;rsquo;s now open source and available through GitHub.</description>
    </item>
    
    <item>
      <title>The Code Story podcast - how to deliver software with Continuous Compliance and Kosli </title>
      <link>https://www.kosli.com/blog/the-code-story-podcast-how-to-deliver-software-with-continuous-compliance-and-kosli/</link>
      <pubDate>Wed, 27 Sep 2023 00:37:11 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-code-story-podcast-how-to-deliver-software-with-continuous-compliance-and-kosli/</guid>
      <description>How do you “keep the receipts” for your software process? Is it possible to automate change controls and deploy software with Continuous Compliance? Earlier this year, Mike appeared on the CodeStory podcast where he was interviewed by Noah Larbert. He explains how lessons learned as a DevOps consultant in regulated industries led to the realization that change management, risk controls and traceability were all part of a general governance problem that could be solved with automation.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - September 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-september-2023/</link>
      <pubDate>Tue, 26 Sep 2023 09:22:19 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-september-2023/</guid>
      <description>September kicked off with some very pleasant, and warm, late summer / early autumn sunshine, at least here in Northern Europe. But Autumn has now officially landed and it brings with it a few useful little Kosli extras that the team have been busy putting together for you.
Manage your API Keys: Kosli’s API is how your runtime environments and CI/CD pipelines report your environment snapshots, artifacts, and evidence to Kosli.</description>
    </item>
    
    <item>
      <title>Evaluating Backstage 1: Why Backstage?</title>
      <link>https://www.kosli.com/blog/evaluating-backstage-1-why-backstage/</link>
      <pubDate>Fri, 08 Sep 2023 04:23:39 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/evaluating-backstage-1-why-backstage/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
This article is the first part of the &amp;ldquo;Evaluating Backstage&amp;rdquo; series. It covers all the basics around developer portals, introduces Backstage development, and explores how it can help your organization be more efficient and secure.</description>
    </item>
    
    <item>
      <title>Implementing Backstage Part 2: Core Components</title>
      <link>https://www.kosli.com/blog/evaluating-backstage-2-how-backstage-works/</link>
      <pubDate>Fri, 08 Sep 2023 03:59:49 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/evaluating-backstage-2-how-backstage-works/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
At its core, Backstage excels at bringing together an array of diverse tools, services, and essential information, all under one roof.</description>
    </item>
    
    <item>
      <title>Evaluating Backstage 3: Backstage vs. Competitors</title>
      <link>https://www.kosli.com/blog/evaluating-backstage-3-backstage-vs-competitors/</link>
      <pubDate>Fri, 08 Sep 2023 03:39:48 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/evaluating-backstage-3-backstage-vs-competitors/</guid>
      <description>Note: This article is part of our Backstage guide series. You can find the complete guide here. Additionally, all articles of the complete Backstage guide are open sourced on GitHub and you can submit pull requests if you think the content needs to be updated. We maintain the information thanks to your feedback.
Developer portals are no longer a novelty but a necessity for organizations that offer software services. The portals centralize and streamline the developer experience with essential tools, including API documentation, SDKs, sample code, and technical support.</description>
    </item>
    
    <item>
      <title>How to Track and Enforce Snyk Scans Across Your Production Environments</title>
      <link>https://www.kosli.com/blog/how-to-track-and-enforce-snyk-scans-across-your-production-environments/</link>
      <pubDate>Fri, 01 Sep 2023 03:14:19 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-track-and-enforce-snyk-scans-across-your-production-environments/</guid>
      <description>If you’re delivering software in a regulated environment, or deploying to a critical application or device, ensuring the security of your software code and dependencies is essential. One of the most popular tools for achieving this is Snyk, which gives developers the ability to find and fix vulnerabilities as part of their development workflow. Shifting left on security with Snyk is obviously great, but if you have to go through a security audit you also have to be able to prove that everything was Snyk scanned before it was deployed to production.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - August 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-august-2023/</link>
      <pubDate>Tue, 29 Aug 2023 04:40:42 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-august-2023/</guid>
      <description>Summer vacations are over. Which is fine, because it means it’s time for Autumn vacations 😀 And Autumn is the best time of the year to visit mountains - mosquitoes are gone and the colors get unbelievable! But worry not, even if some of us are away there is always someone in the tech team left, cooking delicious features and improvements for you. Let’s have a look at the ones that we’ve just delivered!</description>
    </item>
    
    <item>
      <title>Stay on top of every change with Kosli Notifications</title>
      <link>https://www.kosli.com/blog/stay-on-top-of-every-change-with-kosli-notifications/</link>
      <pubDate>Tue, 08 Aug 2023 22:09:07 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/stay-on-top-of-every-change-with-kosli-notifications/</guid>
      <description>In this short blog, you will learn how to set up Kosli Notifications so your whole team can stay on top of environment changes and compliance events in real time. 🚀
In fast-paced technology landscapes, understanding how systems are changing is crucial. Developers, DevOps/Platform/SRE teams, security personnel, and management all need this information to manage operational risk, resolve incidents, and just for basic communication with each other. The trouble is, navigating change across teams and systems can mean a lot of wasted time digging through pipeline logs and operations dashboards.</description>
    </item>
    
    <item>
      <title>How to record a business process with Kosli’s Audit Trail</title>
      <link>https://www.kosli.com/blog/how-to-record-a-business-process-with-koslis-audit-trail/</link>
      <pubDate>Tue, 08 Aug 2023 15:47:56 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-record-a-business-process-with-koslis-audit-trail/</guid>
      <description>Have you ever needed to provide proof that a critical business process actually took place? It’s a painful process involving all kinds of paperwork, but it’s the reality for many organizations working in highly regulated industries. For these companies, records need to be kept for actions like the provisioning of user accounts and access to sensitive records. It’s necessary, but it’s manual and time-consuming work. In response to requests from our customers to develop automation for these tasks in Kosli, we are pleased to announce our Audit Trail feature.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - July 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-july-2023/</link>
      <pubDate>Mon, 31 Jul 2023 21:04:38 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-july-2023/</guid>
      <description>Hello! Welcome to July’s edition of the Kosli Changelog. Ewelina is currently enjoying her summer vacation, so I’m here to share a couple of changes from the last few weeks, before I take my summer break.
Jira Issue Commit Evidence
We know many teams that use Jira to track and manage their work, and have policies that require all code changes to reference the related Jira issue. This practice provides traceability from changes to requirements.</description>
    </item>
    
    <item>
      <title>Ace your way through painless audits with Kosli&#39;s Evidence Vault</title>
      <link>https://www.kosli.com/blog/new-kosli-feature-evidence-vault/</link>
      <pubDate>Thu, 13 Jul 2023 09:58:14 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/new-kosli-feature-evidence-vault/</guid>
      <description>Preparing for a software audit can be a time-consuming and painful process where a lot of information needs to be gathered and verified in a provable audit trail. It means tracking down and piecing together evidence for pull requests, test reports, security scans, deployment logs, and more. This information is usually scattered across tools which are typically unsecured and unmanaged, so it can be easily deleted and/or modified. It’s hard to know if all the data has been retained, or if you can really trust it.</description>
    </item>
    
    <item>
      <title>From Monitoring to Action - Get Faster Incident Response with Change Forensics 🕵️‍♀️</title>
      <link>https://www.kosli.com/blog/from-monitoring-to-action-get-faster-incident-response-with-change-forensics/</link>
      <pubDate>Mon, 03 Jul 2023 18:58:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/from-monitoring-to-action-get-faster-incident-response-with-change-forensics/</guid>
      <description>In this post you’ll learn how Kosli’s Change Forensics gives DevOps, Platform, and Site Reliability Engineers the ability to rapidly pinpoint and understand changes and events in their infrastructure and applications, and get to the cause(s) of an incident quickly.
You’ve got a production incident! You’re an engineer, quietly going about your day, editing YAML in between meetings to plan the next series for infrastructure migrations. Out of nowhere, your phone starts buzzing with notifications - Slack messages are flying in.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - June 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-june-2023/</link>
      <pubDate>Fri, 30 Jun 2023 11:24:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-june-2023/</guid>
      <description>Hello, and welcome to the June edition of the Changelog. It’s that time of the year when the days are long, the great outdoors are calling, and it’s not so easy to stay focused at work. But somehow we manage! And we have cooked up some delicious improvements for you. Let’s dig in!
Lambda environment report
It has been possible to report lambda type environments for a while - we started with a simple snapshot of a single lambda deployed as a zip archive.</description>
    </item>
    
    <item>
      <title>How to record events in your CI pipelines with Kosli Flows</title>
      <link>https://www.kosli.com/blog/know-whats-really-happening-in-your-ci-pipelines-with-kosli-flows/</link>
      <pubDate>Tue, 27 Jun 2023 12:00:55 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/know-whats-really-happening-in-your-ci-pipelines-with-kosli-flows/</guid>
      <description>In an ideal world CI pipelines would never fail and deployments would be easy to navigate. The reality is that the journey from commit to production can fail in subtle ways that can be hard to understand. And this problem is multiplied by the number of pipelines in your system.
Simple questions like “which of our 32 pipelines last deployed?”, “which pipelines don’t have Snyk scanning?” and “what should be running in production?</description>
    </item>
    
    <item>
      <title>Data Tampering: A Comprehensive Guide</title>
      <link>https://www.kosli.com/blog/data-tampering-a-comprehensive-guide/</link>
      <pubDate>Thu, 15 Jun 2023 11:06:47 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/data-tampering-a-comprehensive-guide/</guid>
      <description>In an increasingly interconnected and data-driven world, where information shapes decisions and fuels innovation, the integrity of data has become paramount. However, lurking beneath the surface is a silent threat that can undermine trust, compromise systems, and wreak havoc on organizations: data tampering.
In this post, we delve into the realm of data tampering, exploring the vulnerabilities, the reasons behind data tampering practices, and countermeasures against them.
Does your team struggle with software audits?</description>
    </item>
    
    <item>
      <title>Terraform Import: What It Is and How to Use It</title>
      <link>https://www.kosli.com/blog/terraform-import-what-it-is-and-how-to-use-it/</link>
      <pubDate>Sun, 04 Jun 2023 12:33:46 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/terraform-import-what-it-is-and-how-to-use-it/</guid>
      <description>In this post we&amp;rsquo;ll explore Terraform Import, a powerful command-line tool that allows you to bring existing infrastructure under Terraform management. We&amp;rsquo;ll cover what Terraform Import is, its common use cases, and how to use it effectively. Additionally, we&amp;rsquo;ll discuss some limitations you should be aware of when using Terraform Import. Whether new to Terraform or an experienced user, this guide will help you understand and leverage Terraform Import to manage your infrastructure better.</description>
    </item>
    
    <item>
      <title>CRLF Injection, Explained: An In-Depth Guide</title>
      <link>https://www.kosli.com/blog/crlf-injection-explained-an-in-depth-guide/</link>
      <pubDate>Sun, 04 Jun 2023 12:21:24 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/crlf-injection-explained-an-in-depth-guide/</guid>
      <description>In this in-depth guide we&amp;rsquo;ll explore CRLF injection, a web application security vulnerability that can have severe consequences. First, we&amp;rsquo;ll cover what CRLF injection is, the types of CRLF injection attacks, and their potential impacts. Additionally, we&amp;rsquo;ll discuss similarities with other attacks, payloads used in these exploits, and how to prevent CRLF injection. Finally, we&amp;rsquo;ll touch on the role of OWASP in addressing this security risk. By understanding and implementing the recommended practices, developers can build more secure applications and protect their users from the threats posed by CRLF injection.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - May 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-may-2023/</link>
      <pubDate>Thu, 01 Jun 2023 12:25:05 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-may-2023/</guid>
      <description>Hello, and welcome to the May edition of the changelog. I’ve been pretty busy this last month preparing my presentation for the NDC Oslo conference. So, I drifted away from the team for a bit, only to come back and learn about a really interesting feature they’ve been cooking! Let’s take a closer look.
Deployment diff for artifacts
Kosli now figures out whenever a new version of an artifact replaces an older one in your environments, and if you click on the “Deployment diff” button you’ll see the information about the previous version of the artifact.</description>
    </item>
    
    <item>
      <title>This $80m Banking Incident shows that Change Controls don&#39;t work </title>
      <link>https://www.kosli.com/blog/the-swedbank-outage-shows-that-change-controls-dont-work/</link>
      <pubDate>Mon, 29 May 2023 17:56:59 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-swedbank-outage-shows-that-change-controls-dont-work/</guid>
      <description>This week I’ve been reading through the recent judgment from the Swedish FSA on the Swedbank outage. If you’re unfamiliar with this story, Swedbank had a major outage in April 2022 that was caused by an unapproved change to their IT systems. It temporarily left nearly a million customers with incorrect balances, many of whom were unable to meet payments. After investigation, the regulator found that Swedbank had not followed their change management process and issued a SEK850M (~85M USD) fine.</description>
    </item>
    
    <item>
      <title>The Dark Side of DevSecOps and the case for Governance Engineering</title>
      <link>https://www.kosli.com/blog/the-dark-side-of-devsecops-mitigating-risk-beyond-the-supply-chain/</link>
      <pubDate>Mon, 29 May 2023 11:23:19 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-dark-side-of-devsecops-mitigating-risk-beyond-the-supply-chain/</guid>
      <description>For today’s software organizations security has never been more top of mind. On one side there is the present and growing threat of being hacked by malicious actors, set out in Crowdstrike’s recent Global threat report. And, on the other, there is a wave of cybersecurity regulation from the government to mitigate such cybersecurity vulnerabilities. Software organizations feel the heat from both sides as they work to improve their security posture in ways that will also achieve audit and compliance with new rules.</description>
    </item>
    
    <item>
      <title>Authentication Failures: Definition, Consequences, and Prevention</title>
      <link>https://www.kosli.com/blog/authentication-failures-definition-consequences-and-prevention/</link>
      <pubDate>Sat, 20 May 2023 14:23:26 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/authentication-failures-definition-consequences-and-prevention/</guid>
      <description>Authentication is the security process that verifies a user&amp;rsquo;s identity in order to grant access to their online account. It also functions as the gateway to your product. It&amp;rsquo;s a workflow you can&amp;rsquo;t compromise on without risking negative impacts on your users and your company. Fortunately, there are lots of authentication services that can do the heavy lifting for you.
It&amp;rsquo;s important to understand what you can do in case of an authentication failure, when to do it, and why.</description>
    </item>
    
    <item>
      <title>How to Use Ansible Copy Module: An In-Depth Guide</title>
      <link>https://www.kosli.com/blog/how-to-use-ansible-copy-module-an-in-depth-guide/</link>
      <pubDate>Sat, 20 May 2023 14:00:44 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-use-ansible-copy-module-an-in-depth-guide/</guid>
      <description>In this post, we&amp;rsquo;re going to learn about the Ansible copy module. Before we look at the copy module specifically, let us first remind ourselves what Ansible is. You can install this open-source software on just one Linux machine. Then it can perform a lot of tasks on connected Linux machines without requiring Ansible installation on them. You can do tasks like copying files, fetching files, and a lot of other things all on connected machines, with a single command.</description>
    </item>
    
    <item>
      <title>Command Injection: A Guide to Types, Risks, and Prevention</title>
      <link>https://www.kosli.com/blog/command-injection-a-guide-to-types-risks-and-prevention/</link>
      <pubDate>Fri, 12 May 2023 12:12:47 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/command-injection-a-guide-to-types-risks-and-prevention/</guid>
      <description>Command injection is a kind of cyber attack that allows an attacker to execute arbitrary commands on a system. Attackers accomplish this by exploiting vulnerabilities in an application&amp;rsquo;s input validation process.
How Command Injection Works
Command injection attacks occur when an application passes unsafe user input to a system shell. In these instances, attackers can manipulate the input data to include additional commands, granting them unauthorized access to the underlying system.</description>
    </item>
    
    <item>
      <title>What Is Broken-Access Control? Examples and Prevention</title>
      <link>https://www.kosli.com/blog/what-is-broken-access-control-examples-and-prevention/</link>
      <pubDate>Tue, 02 May 2023 13:21:41 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/what-is-broken-access-control-examples-and-prevention/</guid>
      <description>Access control is a security mechanism that regulates who has access to sensitive data, resources, and systems. It ensures that only authorized users can access sensitive data and activities while keeping unauthorized users out. Access control is critical for protecting sensitive data such as personally identifiable information (PII), financial information, and intellectual property.
However, access control can fail due to a variety of factors, such as incorrectly configured policies, insufficient testing, and a lack of input validation.</description>
    </item>
    
    <item>
      <title>Docker Secrets: An Introductory Guide with Examples</title>
      <link>https://www.kosli.com/blog/docker-secrets-an-introductory-guide-with-examples/</link>
      <pubDate>Tue, 02 May 2023 12:43:05 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/docker-secrets-an-introductory-guide-with-examples/</guid>
      <description>Securing sensitive data is crucial for any application, but managing this data can be complex and error-prone. Docker secrets provide a reliable and secure way to handle sensitive information like passwords, API keys, and certificates in your Docker environment. In this introductory guide, we&amp;rsquo;ll explore what Docker secrets are, how to use them with practical examples, and share some best practices to help you safeguard your sensitive data effectively. Additionally, we&amp;rsquo;ll touch upon Docker Swarm, managing secrets without Swarm, and using secrets with Docker Compose.</description>
    </item>
    
    <item>
      <title>How to prove your SDLC is being followed for compliance with medical standards like IEC 62304</title>
      <link>https://www.kosli.com/blog/how-to-prove-your-sdlc-is-being-followed-for-compliance-with-medical-standards-like-iec-62304/</link>
      <pubDate>Fri, 28 Apr 2023 09:15:11 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-prove-your-sdlc-is-being-followed-for-compliance-with-medical-standards-like-iec-62304/</guid>
      <description>If you’re part of a software engineering team in digital health, medtech, medical devices, Software as a Medical Device (SaMD), etc. you have to comply with regulatory standards. And one of the biggest challenges engineering leads have in this sector is figuring out what they have to do to achieve software delivery compliance.
So, to cut right to the chase, if you are looking for an automated solution to prove that your SDLC is being followed, for a tool that will integrate with your stack and gather the documentation and evidence for your test results, unit tests, code reviews etc.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - April 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-april-2023/</link>
      <pubDate>Fri, 28 Apr 2023 07:23:06 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-april-2023/</guid>
      <description>Hello, and welcome to the April edition of the changelog. The weather is finally starting to stabilize and resembles one rather than all the seasons. Parks are full of colors and goslings, and at Kosli we’re as busy as ever, so let’s get right into it.
Azure DevOps support
We’ve barely released cli version 2.0.0* but improvements are flying in. One of them is support for Azure DevOps added in cli version 2.</description>
    </item>
    
    <item>
      <title>Kosli - A Flight Data Recorder for your Runtime Environments</title>
      <link>https://www.kosli.com/blog/kosli-a-flight-data-recorder-for-your-runtime-environments/</link>
      <pubDate>Wed, 26 Apr 2023 07:52:36 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-a-flight-data-recorder-for-your-runtime-environments/</guid>
      <description>Have you ever had to debug an environment and found it hard to understand exactly what had changed? In the worst case scenarios you have to figure this out during high-pressure situations, like when an outage or regression has happened.
Digging through platform logs and cloud consoles is a real nightmare, and it’s often futile because the information has disappeared. What’s worse, tracking what is happening in production back to individual repos, pipelines, and commits can be a long and frustrating process.</description>
    </item>
    
    <item>
      <title>The Benefits and Challenges of Building an SBOM</title>
      <link>https://www.kosli.com/blog/the-benefits-and-challenges-of-building-an-sbom/</link>
      <pubDate>Thu, 20 Apr 2023 07:32:09 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-benefits-and-challenges-of-building-an-sbom/</guid>
      <description>The EO 14028 regarding supply chain security and the need to generate a Software Bill of Materials feels closer to more and more organizations. It might feel like a threat - and that’s a fair feeling. The whole topic of Bill of Materials is not new, but it is a relatively recent trend for software. According to Gartner: “by 2025, 60% of organizations procuring mission-critical software solutions will mandate SBOM disclosure in their license and support agreements, up from less than 5% in 2022.</description>
    </item>
    
    <item>
      <title>What is an SBOM and do you REALLY need it?</title>
      <link>https://www.kosli.com/blog/what-is-an-sbom-and-do-you-really-need-it/</link>
      <pubDate>Thu, 20 Apr 2023 07:31:42 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/what-is-an-sbom-and-do-you-really-need-it/</guid>
      <description>Your code base is growing more and more by the minute alongside the apps your business uses and develops. To give some context, the Linux Foundation Report estimated that “Free and Open Source Software (FOSS) constitutes 70-90% of any given piece of modern software solutions”. This means that 70-90% of your final software possibly depends on OSS. How do you know what’s in them and most importantly how do you know that the software you’re using to build your application is safe, secure and vulnerability-free?</description>
    </item>
    
    <item>
      <title>Kosli Changelog - March 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-march-2023/</link>
      <pubDate>Wed, 19 Apr 2023 14:24:42 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-march-2023/</guid>
      <description>Hello, and welcome to the March edition of the changelog. Spring is on her way, days are now longer than nights (at least in the northern hemisphere where me and my Kosli colleagues reside) and new Kosli features are popping up like snowdrops. We have the latest release of the CLI and a bunch of other stuff to share with you, so let’s get right into it.
Cli version 2.0.0 released
We’re not only building Kosli, we’re using it in our daily work and that made us realize there is room for improvement in our command syntax.</description>
    </item>
    
    <item>
      <title>How to Provision Your AWS Lambda Function Using Terraform</title>
      <link>https://www.kosli.com/blog/how-to-provision-your-aws-lambda-function-using-terraform/</link>
      <pubDate>Thu, 30 Mar 2023 14:32:33 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-provision-your-aws-lambda-function-using-terraform/</guid>
      <description>AWS Lambda is one of the most popular players in the serverless industry. It enables you to run serverless functions on the cloud, which gives you enhanced scalability and optimized costs. Instead of deploying on the traditional server model, you write your code in the form of functions that are packaged and deployed to be executed remotely via triggers such as HTTP calls (your usual web browser requests) or others like database updates or other events.</description>
    </item>
    
    <item>
      <title>How to achieve compliance with FedRAMP Continuous Monitoring</title>
      <link>https://www.kosli.com/blog/how-to-achieve-fedramp-compliance-with-continuous-monitoring-and-nist-800-137-and-nist-800-37/</link>
      <pubDate>Tue, 28 Mar 2023 10:40:04 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-achieve-fedramp-compliance-with-continuous-monitoring-and-nist-800-137-and-nist-800-37/</guid>
      <description>One of the most common frustrations we hear from CTOs and CISOs is that it’s really hard for them to figure out what they&amp;rsquo;re supposed to do to achieve software delivery compliance for regulatory standards like FedRAMP. Google has lots of content offering high level guidance, but little to nothing on actual implementation steps for a secure life cycle, gathering evidence, storing proof, and preparing for audit. But regulated software companies who provide cloud services to the federal government need to prove that their software is delivered according to a life cycle process to comply with FedRAMP, and by extension aspects of the NIST cybersecurity framework.</description>
    </item>
    
    <item>
      <title>How to Use the AWS Lambda Function in Python</title>
      <link>https://www.kosli.com/blog/how-to-use-the-aws-lambda-function-in-python/</link>
      <pubDate>Tue, 21 Mar 2023 08:18:59 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-use-the-aws-lambda-function-in-python/</guid>
      <description>Amazon Web Services (AWS) Lambda and Python democratize access to code development by reducing the complexity involved when developing and deploying it.
The serverless service, AWS Lambda, allows you to run code without provisioning or managing servers. This means you only need to upload the code (or develop it in its built-in code development tool), and AWS Lambda runs and scales it with high availability.
On the other hand, Python is a dynamically typed and interpreted readability-oriented programming language that facilitates code development.</description>
    </item>
    
    <item>
      <title>DevSecOps: The Broken or Blurred Lines of Defense</title>
      <link>https://www.kosli.com/blog/devsecops-the-broken-or-blurred-lines-of-defense/</link>
      <pubDate>Tue, 14 Mar 2023 17:00:10 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/devsecops-the-broken-or-blurred-lines-of-defense/</guid>
      <description>With the modern patterns and practices of DevOps and DevSecOps it’s not clear who the front-line owners are anymore. Today, most organizations&amp;rsquo; internal audit processes have lots of toil and low efficacy. This is something John has referred to in previous presentations as “Security and Compliance Theater.”
In this talk, filmed at Exploring DevOps, Security, Audit compliance and Thriving in the Digital Age, John takes a deep dive into DevSecOps and what effective governance will look like as regulation and automation continue to have competing impacts on the way software is delivered.</description>
    </item>
    
    <item>
      <title>How to create and manage functions in Lambda with AWS CLI</title>
      <link>https://www.kosli.com/blog/how-to-create-and-manage-functions-in-lambda-with-aws-cli/</link>
      <pubDate>Fri, 10 Mar 2023 10:42:09 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-create-and-manage-functions-in-lambda-with-aws-cli/</guid>
      <description>AWS Lambda has been a game changer for the serverless industry ever since its inception in 2014. It allows you to deploy serverless applications in NodeJS, Python, Java, Go, PowerShell, C#, and Ruby. It also offers a runtime API that allows you to leverage any other programming languages to build your apps. This makes it a popular choice for serverless development.
There are two ways to interact with the AWS Lambda platform.</description>
    </item>
    
    <item>
      <title>How to run your Python Flask server inside a readonly Docker container</title>
      <link>https://www.kosli.com/blog/how-to-run-your-python-flask-server-inside-a-readonly-docker-container/</link>
      <pubDate>Tue, 07 Mar 2023 09:18:51 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-run-your-python-flask-server-inside-a-readonly-docker-container/</guid>
      <description>In a previous blog we showed you how to strangle old code using Python decorators. This 5 minute blog post shows you how to run a Python Flask server in a readonly Docker container. The steps are implemented in the public tdd repo.
docker-compose.yml
The yaml to run a Flask server inside a read-only container is simple:
services:
  xy_demo:
    ...
    read_only: true
    tmpfs: [ /tmp ]
Python cache files
When Python runs it creates .</description>
    </item>
    
    <item>
      <title>Kosli Changelog - February 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-february-2023/</link>
      <pubDate>Fri, 03 Mar 2023 08:23:12 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-february-2023/</guid>
      <description>Hello, and welcome to this month’s edition of the change log. We have events filter for environments, commit evidence, GitLab support, and doc updates to share with you, so let’s get straight into it.
Events filter in Environments
We have added a filter to the environment “Log” view. You can choose which artifacts (based on Kosli pipeline) and which event type (started running, exited, changed) you want to see. And, as well as seeing the filtered list on the web page, you can also export it to .</description>
    </item>
    
    <item>
      <title>How to strangle old code using Python decorators</title>
      <link>https://www.kosli.com/blog/how-to-strangle-old-code-using-python-decorators/</link>
      <pubDate>Fri, 24 Feb 2023 12:08:40 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-strangle-old-code-using-python-decorators/</guid>
      <description>The Strangler Pattern is a pattern for safely and carefully retiring old code. The idea is simple - you run the old code and new code live, in production, side-by-side, checking that the new code behaves exactly the same as the old code. Once you are confident it does, you retire the old code.
In a previous blog we showed you how to get Python test coverage faster without killing your server.</description>
    </item>
    
    <item>
      <title>A Deep Dive into fmt Printf in Golang</title>
      <link>https://www.kosli.com/blog/a-deep-dive-into-fmt-printf-in-golang/</link>
      <pubDate>Fri, 24 Feb 2023 12:03:49 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/a-deep-dive-into-fmt-printf-in-golang/</guid>
      <description>Go is a simple but versatile programming language developed by Robert Griesemer at Google. It is one of the most sought-after programming languages and continues to grow in popularity. Critical to its adoption are Go&amp;rsquo;s core packages, which come bundled with the language.
The fmt package in Go is a library that helps with formatted I/O (input/output) operations. It can assist with printing output, scanning output, and formatting text for use in your applications.</description>
    </item>
    
    <item>
      <title>What is AWS Lambda? An Introduction and Guide with Examples</title>
      <link>https://www.kosli.com/blog/what-is-aws-lambda-an-introduction-and-guide-with-examples-1/</link>
      <pubDate>Fri, 24 Feb 2023 11:58:14 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/what-is-aws-lambda-an-introduction-and-guide-with-examples-1/</guid>
      <description>Serverless computing enables you to build and run applications and services without the need to manage infrastructure. With serverless computing, you can focus on writing and deploying your code without worrying about setting up and maintaining servers. However, serverless does not mean that there are no servers involved in running your code. It just means that the servers, operating system, and the rest of the infrastructure is managed for you so you don’t have to worry about it.</description>
    </item>
    
    <item>
      <title>How to Publish Your Golang Binaries with Goreleaser</title>
      <link>https://www.kosli.com/blog/how-to-publish-your-golang-binaries-with-goreleaser/</link>
      <pubDate>Wed, 15 Feb 2023 08:39:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-publish-your-golang-binaries-with-goreleaser/</guid>
      <description>Building CLI applications and tools is a fairly easy task in Golang (Go), especially with libraries like Cobra that make getting started a breeze. Once you finish developing your application or tool, you may need to make it available for others to use, which means building your application for multiple operating systems with different system architectures and package management systems. Such a build process can be daunting and time consuming to manage.</description>
    </item>
    
    <item>
      <title>Docker Inspect Explained: The Essential Guide</title>
      <link>https://www.kosli.com/blog/docker-inspect-explained-the-essential-guide/</link>
      <pubDate>Mon, 13 Feb 2023 18:48:26 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/docker-inspect-explained-the-essential-guide/</guid>
      <description>These days, it&amp;rsquo;s hard for a software engineer to go about their work without bumping into a Docker container. But when we bump into one that&amp;rsquo;s behaving oddly, how do we go about finding out more about it? That depends on the information we want and we can use the inspect command to get it. Inspect configuration—Find out about the base image, volume mounts, port mappings, etc. Use the Docker inspect command.</description>
    </item>
    
    <item>
      <title>Help, we’re doing ISO27001! Why, what, and how? </title>
      <link>https://www.kosli.com/blog/help-were-doing-iso27001-why-what-and-how/</link>
      <pubDate>Mon, 13 Feb 2023 10:43:39 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/help-were-doing-iso27001-why-what-and-how/</guid>
      <description>At Stacc, Espen Thomassen Sæverud (CTO) &amp;amp; Øyvind Fanebust (Partner) have extensive experience in banking and finance with particular expertise in the area of Continuous Compliance. In this talk they will take you on a journey towards their ISO certification, discussing challenges and best approaches.
The change management aspect of their ISO27001 certification gave them concerns about the potential impact on their existing automation. Would they be forced into an ITIL process?</description>
    </item>
    
    <item>
      <title>Regulations v DevSecOps: Requiem </title>
      <link>https://www.kosli.com/blog/regulations-v-devsecops-requiem/</link>
      <pubDate>Mon, 13 Feb 2023 09:54:34 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/regulations-v-devsecops-requiem/</guid>
      <description>In this 15 minute lightning talk, Diptesh “Dips” Mishra, CTO for Shoal (a Standard Chartered Venture) talks about the governance challenges that financial services organizations face when they look to adopt DevSecOps. Dips has worked for Nationwide, Lloyds Banking Group, and RBS and he’ll share key strategies behind successful implementations.
Transcript: Dips, if you could come up and take a glass of water, that’ll give us a chance to give you a clap.</description>
    </item>
    
    <item>
      <title>Inside Investments Unlimited with John Willis</title>
      <link>https://www.kosli.com/blog/inside-investments-unlimited-with-john-willis/</link>
      <pubDate>Mon, 13 Feb 2023 07:56:52 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/inside-investments-unlimited-with-john-willis/</guid>
      <description>John Willis, Distinguished Researcher at Kosli, dives into Investments Unlimited - the latest novel from IT Revolution. It’s about an investment bank dealing with DevOps, DevSecOps, and IT Risk. John is co-author of this bestseller and he will share the story behind the book, how and why it was created, and the real life lessons it holds for all regulated software organizations.
Filmed at Exploring DevOps, security, audit compliance, and thriving in the digital age in Oslo on December 8th 2022.</description>
    </item>
    
    <item>
      <title>Understanding Golang Command Line Arguments</title>
      <link>https://www.kosli.com/blog/understanding-golang-command-line-arguments/</link>
      <pubDate>Wed, 08 Feb 2023 16:35:19 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/understanding-golang-command-line-arguments/</guid>
      <description>Command line interface (CLI) tools are essential in the day-to-day life of developers. They allow you to get your desired result by simply sending a few text inputs, and they consume fewer resources compared to a GUI, as there is no additional graphical interface used. It’s for these reasons that most dev tools have a CLI tool built. For example, you can use GitHub through either their GUI or the GitHub CLI.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - January 2023</title>
      <link>https://www.kosli.com/blog/kosli-changelog-january-2023/</link>
      <pubDate>Thu, 02 Feb 2023 09:11:29 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-january-2023/</guid>
      <description>With the beginning of the year days are getting longer and the Kosli team is full of energy! So new features and fixes are flying in. There is a lot of work done with backend focus, so the app stays safe and stable, but there are also things that you may notice right away.
Better error handling Have you ever been confused by error messages Kosli cli sends your way? I know I was.</description>
    </item>
    
    <item>
      <title>Knight Capital - A story about DevOps Automated Governance</title>
      <link>https://www.kosli.com/blog/knight-capital-a-story-about-devops-automated-governance/</link>
      <pubDate>Wed, 01 Feb 2023 09:30:06 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/knight-capital-a-story-about-devops-automated-governance/</guid>
      <description>Knight Capital Group, Inc. was a global financial services firm that operated in the world&amp;rsquo;s premier market-making, electronic execution, and offered side platform. It was one of the leading market makers in the USA, with more than 1,800 registered representatives serving approximately 31,000 active retail brokerage accounts. In 2012 a software error at the company led to a catastrophic trading loss and a collapse in their stock price. And it could have been avoided.</description>
    </item>
    
    <item>
      <title>A short history of the software bill of materials (SBOM)</title>
      <link>https://www.kosli.com/blog/what-is-an-sbom-a-history-of-the-software-bill-of-material/</link>
      <pubDate>Mon, 30 Jan 2023 07:41:37 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/what-is-an-sbom-a-history-of-the-software-bill-of-material/</guid>
      <description>Many people are talking about the software bill of materials, but few know about SBOM origins. I find it essential to understand the genesis of ideas, so let’s talk about the beginning of the SBOM. First, we need to define the software bill of materials. What is an SBOM? Let’s read how others define an SBOM.
What is an SBOM? A “Software Bill of Materials” (SBOM) is a nested inventory for software, a list of ingredients that make up software components.</description>
    </item>
    
    <item>
      <title>How to Use Kubernetes Namespaces: A Guide with Examples</title>
      <link>https://www.kosli.com/blog/how-to-use-kubernetes-namespaces-a-guide-with-examples/</link>
      <pubDate>Thu, 26 Jan 2023 12:20:39 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-use-kubernetes-namespaces-a-guide-with-examples/</guid>
      <description>Kubernetes namespaces logically isolate groups of related objects inside a cluster. You can use them to distinguish among objects belonging to different deployments, teams, and organizations. Namespace-level controls let you set resource limits and access control rules that span all the namespace&amp;rsquo;s objects, providing a consistent management experience.
In this article you&amp;rsquo;ll learn how namespaces work, when to create a new one, and what best practices to follow. It also covers practical techniques for interacting with namespaces using kubectl.</description>
    </item>
    
    <item>
      <title>Cybersecurity regulation and the software supply chain</title>
      <link>https://www.kosli.com/blog/the-software-supply-chain-and-secondary-artifacts/</link>
      <pubDate>Thu, 26 Jan 2023 08:51:11 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-software-supply-chain-and-secondary-artifacts/</guid>
      <description>It&amp;rsquo;s standard practice for software companies to use existing software components as building blocks for their new products. But what happens when those building blocks contain vulnerabilities that can be exploited by malicious actors? Recent cybersecurity breaches like the one at Solar Winds have attracted the attention of regulators, and that means software organizations are going to have to get serious about governance and risk.
The problem with building new software out of existing software In today’s world, building new software usually starts with existing software components someone else has written.</description>
    </item>
    
    <item>
      <title>The Misunderstood Troll - A story about collaboration, communication and visibility in a regulated software organization</title>
      <link>https://www.kosli.com/blog/the-misunderstood-troll-a-story-about-collaboration-communication-and-visibility-in-a-regulated-software-organization/</link>
      <pubDate>Tue, 24 Jan 2023 13:14:01 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-misunderstood-troll-a-story-about-collaboration-communication-and-visibility-in-a-regulated-software-organization/</guid>
      <description>In this talk Alex Kantor, Director of Technology at Modulr, will show you how they used Kosli to enable their developers to release directly to production in a financially regulated environment - while staying in compliance with their change management obligations.
A new spin on a classic format, Alex tells a story about how collaboration, communication, and visibility helped a misunderstood Troll to empower a nation.
The talk was filmed at Exploring DevOps, security, audit compliance, and thriving in the digital age in Oslo, Dec 8th 2022.</description>
    </item>
    
    <item>
      <title>How to Configure CLI Tools in Standard Formats with Viper in Golang</title>
      <link>https://www.kosli.com/blog/how-to-configure-cli-tools-in-standard-formats-with-viper-in-golang/</link>
      <pubDate>Thu, 19 Jan 2023 13:26:39 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-configure-cli-tools-in-standard-formats-with-viper-in-golang/</guid>
      <description>Over the past few years, the DevOps and CloudOps sectors have seen a rise in tools that focus on improving certain operations of teams within the industry. There seems to be a tool for almost any action you could think of, ranging from containerization tools to systems benchmarking, monitoring, and reporting tools. However, it’s become common for organizations to build their own command line (CLI) tools and programs, as the tools currently available may introduce unnecessary overhead or lack certain critical options.</description>
    </item>
    
    <item>
      <title>Get Python test coverage faster without killing your server</title>
      <link>https://www.kosli.com/blog/getting-python-integration-test-coverage-without-killing-your-gunicorn-server/</link>
      <pubDate>Wed, 18 Jan 2023 08:26:10 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/getting-python-integration-test-coverage-without-killing-your-gunicorn-server/</guid>
      <description>Getting system test coverage from a Python web server is not straightforward. If you search the internet, all the hits describe killing the server (e.g. gunicorn) to get the coverage exit handlers to run. When you run your server from a Docker container, this means the next test run is forced to bring up a new container. This slowed our test cycle, which we didn&amp;rsquo;t like, so we found a faster way.</description>
    </item>
    
    <item>
      <title>How to Securely Create, Edit, and Update Your Kubernetes Secrets</title>
      <link>https://www.kosli.com/blog/how-to-securely-create-edit-and-update-your-kubernetes-secrets/</link>
      <pubDate>Fri, 06 Jan 2023 16:36:55 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-securely-create-edit-and-update-your-kubernetes-secrets/</guid>
      <description>Secrets centrally store confidential data such as passwords, API keys, and certificates inside your Kubernetes cluster. You can inject secrets into your pods as environment variables or files in a mounted volume. The mechanism lets applications securely access sensitive values, without the risk of accidental exposure that plain ConfigMaps create.
This article will show you how to use secrets and then explain some of their weaknesses. You’ll be able to build safer applications by combining secrets with a properly hardened Kubernetes cluster.</description>
    </item>
    
    <item>
      <title>Understanding Your Kubernetes Deployment Lifecycle—A Guide with Examples</title>
      <link>https://www.kosli.com/blog/understanding-your-kubernetes-deployment-lifecyclea-guide-with-examples-1/</link>
      <pubDate>Tue, 03 Jan 2023 10:33:38 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/understanding-your-kubernetes-deployment-lifecyclea-guide-with-examples-1/</guid>
      <description>Kubernetes today is the foremost container orchestration platform in the cloud-native ecosystem. It&amp;rsquo;s an open source system with rich features backed by a large and growing community. Its self-healing capability is one of its most prominent qualities. Functionally, this is made possible by the Kubernetes controllers, of which the deployment controller is one of the most widely used. The deployment controller runs an infinite watch loop to ensure that the current state matches the desired state for deployment objects running in the cluster.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - December 2022</title>
      <link>https://www.kosli.com/blog/kosli-changelog-december-2022/</link>
      <pubDate>Mon, 19 Dec 2022 13:02:03 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-december-2022/</guid>
      <description>End of the year is just around the corner and many of us will leave for a holiday break soon. So this time you hear from us long before the month is over. Nothing to worry about! So much is happening we have more than enough to share.
Export environment report Inspired by a request from one of our users we’ve decided to spend some time on the “environment filtering report” feature.</description>
    </item>
    
    <item>
      <title>Looking back on 2022: Kosli wrap-up</title>
      <link>https://www.kosli.com/blog/looking-back-on-2022-kosli-wrap-up/</link>
      <pubDate>Thu, 15 Dec 2022 16:53:06 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/looking-back-on-2022-kosli-wrap-up/</guid>
      <description>When you work in a startup, it’s easy to get so focussed on the day-to-day tasks that it can feel like nothing is really changing. It’s only when you take a step back that you can see the bigger picture and realize just how far you’ve come and what you have accomplished.
When I look back over the last 12 months I can see how far we’ve come and know we have a lot of things to celebrate at Kosli.</description>
    </item>
    
    <item>
      <title>10 books you need to read if you’re building a developer tool company </title>
      <link>https://www.kosli.com/blog/10-books-you-need-to-read-if-youre-building-a-developer-tool-company/</link>
      <pubDate>Thu, 15 Dec 2022 14:21:12 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/10-books-you-need-to-read-if-youre-building-a-developer-tool-company/</guid>
      <description>If you’re building developer tools in a startup, you’re always inundated by the items on your plate and the decisions you need to make. However, despite this growing mountain of tasks, one important characteristic of a successful CEO is to have a holistic view of the whole business, from product development and business growth to marketing strategies and sales activities. Additionally, when you’re at the head of a team, it is important to pay attention to the company culture, be empathetic and show good leadership.</description>
    </item>
    
    <item>
      <title>Why I joined Kosli - a story about DevOps and modern governance</title>
      <link>https://www.kosli.com/blog/why-i-joined-kosli-a-story-about-devops-and-modern-governance/</link>
      <pubDate>Tue, 13 Dec 2022 18:35:29 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/why-i-joined-kosli-a-story-about-devops-and-modern-governance/</guid>
      <description>Maybe I’m crazy, but I’ve just joined my 12th startup at the age of 63. Kosli is the product I&amp;rsquo;ve been looking for since I started talking about this idea five years ago, but until recently I couldn’t find anyone who wanted to build it. That all changed when I ran into the Kosli founders at DevOpsDays DC back in September 2022.
As I join Kosli, I’m reminded of when I joined Chef in 2010 just as the infrastructure of the code era was starting.</description>
    </item>
    
    <item>
      <title>Understanding Kubernetes Events: A Guide</title>
      <link>https://www.kosli.com/blog/understanding-kubernetes-events-a-guide/</link>
      <pubDate>Wed, 07 Dec 2022 09:45:47 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/understanding-kubernetes-events-a-guide/</guid>
      <description>Kubernetes events document the changes that occur inside your cluster. Viewing stored events can explain problems and help you resolve failures.
An event is generated automatically each time there&amp;rsquo;s a significant change to an object. Events fire when there are new deployments, successful jobs, memory pressure on a node, or any other activity that&amp;rsquo;s meaningful to cluster administrators.
Regularly reviewing events is a good starting point when assessing your cluster&amp;rsquo;s health and performance.</description>
    </item>
    
    <item>
      <title>Kosli Changelog - November 2022</title>
      <link>https://www.kosli.com/blog/kosli-changelog-november-2022/</link>
      <pubDate>Tue, 06 Dec 2022 12:54:20 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-changelog-november-2022/</guid>
      <description>A lot is happening at Kosli headquarters and satellite offices (or homes! How sweet working for a remote first company can be). In this post we’d like to share some of the latest additions that happened in November.
The command I was waiting for Kosli already offers a lot of features and commands. Depending on the type of issues you’re usually dealing with - sw development, infrastructure, quality - you may have found your favorite or most useful feature is different from what your colleagues would choose.</description>
    </item>
    
    <item>
      <title>“Did I break prod?” Part 2. Introducing the Kosli Search command</title>
      <link>https://www.kosli.com/blog/did-i-break-prod--part-2-introducing-the-kosli-search-command/</link>
      <pubDate>Fri, 02 Dec 2022 12:29:11 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/did-i-break-prod--part-2-introducing-the-kosli-search-command/</guid>
      <description>A few months ago, I shared the Eureka moment I had when I realized how much easier (and less stressful) my earlier career as a developer would have been if I&amp;rsquo;d had Kosli. Tl;dr - I thought I’d broken critical functionality of our SW with effects seen nationwide and was understandably stressed about it. Was it my change that broke it? I had no idea. But if I’d had Kosli I could’ve just gone to app.</description>
    </item>
    
    <item>
      <title>Kosli announces Innovation Partnership with DNB and Firi</title>
      <link>https://www.kosli.com/blog/kosli-announces-innovation-partnership-with-dnb-and-firi/</link>
      <pubDate>Wed, 23 Nov 2022 11:53:08 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-announces-innovation-partnership-with-dnb-and-firi/</guid>
      <description>We are pleased to announce that Innovasjon Norge has awarded Kosli an innovation grant of 3.4 million NOK to pursue an R&amp;amp;D project with DNB and Firi. In this blog we’ll give you an overview of the problems we’ll be working on and the solutions we intend to build together. First, a word on our innovation partners, who we are delighted to be working with on this project. DNB DNB is Norway’s largest financial group.</description>
    </item>
    
    <item>
      <title>The Ultimate Guide to git blame: A How To with Examples</title>
      <link>https://www.kosli.com/blog/the-ultimate-guide-to-git-blame-a-how-to-with-examples/</link>
      <pubDate>Tue, 22 Nov 2022 12:47:04 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-ultimate-guide-to-git-blame-a-how-to-with-examples/</guid>
      <description>Source control tools give users many powers and one of the big ones is traceability. With traceability tools you can know exactly who made each change and when they made it. In Git, you use the git blame command for this. Despite its negative-sounding name, it is a crucial command for you to know.
In this post, we&amp;rsquo;ll give you the ultimate guide on git blame. Among other things, you&amp;rsquo;ll learn the following:</description>
    </item>
    
    <item>
      <title>Git Blame in VS Code: The 4 Best Options</title>
      <link>https://www.kosli.com/blog/git-blame-in-vs-code-the-4-best-options/</link>
      <pubDate>Wed, 16 Nov 2022 20:06:58 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/git-blame-in-vs-code-the-4-best-options/</guid>
      <description>Most production projects have a team collaborating on them, so even in a single file there can be multiple contributors. When things go wrong, it’s useful to understand how and why certain changes were made to the code and by whom. This can be easily done with the powerful git blame command in VS Code. You can use it to identify who authored each line of code in any given file.</description>
    </item>
    
    <item>
      <title>What&#39;s going on at Kosli?</title>
      <link>https://www.kosli.com/blog/whats-going-on-at-kosli-1/</link>
      <pubDate>Fri, 04 Nov 2022 08:15:08 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/whats-going-on-at-kosli-1/</guid>
      <description>Wednesday November 2nd was a massive day in our journey at Kosli, in so many ways. I thought I&amp;rsquo;d write a short note to tie all the announcements into a more cohesive picture:
We are making our technology available for everyone by launching our free tier. Now you can record, connect and search all of your devops, no credit card, no traps. As part of bringing our tech to a wider community, we can announce our $3.</description>
    </item>
    
    <item>
      <title>Kosli&#39;s free tier is now available 🚀</title>
      <link>https://www.kosli.com/blog/kosli-the-missing-piece-in-your-monitoring-stack-is-now-freely-available/</link>
      <pubDate>Tue, 01 Nov 2022 08:39:59 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-the-missing-piece-in-your-monitoring-stack-is-now-freely-available/</guid>
      <description>Does any big software organization really know what’s happening in their software delivery processes? After 10 years of DevOps and automation we ship more changes than ever before. And we’re only going to ship more next year, and the year after that. High volumes of change bring new challenges. On a day to day level it’s a pain for developers to find anything. Where’s my code? What broke my environment? For CTOs and managers compliance becomes a nightmare.</description>
    </item>
    
    <item>
      <title>How to define your software process using the Secure SDLC process template</title>
      <link>https://www.kosli.com/blog/how-to-define-your-software-process-using-the-devopsctl-framework/</link>
      <pubDate>Fri, 28 Oct 2022 09:00:55 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-define-your-software-process-using-the-devopsctl-framework/</guid>
      <description>Something I’ve learned over the last 10 years of helping organizations with DevOps is that teams frequently struggle to define a software development process. You’ll find a lot of content on Google around refining your process, ensuring compliance in your process, making your process more secure, etc. But there’s not so much advice on actually defining one.
What I’ve heard from teams is that they don’t really know what their process should look like in the first instance.</description>
    </item>
    
    <item>
      <title>Docker Tags Demystified: A Guide With Examples</title>
      <link>https://www.kosli.com/blog/docker-tags-demystified-a-guide-with-examples/</link>
      <pubDate>Mon, 17 Oct 2022 19:43:44 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/docker-tags-demystified-a-guide-with-examples/</guid>
      <description>The main principle behind Docker and containerization isn&amp;rsquo;t too difficult to grasp. You put your software and its dependencies inside a &amp;ldquo;package&amp;rdquo; and distribute it. Whoever has this package will be able to run the application, and it&amp;rsquo;s all but guaranteed to behave as expected.
However, actually learning how to work with Docker can feel a little overwhelming. There are countless commands and each of them has many options. This post aims to make your Docker journey easier by taking a deep dive into the docker tag command.</description>
    </item>
    
    <item>
      <title>Does the GitOps emperor have no clothes?</title>
      <link>https://www.kosli.com/blog/does-the-gitops-emperor-have-no-clothes/</link>
      <pubDate>Mon, 17 Oct 2022 10:01:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/does-the-gitops-emperor-have-no-clothes/</guid>
      <description>A hot take 🔥🔥 from a kind place.
Before I start throwing sparks around I want to make clear that I think there’s lots of benefits to capturing everything as code in git. Static definitions, recipes and specs for how we make our software are useful in all kinds of ways. 🌈
However, those definitions don&amp;rsquo;t help us to understand our dynamic environment and that’s my essential problem with GitOps. Lots of claims are made for GitOps - it offers better security, historical records, and a solution to drift and reconciliation.</description>
    </item>
    
    <item>
      <title>DevOps Compliance Agency (DCA) investigating The DevOps Enterprise Summit in Las Vegas</title>
      <link>https://www.kosli.com/blog/devops-compliance-authority-dca-investigating-the-devops-enterprise-summit-in-las-vegas/</link>
      <pubDate>Fri, 14 Oct 2022 10:59:29 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/devops-compliance-authority-dca-investigating-the-devops-enterprise-summit-in-las-vegas/</guid>
      <description>Kosli has been tipped off that at this year&amp;rsquo;s DevOps Enterprise Summit in Las Vegas (Oct 18-20) the DevOps Compliance Agency (DCA) will be in attendance to review and monitor conference activities. Field Agents will be on-site to sniff out any non-compliant DevOps processes and put them on the right path!
What to look out for! The men in blue, Agent Long and Agent Logan, will be on the ground to assist in any matters that relate to your software compliance automation.</description>
    </item>
    
    <item>
      <title>Using git diff to Compare Tags: A Guide With Examples</title>
      <link>https://www.kosli.com/blog/using-git-diff-to-compare-tags-a-guide-with-examples/</link>
      <pubDate>Thu, 13 Oct 2022 18:53:46 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/using-git-diff-to-compare-tags-a-guide-with-examples/</guid>
      <description>In Git, you can use the git diff command for comparisons. This command is very powerful and flexible, and it covers a lot of ground, but today we&amp;rsquo;ll be narrowing the scope down to the &amp;ldquo;git diff tags&amp;rdquo; use case. In this post you&amp;rsquo;ll learn how to compare two tags in Git. We’ll cover some fundamentals about both the git diff command and tags, so don&amp;rsquo;t worry if you&amp;rsquo;re not familiar with these terms.</description>
    </item>
    
    <item>
      <title>Review: Investments Unlimited - A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age </title>
      <link>https://www.kosli.com/blog/investments-unlimited-a-novel-about-devops-security-audit-compliance-and-thriving-in-the-digital-age/</link>
      <pubDate>Wed, 05 Oct 2022 11:40:10 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/investments-unlimited-a-novel-about-devops-security-audit-compliance-and-thriving-in-the-digital-age/</guid>
      <description>“You know, it may feel like regulators are out to get us, but they’re really there to help us and help protect our customers.”
If you’re into DevOps there’s a pretty good chance at least one book from IT Revolution sits on your shelf. Headed up by Gene Kim, IT Revolution has been publishing instant classics on DevOps culture and practices like The DevOps Handbook, Accelerate (which I absolutely love) and Team Topologies for several years.</description>
    </item>
    
    <item>
      <title>Git Grep Like a Pro: The Complete Guide</title>
      <link>https://www.kosli.com/blog/git-grep-like-a-pro-the-complete-guide/</link>
      <pubDate>Tue, 27 Sep 2022 19:34:14 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/git-grep-like-a-pro-the-complete-guide/</guid>
      <description>How do you search for a given string inside many different files? If you&amp;rsquo;re familiar with the command line, you have the answer on the tip of your tongue: grep. You may know that there is a Git-specialized version of grep called the git grep command. This post is going to teach you about this command. You&amp;rsquo;ll learn what it is, how it differs from the regular grep, and how to use it in various situations.</description>
    </item>
    
    <item>
      <title>Docker Commit Explained: A Guide With Examples</title>
      <link>https://www.kosli.com/blog/docker-commit-explained-a-guide-with-examples/</link>
      <pubDate>Sun, 25 Sep 2022 17:36:05 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/docker-commit-explained-a-guide-with-examples/</guid>
      <description>Docker is a popular set of tools for creating and running applications in containers. Developing an application to run in a container means isolating the application from the underlying system/environment so that the application can be run in any environment. The environment will be injected into the application at runtime.
Docker provides a powerful command-line interface (CLI) to work with containers. In this article, we&amp;rsquo;ll take a look at the commit command in particular and how we can use it to create a new image from a container.</description>
    </item>
    
    <item>
      <title>Docker Build: A Detailed Guide With Examples</title>
      <link>https://www.kosli.com/blog/docker-build-a-detailed-guide-with-examples/</link>
      <pubDate>Fri, 23 Sep 2022 12:25:37 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/docker-build-a-detailed-guide-with-examples/</guid>
      <description>One of the many ways Docker makes your life easier is that there are a bunch of development tools you no longer need to install on your machine. Instead, you can rely on images.
But if you plan on using Docker for deploying your apps, then you&amp;rsquo;ll also need to create your own images. When that&amp;rsquo;s the case, the docker build command is what you need. This post is all about the docker build command, what it&amp;rsquo;s for, and how to use it.</description>
    </item>
    
    <item>
      <title>Git and the benefits and challenges of everything-as-code</title>
      <link>https://www.kosli.com/blog/git-and-the-benefits-and-challenges-of-everything-as-code-1/</link>
      <pubDate>Thu, 25 Aug 2022 08:07:58 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/git-and-the-benefits-and-challenges-of-everything-as-code-1/</guid>
      <description>Git has been a central part of the DevOps story. Our continuous integration systems run builds, produce artifacts, execute tests, and ultimately deploy systems defined as code in our git repositories. More recently, GitOps has extended the reach of git towards a better understanding of our kubernetes workloads. But does that come with hidden challenges?
In this post I’ll take a look at the benefits of everything-as-code before considering some of the gaps that remain in how we describe and understand our process.</description>
    </item>
    
    <item>
      <title>Tracking changes for your Amazon S3 and Lambda functions with Kosli</title>
      <link>https://www.kosli.com/blog/tracking-changes-for-your-amazon-s3-or-lambda-functions-with-kosli/</link>
      <pubDate>Wed, 10 Aug 2022 12:45:18 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/tracking-changes-for-your-amazon-s3-or-lambda-functions-with-kosli/</guid>
      <description>The benefits of serverless software architecture include faster and more fine-grained changes to your software without worrying about managing hardware resources. This increase in change volume can be hard to track when there are multiple functions, pipelines and teams working in parallel.
In this article we will explain and show how to automatically track and navigate DevOps changes to your serverless Lambda and S3 deployments with Kosli. We will go through examples on how to:</description>
    </item>
    
    <item>
      <title>“Did I break prod?😰” The day I realized Kosli would’ve known the answer</title>
      <link>https://www.kosli.com/blog/did-i-break-prod--the-day-i-realized-kosli-wouldve-known-the-answer/</link>
      <pubDate>Wed, 03 Aug 2022 10:54:56 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/did-i-break-prod--the-day-i-realized-kosli-wouldve-known-the-answer/</guid>
      <description>If you had the chance to read my first blog post for Kosli, describing my first week at the company, you’ll know I wasn’t exactly a Kosli expert when I started. At the beginning I spent most of my time trying to figure out what Kosli is for and why anyone would use it.
This isn’t because Kosli is especially complicated. It’s because I lacked experience developing software for heavily regulated industries.</description>
    </item>
    
    <item>
      <title>Why developers need a DevOps database</title>
      <link>https://www.kosli.com/blog/why-developers-need-a-devops-database/</link>
      <pubDate>Fri, 17 Jun 2022 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/why-developers-need-a-devops-database/</guid>
      <description>Can you imagine developing software without version control? What if I told you that we were doing exactly the same thing with DevOps?
In this article I’ll explain why developers need a database for DevOps, and make the case that it should have similar semantics to a version control system.
Can you imagine life without version control? Life without software version control would really suck. We’d lose all the history of the changes made to our software.</description>
    </item>
    
    <item>
      <title>Merkely is now Kosli!</title>
      <link>https://www.kosli.com/blog/merkely-is-now-kosli/</link>
      <pubDate>Thu, 16 Jun 2022 22:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/merkely-is-now-kosli/</guid>
      <description>Merkely is now Kosli! Hello! We would like to announce that we have renamed and rebranded as Kosli. A lot has happened over the last six months and it&amp;rsquo;s time for a new sign above the door and a fresh lick of paint.
When we created Merkely we were looking to automate change management compliance for regulated DevOps teams. The platform we built works like a flight data recorder that allows anyone to track, prove, and query exactly how their systems are changing.</description>
    </item>
    
    <item>
      <title>Continuous Delivery Change Management in ITIL Frameworks</title>
      <link>https://www.kosli.com/blog/how-can-i-do-continuous-delivery-in-my-itil-framework/</link>
      <pubDate>Sun, 17 Apr 2022 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-can-i-do-continuous-delivery-in-my-itil-framework/</guid>
      <description>Key takeaways: ITIL change management framework doesn’t work for frequent software releases. That’s a problem because regulated teams want continuous delivery. By automating change management they can release software as standard changes. Introduction: There are quite a lot of articles out there on this topic, usually trying to score for SEO, that promise to show you how to do this without actually ever getting there. But it can be done and in this piece I will explain how.</description>
    </item>
    
    <item>
      <title>How to deliver software with Continuous Compliance: A DevOps culture</title>
      <link>https://www.kosli.com/blog/continuous-compliance-a-devops-culture/</link>
      <pubDate>Tue, 05 Apr 2022 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/continuous-compliance-a-devops-culture/</guid>
      <description>Imagine your developers are the world’s fastest relay team 🏃 When it comes to build, test, and qualify they get round the running track faster than anyone else. Unfortunately for them the finishing line is hidden somewhere outside the stadium. Welcome to regulated DevOps.
How did they get to be running this impossible race? Well, better tools and working practices have meant a dramatic shift from annual software releases to a world where teams have the ability to deploy multiple times every day.</description>
    </item>
    
    <item>
      <title>Why ITIL Change Management doesn’t work for DevOps teams</title>
      <link>https://www.kosli.com/blog/why-itil-change-management-doesn-t-work-for-devops/</link>
      <pubDate>Wed, 23 Mar 2022 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/why-itil-change-management-doesn-t-work-for-devops/</guid>
      <description>Are you trying to do DevOps under regulation? If so, you’ll know the pain of change management. In this article we’ll look at how delivering software with DevOps is incompatible with old school ways of managing change with ITIL and how you can automate your change management process with a DevOps approach. As regulated industries speed up their DevOps processes they find that managing software releases with ITIL tickets and change meetings just doesn’t scale.</description>
    </item>
    
    <item>
      <title>Visma Tech Talk with Kosli&#39;s Mike Long - DevOps: The Beginning of Infinity</title>
      <link>https://www.kosli.com/blog/visma-tech-talk-with-kosli-s-mike-long-devops-the-beginning-of-infinity/</link>
      <pubDate>Thu, 17 Mar 2022 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/visma-tech-talk-with-kosli-s-mike-long-devops-the-beginning-of-infinity/</guid>
      <description>In this video Mike speaks to Tinius Alexander Lystad from Visma about his latest talk, DevOps: The Beginning of Infinity.
Inspired by David Deutsch, Mike explores the concept of infinite knowledge creation and how it relates to the future of DevOps. We won’t give away too many spoilers here, so check out the full video if you want to know more.
If you want to know more about Mike you can find his profile here.</description>
    </item>
    
    <item>
      <title>How are Docker digests calculated and are they mutable?</title>
      <link>https://www.kosli.com/blog/how-are-docker-digests-calculated-and-are-they-mutable/</link>
      <pubDate>Wed, 09 Mar 2022 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-are-docker-digests-calculated-and-are-they-mutable/</guid>
      <description>To ensure binary provenance in your software development process you must, among other things, have confidence that the artifact doesn’t change. If you use a code review and test result as an assurance that it’s a valid and reliable artifact, the binary or Docker image you’ve reviewed and tested should be the same one you deploy later.
Applying the SHA-256 algorithm: One way to solve this is to give your artifact a unique, immutable signature - something that will not change unless the artifact itself changes.</description>
    </item>
    
    <item>
      <title>How Kosli automates Change Management for Kubernetes workloads</title>
      <link>https://www.kosli.com/blog/how-kosli-automates-change-management-for-kubernetes-workloads/</link>
      <pubDate>Wed, 23 Feb 2022 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-kosli-automates-change-management-for-kubernetes-workloads/</guid>
      <description>If you’re delivering software in a regulated space, and you’re using Kubernetes, you’ll know how problematic change management is. On one hand you have a highly dynamic container based system that’s constantly changing. On the other hand regulatory obligations mean you must have a controlled and documented way of managing all of the changes in those systems.
And that’s not all. Knowing exactly what’s running in production at any given time is difficult enough, but it’s only half the battle.</description>
    </item>
    
    <item>
      <title>My experience of working remotely with our customers</title>
      <link>https://www.kosli.com/blog/my-experience-of-working-remotely-with-our-customers/</link>
      <pubDate>Thu, 17 Feb 2022 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/my-experience-of-working-remotely-with-our-customers/</guid>
      <description>In my previous blog post I described the onboarding experience at Kosli and how I got started with my colleagues in a remote-first company. This time I’d like to take this topic further and talk about working remotely with customers.
Making the transition to remote working: Before I joined Kosli I spent almost 5 years working as a consultant. At the beginning, when I got my first customer, the idea of working remotely didn’t really cross my mind.</description>
    </item>
    
    <item>
      <title>5 reasons why your CI system is a terrible Compliance System of Record</title>
      <link>https://www.kosli.com/blog/5-reasons-why-your-ci-system-is-a-terrible-compliance-system-of-record/</link>
      <pubDate>Wed, 09 Feb 2022 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/5-reasons-why-your-ci-system-is-a-terrible-compliance-system-of-record/</guid>
      <description>“Why can’t we use our CI system for our Compliance System of Record (CSoR)?”
This is a question we get asked a lot when we’re talking about compliance with regulated DevOps teams. And it’s a perfectly reasonable question to ask.
If Jenkins, GitLab, GitHub, or CircleCI is the engine for your DevOps it will contain a lot of information relevant to maintaining a CSoR. However, your CI system shouldn’t form the basis for your CSoR and in this article we’ll give you 5 reasons why.</description>
    </item>
    
    <item>
      <title>How to design a DevOps Compliance System of Record</title>
      <link>https://www.kosli.com/blog/how-to-design-a-devops-compliance-system-of-record/</link>
      <pubDate>Tue, 01 Feb 2022 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-design-a-devops-compliance-system-of-record/</guid>
      <description>If you deliver software in a regulated industry you have to be able to show that you are following a defined process. And that means being able to produce a record of what’s going on in your DevOps workflows.
When we have conversations about DevOps compliance with regulated software teams this topic frequently comes up. And what these teams require is best described by Carl Nygard as a Compliance System of Record (CSoR).</description>
    </item>
    
    <item>
      <title>How regulated teams can avoid the DevOps Lite trap with DevOps Change Management</title>
      <link>https://www.kosli.com/blog/how-to-avoid-the-devops-lite-trap-with-devops-change-management/</link>
      <pubDate>Tue, 25 Jan 2022 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-avoid-the-devops-lite-trap-with-devops-change-management/</guid>
      <description>DevOps is being adopted across regulated industries, but old ITIL approaches to change management still create unnecessary lead times and risks. Fortunately, you don’t have to fall into the DevOps Lite trap with 20th century change management. Not when DevOps provides all the compliance automation you’ll ever need. 🙌
Technology organizations are moving away from large, monolithic, centrally managed IT systems towards a future with small, loosely coupled and rapidly updated micro-systems.</description>
    </item>
    
    <item>
      <title>How to secure your software supply chain with Artifact Binary Provenance</title>
      <link>https://www.kosli.com/blog/how-to-secure-your-software-supply-chain-with-artifact-binary-provenance/</link>
      <pubDate>Thu, 13 Jan 2022 08:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-secure-your-software-supply-chain-with-artifact-binary-provenance/</guid>
      <description>In Kosli, we use Artifact Binary Provenance as the foundation for our audit trails. Artifact Binary Provenance is a fancy term, but the idea behind it is really quite simple. All it means is that we can identify the software we have running in production. Let’s take a closer look 👀
How should we identify software? There are lots of ways to identify software. In our industry we’ve tried different approaches to version numbers like semantic versioning and release names.</description>
    </item>
    
    <item>
      <title>Kosli 2021 - Making friends with change</title>
      <link>https://www.kosli.com/blog/kosli-2021-making-friends-with-change/</link>
      <pubDate>Tue, 21 Dec 2021 07:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/kosli-2021-making-friends-with-change/</guid>
      <description>A lot can happen in a year, and 2021 was no different. We want to help everyone make friends with change and in 2021 we made a few changes ourselves. Hit play on Eye of the Tiger 🐅 and roll the montage….
1 name change: Kosli hasn’t always been Kosli. In the beginning we were still called ComplianceDB, the original name chosen by Mike and James when they started the company in 2019.</description>
    </item>
    
    <item>
      <title>8 reasons why we do ensemble programming</title>
      <link>https://www.kosli.com/blog/8-reasons-why-we-do-ensemble-programming/</link>
      <pubDate>Tue, 14 Dec 2021 06:00:09 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/8-reasons-why-we-do-ensemble-programming/</guid>
      <description>At Kosli we do as much of our work as possible in a group setting, especially (but not limited to) programming. In our experience most tech teams don’t do this and we think they’re missing out on all kinds of advantages that come from working as an ensemble. In this post we’ll share why we do ensemble work, what our experience has been, and why we think you should give it a go.</description>
    </item>
    
    <item>
      <title>My first week at Kosli - Meet, mobbing, and more!</title>
      <link>https://www.kosli.com/blog/my-first-week-at-kosli/</link>
      <pubDate>Wed, 08 Dec 2021 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/my-first-week-at-kosli/</guid>
      <description>At the beginning of November I started at Kosli. It’s not my first job - I have plenty of experience when it comes to starting afresh. In my time as a consultant it felt like I was starting a new job every time I had a new customer. So, although change is always a challenge, I thought I knew what was coming my way. However, this time there was something I didn&amp;rsquo;t take into consideration - the experience would be fully remote.</description>
    </item>
    
    <item>
      <title>It’s 2021! Why does Change Management still suck?</title>
      <link>https://www.kosli.com/blog/it-s-2021-why-does-change-management-still-suck/</link>
      <pubDate>Thu, 02 Dec 2021 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/it-s-2021-why-does-change-management-still-suck/</guid>
      <description>There’s an excellent management paper from 2001 called Nobody Ever Gets Credit for Fixing Problems that Never Happened. In it, the researchers looked into how companies create and sustain process improvement. Even though the focus is on Total Quality Management (TQM) and manufacturing processes, the paper contains a ton of useful models for software development organizations. It also helps to explain why the current state of change management still sucks. As the authors pointed out….</description>
    </item>
    
    <item>
      <title>What does it mean to deliver software with Continuous Compliance?</title>
      <link>https://www.kosli.com/blog/what-does-it-mean-to-deliver-software-with-continuous-compliance/</link>
      <pubDate>Wed, 08 Sep 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/what-does-it-mean-to-deliver-software-with-continuous-compliance/</guid>
      <description>In this short video, Mike Long, our Co-founder and CEO, explains how teams delivering software in regulated industries can achieve CI/CD using CC = Continuous Compliance.
If you deliver software in a regulated environment you’ll be familiar with change management processes. And, if you practice DevOps, you&amp;rsquo;ll know that conventional approaches to managing change create a bottleneck at the end of your development cycle.
This is because change management is implemented as a manual gate just before the release process.</description>
    </item>
    
    <item>
      <title>The Jan Bosch Interview: The Future for Technology Companies</title>
      <link>https://www.kosli.com/blog/the-jan-bosch-interview-the-future-for-technology-companies/</link>
      <pubDate>Thu, 15 Jul 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-jan-bosch-interview-the-future-for-technology-companies/</guid>
      <description>A few days ago you posted a video from the Software Center about doing continuous testing in regulated, safety critical environments. And it immediately attracted a bunch of objections from people in the comments. Do you remember?
Yes, I remember. I think I responded by asking something like “do you have any evidence that testing everything infrequently, and manually, and only at the end of a project is any better than doing fast, automatic, continuous testing?</description>
    </item>
    
    <item>
      <title>10 outdated beliefs about software</title>
      <link>https://www.kosli.com/blog/10-outdated-beliefs-about-software/</link>
      <pubDate>Tue, 29 Jun 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/10-outdated-beliefs-about-software/</guid>
      <description>The world of software remains a fascinating place and I keep being amazed at how rapidly it continues to evolve and transform. We certainly have come a long way from the early 1980s when I was a teenager programming BASIC on my ZX81. Especially for those of us who have been in the field for decades, it’s critical to continuously reinvent ourselves and our beliefs about the domain to make sure we don’t get stuck in the old ways.</description>
    </item>
    
    <item>
      <title>The Jan Bosch Interview: Software Innovation in Embedded and Regulated Systems</title>
      <link>https://www.kosli.com/blog/the-jan-bosch-interview-software-innovation-in-embedded-and-regulated-systems/</link>
      <pubDate>Thu, 24 Jun 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/the-jan-bosch-interview-software-innovation-in-embedded-and-regulated-systems/</guid>
      <description>All of the research into DevOps tells us that it is the most efficient way to deliver software. But, what does DevOps look like in places where you have the extra friction that comes with embedded systems and regulation?
Typically, software innovation starts in the cloud, moves to the embedded systems world, and then to the IT world. This may be surprising for some people, but the embedded world is usually ahead of the IT world because, despite the challenges you mention, in the embedded world you’re building products for customers.</description>
    </item>
    
    <item>
      <title>The Jan Bosch Interview: Industry and Academia </title>
      <link>https://www.kosli.com/blog/jan-bosch-interview-industry-and-academia/</link>
      <pubDate>Thu, 17 Jun 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/jan-bosch-interview-industry-and-academia/</guid>
      <description>A few weeks ago Jan Bosch joined Kosli as an investor and advisor. Shortly after his arrival I interviewed him about a range of software related topics. Our conversation will form the basis for a series of features which we will be posting over the coming weeks. Today, in part one, we talk about his work in academia and his unique approach to collaboration with industry through Software Center.
Hi Jan, I&amp;rsquo;d like to start by asking about your roles in academia and industry.</description>
    </item>
    
    <item>
      <title>How to automate a secure chain of custody across your pipelines in 5 steps</title>
      <link>https://www.kosli.com/blog/answering-the-biggest-question-in-regulated-devops-what-s-in-prod/</link>
      <pubDate>Mon, 07 Jun 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/answering-the-biggest-question-in-regulated-devops-what-s-in-prod/</guid>
      <description>Imagine you’re a Fintech CTO 🤓 with several teams and tens of microservices. Do you know what’s currently running in prod? How about yesterday? A week ago? Last month? And if you do know what’s in prod, do you also know how it got there? 🤔
Getting answers to these questions isn’t straightforward, but for teams in regulated industries it’s essential. You have to know what has changed, when it changed, and who changed it.</description>
    </item>
    
    <item>
      <title>DevOps and the future of Change Management</title>
      <link>https://www.kosli.com/blog/devops-and-the-future-of-change-management/</link>
      <pubDate>Wed, 26 May 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/devops-and-the-future-of-change-management/</guid>
      <description>Here&amp;rsquo;s your chance to catch up on the talk @meekrosoft gave at BCS EDN where he discussed the change management challenges associated with practising DevOps in regulated industries. In sectors like fintech, ITIL gets in the way of your DevOps, gumming up the works with ticketing systems and change meetings. But what if you could release compliant software every day without all of that extra lead time?
DevOps has transformed the way you deliver software and deploying multiple times per day, even on a Friday, is now normal practice.</description>
    </item>
    
    <item>
      <title>Is faster actually safer? How software physics beats human psychology</title>
      <link>https://www.kosli.com/blog/is-faster-actually-safer-how-software-physics-beats-human-psychology/</link>
      <pubDate>Wed, 28 Apr 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/is-faster-actually-safer-how-software-physics-beats-human-psychology/</guid>
      <description>Sometimes doom-scrolling through Twitter has its rewards. A few weeks ago, in between the Ever Given🚢 memes (how we miss the big boat!) and the usual screams😱 into the void, I came across this tweet from Charity Majors (@mipsytipsy), CTO at @honeycombio
That’s it. That’s the Tweet. These are such great analogies. Unless we’re running away from imminent danger🦁, humans have a really hard time processing that faster is safer. Usually, when we feel threatened or uncertain, we slow down, take our time and look at our options.</description>
    </item>
    
    <item>
      <title>What the FCA found when analyzing 1 million production changes</title>
      <link>https://www.kosli.com/blog/what-the-fca-found-when-analysing-1-million-production-changes/</link>
      <pubDate>Wed, 24 Mar 2021 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/what-the-fca-found-when-analysing-1-million-production-changes/</guid>
      <description>A recent FCA report shows that the financial services industry needs to reimagine its approach to change management. By analyzing data from over 1 million production changes, they found out what works and what doesn’t work in the land of regulated change. Let’s dig in&amp;hellip;🕵️‍♀️
On the 5th of February the Financial Conduct Authority (FCA) published its Implementing Technology Change report. It focuses on the way financial firms manage technology changes and the impact of failures.</description>
    </item>
    
    <item>
      <title>How To Release Compliant Software on Demand</title>
      <link>https://www.kosli.com/blog/how-to-release-compliant-software-on-demand/</link>
      <pubDate>Tue, 09 Mar 2021 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-release-compliant-software-on-demand/</guid>
      <description>In this blog we’ll explain how to automate the change and release compliance in a Secure Software Development Lifecycle. Kosli is a new technology that enables teams in regulated industries, like fintech, to release compliant software on demand.
Software in regulated industries: The modern world runs on financial transactions, air traffic control, insulin pumps, and car braking systems. When technology becomes critical to our lives and our economies there is increased demand from customers and regulatory bodies to control associated risks.</description>
    </item>
    
    <item>
      <title>How to Ensure Software Provenance. Just like Google.</title>
      <link>https://www.kosli.com/blog/how-to-ensure-software-provenance-just-like-google/</link>
      <pubDate>Tue, 23 Feb 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/how-to-ensure-software-provenance-just-like-google/</guid>
      <description>Google has always been a leader when it comes to security culture and their approach to managing a secure development lifecycle is no exception. This article introduces Google’s Binary Authorization for Borg (BAB), and will show you how you can implement the same binary authorization system to ensure that production software and configuration deployed in your organization is properly reviewed and authorized.
What is Binary Authorization for Borg (BAB)? As with any security-centered culture, Google understands that insider risk represents a significant threat to the security of user data, and that the only way to ensure compliance is by employing a zero-trust model.</description>
    </item>
    
    <item>
      <title>Introducing Continuous Compliance with Kosli</title>
      <link>https://www.kosli.com/blog/continuous-compliance-with-a-devops-compliance-journal/</link>
      <pubDate>Mon, 22 Feb 2021 23:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/continuous-compliance-with-a-devops-compliance-journal/</guid>
      <description>In this article we introduce new technology that allows you to automate the change and release compliance in a Secure Software Development Lifecycle. It’s called Kosli, the DevOps Change Management tool for teams in regulated industries.
Delivering software in regulated industries: First, let’s look at the problem we’re solving. The modern world depends on financial transactions, air traffic control, insulin pumps and car braking systems. When technology becomes critical to our lives and our economies there is increased demand from customers and regulatory bodies to control these risks.</description>
    </item>
    
    <item>
      <title>ZTL Case: Building a Fintech with DevOps DNA</title>
      <link>https://www.kosli.com/blog/building-a-fintech-with-devops-dna/</link>
      <pubDate>Mon, 22 Feb 2021 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/building-a-fintech-with-devops-dna/</guid>
      <description>Moving at DevOps speed isn’t straightforward in regulated industries. Change management processes force your development teams to delay valuable release candidates. But, what if you could automate the change management process to make every release a business decision instead of an administrative one? This is one of the ways ZTL Payment Solution (ZTL) is gaining a competitive advantage over their competitors in the B2B payments sector. And they’re using Kosli to do it.</description>
    </item>
    
    <item>
      <title>Using Git for a compliance audit trail </title>
      <link>https://www.kosli.com/blog/using-git-for-a-compliance-audit-trail/</link>
      <pubDate>Fri, 06 Nov 2020 00:00:00 +0000</pubDate>
      
      <guid>https://www.kosli.com/blog/using-git-for-a-compliance-audit-trail/</guid>
      <description>Kosli is a DevOps change management platform for storing a record of compliance controls. It helps financial institutions, medical device manufacturers, automotive and other mission-critical development teams to prove conformance to their software process.
A key concept in Kosli is the immutable, append-only journal which provides a tamper-proof audit trail. This blog explains how we came to design the durable storage technology in Kosli.
Persisting Compliance Data: As a tool for recording software process data automatically, Kosli works by providing a REST API to DevOps pipelines.</description>
    </item>
    
  </channel>
</rss>
