Three Essential Steps for Building the Bridge Between Software Development and IT Compliance

Meeting IT compliance mandates is an immediate goal for most organizations. Using Application Lifecycle Management (ALM) tools, IT organizations can manage software requirements, track source code changes and monitor software deployment.

Even with these tools, the process is incomplete, because it is missing a critical component of the software development lifecycle: the application build.

The application build process is the final piece of the IT compliance puzzle, and it is complicated by ad hoc build scripts written in Make or Ant/XML. Ad hoc scripts are the most common way to manage application builds, yet they do not meet the four essential requirements of IT governance standards:

traceability

auditability

validation

separation of workflow duties

How can your organization meet these four requirements in the application build process? With three essential steps:

1) Implement a Build Configuration Management System
Just as source code configuration management tracks every change to the code, build configuration management tracks, traces and manages the details of how each build was produced. Reusable build workflows, rather than one-off scripts, are what make those details manageable.

Configuration details include:
What compile and link flags were used to build the deployable object
Whether debug flags were excluded from production builds
The location and version of the compiler and linker used in the build

Subtle changes in any of these details can cause drastic differences in build results, so they must be tracked, managed and controlled.

2) Enforce the Use of SCM-Managed Source Code
Once your source code is secured in an SCM tool, it is critical to ensure that the build, when it runs, actually consumes the source code that tool manages.

With manually-scripted build solutions:

References to the source code may not point to the SCM repository, or even to the local build directory where the SCM source code was checked out
It can be extremely difficult to determine where the source code actually came from when the compile executed

Solve these problems with a Build Management Solution that enforces the use of the approved versions of SCM-managed source code.

You can go further with a Build Management tool that centralizes the use of shared SOA and J2EE objects, so that every developer builds against the standard versions of these critical, reusable components.

3) Manage Dependency Mining and Orchestration
Managing dependencies is the most critical capability a Build Management Solution can provide. Dependency orchestration yields a complete audit trail showing exactly which source files, at which versions, were used to create the final deployable objects.

Dependencies can be difficult to trace and often impossible to understand from manual scripts. Choose a Build Management Solution that, when the build executes, has a dependency scanning tool watch exactly what the compilers and linkers call and read.

You will gain accurate incremental builds, Dependency Impact Analyses, and Footprints and Build Audit Reports that confirm, based on the actual compile, that the executables match the source every time.
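To make the three steps concrete, here is an added example of the kind of build audit record they call for. It is not code from the original article or from any product it describes; it is a small Python sketch written for this page. For one build it records the compiler identity, the flags (step 1), labels every input the compiler actually read as SCM-managed, toolchain-provided or untracked (step 2), and takes that input list from GCC/Clang-style "-MD -MF" dependency output rather than from the command line (step 3), then reports two policy failures: debug-type flags in a production build and inputs that did not come from SCM. The forbidden-flag list, the toolchain path roots, the compile commands, the dependency file, the tracked-file set (what "git ls-files" would print) and the file contents are all constructed for the example, and the compiler id and revision strings are placeholders.

```python
import hashlib
import shlex

# Policy (assumed for this example): flags that must never reach a production build.
FORBIDDEN_PRODUCTION_FLAGS = {"-g", "-O0", "-DDEBUG", "-fsanitize=address"}
# Paths under these roots are toolchain-provided, not SCM-managed (assumed).
TOOLCHAIN_ROOTS = ("/usr/include/", "/usr/lib/")


def parse_compile_command(cmd):
    """Split a compiler invocation into compiler, flags, sources and output.
    Simplification: only '-o' is treated as an option with a separate argument."""
    argv = shlex.split(cmd)
    compiler, args = argv[0], argv[1:]
    flags, sources, output = [], [], None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-o":            # the output object follows
            output = args[i + 1]
            i += 2
            continue
        if arg.startswith("-"):
            flags.append(arg)
        elif arg.endswith((".c", ".cc", ".cpp")):
            sources.append(arg)
        i += 1
    return {"compiler": compiler, "flags": flags, "sources": sources, "output": output}


def check_production_flags(flags):
    """Return the flags that violate the production policy (any -g* counts)."""
    return sorted(f for f in flags if f in FORBIDDEN_PRODUCTION_FLAGS or f.startswith("-g"))


def parse_depfile(text):
    """Parse Make-style dependency output, as written by 'cc -MD -MF x.d':
    each object maps to every file the compiler actually opened for it."""
    deps = {}
    for line in text.replace("\\\n", " ").splitlines():   # join backslash continuations
        if ":" not in line:
            continue
        target, rest = line.split(":", 1)
        if rest.split():                                    # skip phony 'hdr.h:' lines
            deps[target.strip()] = rest.split()
    return deps


def classify_input(path, tracked_files, contents):
    """Label an input scm / toolchain / untracked and hash it when its bytes are known."""
    if path in tracked_files:
        origin = "scm"
    elif path.startswith(TOOLCHAIN_ROOTS):
        origin = "toolchain"
    else:
        origin = "untracked"
    digest = hashlib.sha256(contents[path]).hexdigest() if path in contents else None
    return {"origin": origin, "sha256": digest}


def build_audit_record(commands, depfile_text, tracked_files, contents,
                       compiler_id, scm_revision, production=True):
    """Per-object footprint (compiler, flags, hashed inputs) plus policy violations."""
    deps = parse_depfile(depfile_text)
    record = {"scm_revision": scm_revision, "compiler": compiler_id,
              "objects": {}, "violations": []}
    for cmd in commands:
        step = parse_compile_command(cmd)
        obj = step["output"]
        # The compiler's own dependency list beats the command line: it names every
        # header that was read, not just the .c file that was passed in.
        inputs = deps.get(obj, step["sources"])
        footprint = {p: classify_input(p, tracked_files, contents) for p in inputs}
        record["objects"][obj] = {"compiler": step["compiler"],
                                  "flags": step["flags"], "inputs": footprint}
        if production:
            for f in check_production_flags(step["flags"]):
                record["violations"].append(f"{obj}: forbidden production flag {f}")
        for p, info in footprint.items():
            if info["origin"] == "untracked":
                record["violations"].append(f"{obj}: input {p} is not under SCM control")
    return record


# Constructed sample build: two compile steps, their -MD output, and the SCM file list.
COMMANDS = [
    "cc -O2 -Wall -Isrc -MD -MF build/main.d -c src/main.c -o build/main.o",
    "cc -O0 -g -DDEBUG -Isrc -MD -MF build/net.d -c src/net.c -o build/net.o",
]
DEPFILE = ("build/main.o: src/main.c src/config.h \\\n /usr/include/stdio.h\n"
           "build/net.o: src/net.c src/net.h /tmp/scratch/debug_hooks.h \\\n"
           " /usr/include/string.h\n")
TRACKED = {"src/main.c", "src/config.h", "src/net.c", "src/net.h", "Makefile"}
CONTENTS = {  # bytes as compiled; a real run would read the checked-out files
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/config.h": b"#define PORT 8080\n",
    "src/net.c": b'#include "net.h"\nint connect_to(int p) { return p; }\n',
    "src/net.h": b"int connect_to(int p);\n",
}


def sample_record():
    """Audit the constructed build above (compiler id and revision are placeholders)."""
    return build_audit_record(COMMANDS, DEPFILE, TRACKED, CONTENTS,
                              compiler_id="/usr/bin/cc (constructed version string)",
                              scm_revision="rev-0001 (constructed)")
```

Run against the constructed data, the record for build/main.o is clean, while build/net.o is reported four times: three forbidden flags (-DDEBUG, -O0, -g) and one header pulled in from /tmp that no SCM tool ever saw. That last finding is the point of taking the input list from the compiler's dependency output instead of the script: the script only names src/net.c, so a build audit based on the script alone would have missed the stray header.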

There is no higher level of IT compliance that can be met.

Without these three basic steps you cannot manage builds to the standard audits require today. Scripting languages attempt to address these three pillars, but struggle because they rely on hard-coded values rather than managed configuration.


Author: Tracy Ragan