null
February 6, 2019

Version Control and Audits: What You Need To Know

Security & Compliance
Version Control

In the software development world, the largest companies have well-established frameworks for governance. Their security policies are designed to steer an organization to success. Focus on priorities and policies helps organizations meet business and IT needs, and mitigate risk.

Audits examine how an organization meets pre-defined requirements. These requirements can vary greatly from one company or institution to the next. As a result, governance and compliance depend on an organization’s risk management needs.

In public companies, and those working in regulated industries, compliance standards for audits are often determined by laws and regulations. Well-known examples include:

  • Sarbanes-Oxley (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • General Data Protection Regulation (GDPR)
  • ISO 26262

Each of these has requirements that are designed to ensure you are protecting your company’s data and customer information.

In this blog, we are going to focus on how to meet compliance and prepare for audits. We will review some auditor questions and discuss how to answer them using server logs. These logs can highlight how developers’ use your version control systems (VCS). We aren’t going to do a deep dive into compliance with any of the specific laws and regulations mentioned above.

Your VCS security policy should contain clear, comprehensive, and well-defined plans, rules, and practices that regulate access to your systems and the data in them. It may also incorporate rules required by the aforementioned laws, depending on which of them apply to you.

Not sure where to start in your VCS? Learn more about how to set up your version control system for IT governance. 

Preparing Your VCS for an Audit

Depending on the needs of your organization, an audit can be extensive and involve combing through detailed development records. That’s where your version control system comes in. There are six basic questions you should be ready to address:

  • What is your documented security policy?
  • Do your employees actually know your security policy?
  • How do you protect your data?
  • How are access permissions granted throughout your organization?
  • What is your HA/DR plan?
  • What is your plan in the case of a VCS breach?

What Is Your Documented Security Policy?

Most larger companies have documented security policies. These policies exist to prevent disasters that could impact your bottom line. But it's not surprising for development teams to not be exposed to such policies. And this puts your valuable IP at risk.  

Your version control policy should be a subset of your overarching security policy. It should rope in developers and their use of the VCS and other systems. To evaluate the reliability of your policy, auditors will want to compare your documentation with established internal processes. Ideally, these would match. If not, auditors will raise concerns. Depending on your business, and the cost to implement, your policies may need to change to ensure compliance.

Do Your Employees Actually Know Your Security Policy?

Auditing is about more than the technical aspects of security (as discussed in the previous blog) and documentation. Auditors will also be interested in how employees are actually following your policies. Look at the training you are providing and how updates to your security policy are communicated across your development organization.

It’s also important to look at how serious your company is about security policies. For example, many companies conduct regular trainings to explain personally identifiable information (PII) and how to protect it.

Often, training isn’t specific to a developer’s role and doesn't include actionable insights. It’s important to provide specific, relevant training to developers to raise their security consciousness and help them care about security.

How Do You Protect Your Data?

Many information security policies focus on protecting sensitive data, such as PII. Although PII isn’t usually not stored in a VCS, it’s common to have configuration data stored in the VCS, especially in the age of Infrastructure as Code (IaC). This makes it critically important to control and monitor access. Developing a layered security model helps secure information from multiple angles.

How are Access Permissions Granted Throughout Your Organization?

Auditors are going to look at who has access, to what, and why. Not controlling access permissions appropriately is a common, and potentially a devastating, security risk in development organizations. The goal is to prove that permissions are assigned in accordance with your security policy, and that they are effective.

A critical part of securing your VCS is controlling access to code that, for example, could provide access to customer databases. That’s why it is important to granularly permission systems and implement layered security. Following this policy should help you detect when there is an intruder, or when an internal employee is abusing their power (e.g., admins accessing user data).

What Is Your HA/DR Plan?

Depending on your business and the type of audit, you may need to evaluate your high availability/data recovery (HA/DR) plan as it affects business continuity. There is a reason we do fire drills. It ensures that in an emergency, people know what to do and where to go. In a company where revenue (and the company’s success) depends on the source code or hardware designs for your products, the VCS must be included.

This is why auditors are likely to examine compliance with a business continuity plan by evaluating your HA/DR plan. Questions may include:

  • If a server fails, do you have a failover readily available?
  • What systems are in place to restore from a backup?
  • When was the last time your backups were tested?

What Is Your Plan in Case of a VCS Breach?

If there is a security incidentlike a developer’s laptop or credentials are stolen you want to make sure that you can minimize the damage and potential negative consequences. To prepare for this plan, start by asking yourself:

  • Which employees/roles are responsible for security in the case of emergency?
  • If there is a breach, how should they react?
  • Who should they contact?
  • What code and/or data is on their laptop?
  • What systems and data should we start securing first?

If you are using Git, it’s common for an entire project’s code base to be stored locally on a developer’s laptop. In our previous blogwe talked about ways to mitigate this.

Configuring Server Logs to Address Audit Requirements

Once everything is as secure as possible, the best way to proactively monitor on a day-to-day basis is to leverage VCS server logs. This also helps address auditors’ questions.

In many VCS systems, the logs don’t have all the information you need, and some make it complicated to retrieve the data in usable form. If you can get the data, the key is to retain data for long enough to satisfy compliance needs. This can be difficult for a variety of reasons, not the least of which is the amount of data generated when there is a high volume of VCS transactions.

Server Log Rotation

In Helix Core, it is relatively easy to set up logs to capture information you need to satisfy audits. It’s also easy to establish regular rotation of logs to make it easier to organize and retain the data, even when there is a high volume of transactions due to automation. Best practice for rotating your logs varies depending on the size and needs of your organization, but it is often done daily.

Rehearsing for an Audit

Preparing for an audit is like having a backup. If it is not tested, it does not exist. Helix Core allows you to reduce your complexity, streamline processes for users, and relieves your admins. It offers a better way to meet governance and compliance to satisfy audits across your product development organization. It preserves the change and access histories, with audit trails for files, users, and releases across your organization.

In Helix Core, there are several ways to go about producing the information needed to help satisfy an audit. Here are some basic steps:

  1. Set group membership and p4 protects to make it simpler for admins to manage access controls.
  2. Use Helix Core to record all commands executed by users and their access to all file contents. This is important for both IP protection as well as potential audit requirements.
  3. Review structured or unstructured server logs.

Many Helix Core admins also use tools like Splunk, or the open source ELK stack, to more easily analyze Helix Core server logs, including real-time dashboards.

Perforce Helps You Prepare

Look at an audit as a chance to improve your compliance and strengthen your security. Audits should be done on a regular basis to check in on your data and policies. And when it comes to version control, Helix Core has your back. It allows you to better understand your development environment, and be able to communicate it to an auditor.

If you are interested in ways to streamline compliance and reporting across your development lifecycle, investigate Helix ALM. Perforce also helps you ensure safe, secure, and reliable code by enforcing coding standards with Helix QAC.