Preparing for a software audit can be a time-consuming and painful process where a lot of information needs to be gathered and verified in a provable audit trail.
It means tracking down and piecing together evidence for pull requests, test reports, security scans, deployment logs, and more.
This information is usually scattered across tools which are typically unsecured and unmanaged, so it can be easily deleted and/or modified. It’s hard to know if all the data has been retained, or if you can really trust it.
It’s also impossible to second guess what the auditor will ask for. Even if you’ve done everything according to your process, actually proving it can involve days or weeks of painful digging in your tools and logs.
Software audits are still a frustrating and manual process in a world where nearly everything else is automated. We’ve decided to change that with Evidence Vault.
Introducing Evidence Vault
With Kosli, it has always been possible to record attestations in your pipelines about all the processes and controls across all your tools and environments.
With Evidence Vault we are extending our attestation engine to enable you to upload corroborating evidence as files and store them in our immutable and tamper-evident store.
This means that all of the proof you will ever need for an audit is stored safely, securely, cannot be tampered with without you knowing, and is never more than a couple of clicks away.
So, to recap, before you were able to attest in your pipeline that e.g. a unit test had been performed. Now, you will be able to upload and add a link to the actual unit test result files.
This frees you from having to find a secure place to store these files, and it makes it super easy to find them later.
Any evidence that is supplied against your artifact (or even against the commit that produced your artifact) will be connected as attachments to the attestations.
You can still provide external links to canonical sources, but now you always know you have the full proof you need when it comes to audit time.
Even better, we record the cryptographic fingerprint of the evidence into our ledger, so your audit, security and compliance stakeholders can be sure that any evidence you provide has not been tampered with.
Give Great Answers to Audit Questions
With Evidence Vault you have the receipts, together with the corroborating evidence and a manifest of SHAs, proving all flow attestations and evidence.
This means you’re ready to give a Great Answer to any question an auditor might have when they dig into your changes.