October 11, 2012

5 Key Questions for Auditing and Compliance - Why was a Change Made?

Git at Scale

(Fourth post in a five-part series on auditing and compliance)

Now that we've covered the what, who, and when, it's time to focus on a more interesting question: why was a change made?

This question is vital for auditing, compliance, and full ALM traceability. It's also a key component of a release engineer's sanity. Let's look at these areas quickly, then drill down and see how Perforce and Git Fusion can help you effectively answer this question.

Anyone who works in an industry subject to ISO regulations, government or defense regulation, HIPAA, or Sarbanes-Oxley is already intimately familiar with having to justify any change to important code or data. When I was programming in the defense industry, every commit had to reference a defect number, upon pain of a long conversation with the Change Control Board. The process of linking changes to causes may be more or less manual, but it has to be well understood and documented.

On the ALM front, being able to see the cause of a change is vital for rapid QA and deployment procedures. Seeing a list of changes, described at a higher level than commit comments, will help the DevOps team understand what's happening on the production systems as well.

Perforce has a simple but powerful way to show the relationship between a commit and a bug, defect, or requirement. Perforce jobs are often used as a link to an external system like HP ALM, Jira, or Bugzilla. By using jobs you get three key advantages:

Simple and Reliable Link Between Commits and Tasks

Jobs make it easy for a developer to link a commit to one or more tasks. Working directly in Perforce, a developer can pick from a list of available tasks when committing changes. From the Git Fusion side, developers will soon be able to reference a job in a commit comment without any extra tools or scripts.

[Image: git fusion jobfix]

Quickly See How a Task Was Addressed

You can quickly ask Perforce how a particular bug was fixed.

[Image: git fusion changes]

If you're using a supported defect tracking integration, you can also see this information from the external system.

[Image: git fusion jira fix]

See What Tasks Are Driving Changes in Code

You can also ask Perforce what tasks are driving changes in a particular file or codeline.

[Image: git fusion jobs code]

Putting It All Together

Perforce's job system, soon exposed through Git Fusion, makes it easy to provide full transparency about how your code relates to bugs, tasks, and requirements, and vice-versa. And since Perforce is a good home for supporting material like requirements documents, you can track everything that was changed to address a task, not just source code.

A simple and reliable answer to the question "Why is my code changing?" is part of a solid framework for auditing and compliance. When distributed Git repositories are part of your environment, it's even more important to make sure that you can track and enforce the existence of commit-task links. Since Perforce can easily enforce the existence of a job link when a commit is made, Git Fusion serves as a fail-safe valve to make sure that each commit is always linked to a task record.
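As an added example (not Perforce or Git Fusion code), this is the kind of server-side check that the enforcement described above, and the commit-to-task link described under "Simple and Reliable Link Between Commits and Tasks", implies: a commit message is accepted only if it names at least one well-formed, open job. The `Jobs:` trailer, the six-digit job-id format and the job table are assumptions made for the illustration.

```python
"""Commit-message check that enforces a commit-to-job link.

Added illustration, not Perforce or Git Fusion code. Job references are assumed
to appear in a 'Jobs:' trailer ('Jobs: job000123 job000124'); the trailer name,
the job-id format and the job table below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of the job records a server-side check would consult.
OPEN_JOBS = {"job000123": "open", "job000124": "open", "job000099": "closed"}

JOB_TRAILER = re.compile(r"^Jobs:\s*(.+)$", re.MULTILINE | re.IGNORECASE)
JOB_ID = re.compile(r"^job\d{6}$")

@dataclass
class CheckResult:
    ok: bool
    jobs: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

def extract_jobs(message: str) -> list:
    """Job ids named in 'Jobs:' trailer lines, in order, without duplicates."""
    seen = []
    for m in JOB_TRAILER.finditer(message):
        for token in m.group(1).split():
            token = token.rstrip(",")
            if token and token not in seen:
                seen.append(token)
    return seen

def check_commit_message(message: str, jobs_db=OPEN_JOBS) -> CheckResult:
    """Accept only a commit that names at least one well-formed, open job."""
    result = CheckResult(ok=True, jobs=extract_jobs(message))
    if not result.jobs:
        result.ok = False
        result.reasons.append("no 'Jobs:' trailer: every commit must reference a task")
        return result
    for job in result.jobs:
        if not JOB_ID.match(job):
            result.ok = False
            result.reasons.append(f"{job}: malformed job id")
        elif job not in jobs_db:
            result.ok = False
            result.reasons.append(f"{job}: unknown job")
        elif jobs_db[job] != "open":
            result.ok = False
            result.reasons.append(f"{job}: job is {jobs_db[job]}, not open")
    return result
```

Wired into a commit-message hook or a change-submit trigger, a non-`ok` result becomes the rejection message the developer sees, so every change that lands carries an answer to "why".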

Read Part 3 of the series: What Changes Were Made to Your IP?

To learn more about IP security and the America Invents Act, read IP Security: Covering Your Bases in a Global Development Environment.