Bringing auditors to a DevOps World

Key requirements for effectively implementing Automated Governance

The paradigm shift towards Secure DevOps is beginning to help many IT organizations optimize for both speed of delivery and security of their products. With this newfound agility, teams can provide value to the business as well as to the consumer with less risk. However, as we discussed in our last blog detailing the potential benefits of DevOps Automated Governance, Security and Engineering teams continue to enhance CI/CD pipelines with new security tooling, while Technology Risk and Internal Audit teams sometimes struggle to keep pace and to ensure compliance with controls that are incompatible with this way of working.

The compliance processes developers are typically asked to adhere to may be perceived as unnecessary hurdles that add complexity to already time-sensitive assignments. When security requirements end up being dictated by Compliance teams and are dissociated from good security posture, development practices shift away from the goal of reducing risk towards passing the next audit, a form of “security theater”.

If we are able to connect the mindset of Secure DevOps and “shift-left” with the application of Automated Governance practices, we can streamline compliance processes within organizations without compromising on the protection of software from external threats. This is one of the first opportunities that allows teams from the often siloed CISO (Chief Information Security Officer), CIO (Chief Information Officer), and IA (Internal Audit) organizations to work together towards a unified vision of continuous security by design.

1. Requirement: Telemetry from the various sources of security information across the software development lifecycle (SDLC) is collected into a single data repository. One of the most natural places to start is the CI/CD pipeline, including but not limited to static code scans (SAST), secrets scanning, software composition analysis and SBOM generation. Later, other data can be captured from external origins such as source code management platforms like GitHub.
   Why? Parties from the CIO, CISO, and Internal Audit teams can see the same “sheet of music” of which controls are exercised and how well application teams are performing, in near real time.

2. Requirement: The data repository where the telemetry is captured is tamper-evident because hashes are computed and stored for telemetry events; any change to the data would produce a new hash value that doesn’t match the original.
   Why? Leaders can have a trustworthy record of the security events that took place.

3. Requirement: The software build process is halted (“breaking the build”) in real time when our agreed-upon security requirements are not met.
   Why? We prevent software that doesn’t meet our standards for quality from making it to production.
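As an added example (not part of this post and not KPMG tooling), here is a Python sketch of requirements 2 and 3: each telemetry event is stored with a SHA-256 hash chained to the previous entry, so any later edit or reordering is detected, and a pipeline gate refuses to pass an artifact whose ledger is broken or whose required controls have not passed. It goes slightly beyond the text by chaining hashes rather than storing them independently; the artifact name, control names and results are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys) so identical events always hash identically
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def append_event(ledger: list, event: dict) -> dict:
    """Store a telemetry event with its hash, chained to the previous entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"event": event, "prev_hash": prev}
    entry["hash"] = _digest(entry)
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list) -> bool:
    """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
    prev = GENESIS
    for entry in ledger:
        expected = _digest({"event": entry["event"], "prev_hash": entry["prev_hash"]})
        if entry["prev_hash"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


def gate(ledger: list, artifact: str, required: set) -> tuple:
    """Break the build unless the ledger is intact and every required control passed."""
    if not verify_ledger(ledger):
        return False, ["ledger integrity check failed"]
    passed = {e["event"]["control"] for e in ledger
              if e["event"]["artifact"] == artifact and e["event"]["result"] == "pass"}
    missing = sorted(required - passed)
    return not missing, missing


def build_sample_ledger() -> list:
    """Constructed sample telemetry for one artifact (not real scanner output)."""
    ledger = []
    for control, result in [("sast", "pass"), ("secrets-scan", "pass"), ("sbom", "fail")]:
        append_event(ledger, {"artifact": "app:1.0", "control": control, "result": result})
    return ledger


if __name__ == "__main__":
    sample = build_sample_ledger()
    print("gate:", gate(sample, "app:1.0", {"sast", "secrets-scan", "sbom"}))
    sample[2]["event"]["result"] = "pass"  # tamper with the stored SBOM result
    print("after tampering:", gate(sample, "app:1.0", {"sast", "secrets-scan", "sbom"}))
```

A signed attestation would replace the bare hash in production; the chain check is what lets auditors trust the stored sequence rather than the person who stored it.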

The key to achieving this confluence of ideas begins with automating attestation, the evidence that a software artifact has passed a defined control. While some organizations have traditionally felt comfortable with the reliability of manually performing and reviewing attestation, this often unreliable and generally painstaking task is no longer sufficient to mitigate the risk of a security breach, and it does not scale. Our primary stakeholder teams must begin adopting automation in this process to help ensure that compliance and security requirements are consistently implemented throughout the CI/CD pipeline. If these controls can be built into the development environment by leveraging existing application security tooling, compliance can be achieved with minimal friction for Engineering teams.

To begin the journey towards Automated Governance, teams should consider the following short-term and long-term activities:

Short-term:
  •  Identify the risks in the current development process that you would like to mitigate
  •  Review your existing CI/CD pipeline for opportunities to introduce automated control testing and attestation
  •  Collaborate with Technology Risk and Internal Audit teams to align on expectations

Long-term:
  •  Build or leverage an existing approach for capturing machine-generated and digitally signed attestations in an immutable repository
  •  Evaluate your inventory of controls and prioritize them for implementation
  •  Include the controls leveraged inside your pipeline and the automatically generated attestations in the SBOMs (Software Bill of Materials) of your applications
  •  Implement gates at all points of the CI/CD pipeline that can break the delivery process if an exception to the associated control is identified

Contact us

Charles A. Jacco
Principal, Cyber Security, KPMG US
+1 212-954-1949

Jackie Mak
Sr Associate Advisory, Cyber Security Services, KPMG US
+1 832-931-8642

Caleb Queern
Director, Cyber Security, KPMG US
+1 571-228-8011