Today, it’s widely accepted that every business is a software business, which means that every large enterprise that builds, buys, or runs software, from leading retailers to financial service providers to insurance companies, must be concerned with the integrity of its software assets. Software asset integrity is everyone’s responsibility: from C-level executives to product owners, release managers, auditors, and DevOps team members. All stakeholders need visibility into planning, design, build, test, release, and monitoring processes, so they can prove that the software running in their environments is truly what it claims to be: it’s the right version, it contains the code it should, it uses secure and approved libraries, and it hasn’t been compromised by a virus or malware.
Software asset integrity is heavily influenced by aspects of software quality such as:
- Traceability—Is every software artifact stamped with a unique identifier that can be verified as the artifact moves through environments?
- Performance—Does the software perform as it should? Can you detect whether performance is degrading over time?
- Horizontal scalability—Can you increase capacity on the fly by adding physical servers, virtual machines, container instances, or pods?
- Security—Is the software protected from data breaches and other security violations? Can you detect if and when security is compromised?
Software asset integrity is inextricably linked to the credibility of your corporate brand because the consequences of operating low-integrity software are severe. Compromised applications can lead to lost business income, operational shutdown, and breach of contract. Data storage that is not properly secured is vulnerable to breaches that expose sensitive information. Some government regulations, such as the United States’ Sarbanes-Oxley Act, can even carry the penalty of prison time for organizational leaders.
Not Securing Your Software Can Be Expensive
Consumers worldwide share a growing concern about how their personal data is secured. Organizations must prioritize compliance with government regulations designed to protect individuals and prevent fraud. Recent high-profile fines for compliance violations include:
- $575 million for exposing 147 million people’s personal information
- $230 million for exposing 500,000 customers’ credit card data
- $148 million for failing to disclose a breach of 57 million user accounts
Organizational leaders and DevOps teams struggle to identify and mitigate risks that endanger the integrity of their software assets, because the work required to do so is time-consuming, largely manual, and prone to errors. Executives, VPs, and directors don’t have the visibility to be sure that security and compliance needs are being met. Product owners and DevOps team leads must figure out how to satisfy audit and compliance requirements that threaten to slow down their teams. Software engineers spend time collecting raw data from technical tools and delivering it for audit reports instead of building value-adding features. And security, audit, and compliance groups are stuck going back and forth between teams, trying to get the information they need.
Enterprises Need a Software Chain of Custody
The concept of a chain of custody originated in the legal world, where it describes the way a piece of evidence for a legal case is handled, transferred, stored, and analyzed. Today, many industries have adopted the concept to describe the way that processes, and the people who are involved in them, should be tracked and documented. For example, in logistics, the chain of custody represents the path that a product takes from the start of the supply chain to the point where the consumer can buy it. In food production, the chain of custody represents the path that a food product takes from raw ingredients to the final package on the grocery store shelf.
The chain of custody concept can also be applied to software assets in your organization. Just as a chain of custody ensures the integrity of a product or a piece of evidence, the Software Chain of Custody proves what happened, when it happened, where it happened, and who made it happen during the software delivery process, from the time you set business goals and plan features, all the way through development, testing, deployment, and monitoring of live software in production.
A Software Chain of Custody that tracks and documents every step of the software delivery process proves the integrity of your software assets.
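As an added illustration of the traceability and chain-of-custody ideas above (example code written for this edit, not code from the original article or any product), here is a minimal hash-linked custody log in Python: each record names the artifact's digest, the stage, the actor, the environment and the time, and commits to the previous record, so an edited record or a substituted artifact fails verification. All class names, stage names and sample values are constructed assumptions.

```python
import hashlib
import json
GENESIS = "0" * 64  # "previous record" hash used by the first record

def artifact_id(content: bytes) -> str:
    """Unique, verifiable identifier for an artifact: its SHA-256 digest."""
    return hashlib.sha256(content).hexdigest()

def _record_hash(body: dict) -> str:
    # Canonical JSON so an identical record always hashes identically
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyChain:
    """Append-only log: every record commits to the one before it, so editing
    or dropping any record breaks every later hash link (constructed format)."""
    def __init__(self):
        self.records = []

    def record(self, artifact: str, stage: str, actor: str, where: str, ts: str) -> str:
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        body = {"artifact": artifact, "stage": stage, "actor": actor,
                "where": where, "ts": ts, "prev": prev}
        body["record_hash"] = _record_hash(body)
        self.records.append(body)
        return body["record_hash"]

    def verify(self, expected_artifact: str) -> tuple[bool, str]:
        """Check the hash links and that every step handled the same artifact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if body["prev"] != prev:
                return False, f"record {i}: broken link to previous record"
            if _record_hash(body) != rec["record_hash"]:
                return False, f"record {i}: contents were modified"
            if body["artifact"] != expected_artifact:
                return False, f"record {i}: artifact substituted at stage {body['stage']}"
            prev = rec["record_hash"]
        return True, f"{len(self.records)} records verified"

def demo() -> tuple[bool, bool]:
    """Constructed sample: one artifact moving build -> test -> prod, then tampering."""
    art = artifact_id(b"example-service-1.4.2.tar.gz contents (constructed sample)")
    chain = CustodyChain()
    chain.record(art, "build", "ci-runner-7", "build-cluster", "2024-03-01T10:00:00Z")
    chain.record(art, "test", "qa-pipeline", "staging", "2024-03-01T11:30:00Z")
    chain.record(art, "deploy", "release-mgr", "prod-us-east", "2024-03-02T09:15:00Z")
    intact, _ = chain.verify(art)
    chain.records[1]["actor"] = "unknown"  # history rewritten after the fact
    tampered_ok, _ = chain.verify(art)
    return intact, tampered_ok  # (True, False)
```

In practice the log would live in an append-only store outside the pipeline's own write access, and each record would also carry the deploy tool's signature; the hash links only make tampering detectable, not impossible.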
Tune in next week where you’ll learn how to build your Software Chain of Custody.