Features
Binary Provenance, SBOMs and the Software Supply Chain for Humans
“What’s really running in prod?” Every engineer will hear these immortal words on a long enough timeline (or career). It might be because a new security zero day was dropped, alerts fired from the depths of a vast microservice architecture, or you might just be looking to know what commit was actually tested. Either way, it often comes with the promise of a stressful day. Let’s demystify three critical concepts for delivering secure, reliable software: binary provenance, software bills of materials (SBOMs) and the software supply chain.
SDEM: Your fastpass to the production superhighway
With software delivery, speed is everything. But how do you balance rapid delivery with quality, security, and compliance? To answer this question, let’s embark on a journey - one that starts in …
Just the facts" 🔏 🗒️ Introducing Software Delivery Evidence Management (SDEM)
The DevOps Detective: “Just the facts” Picture a gruff-voiced sergeant from the classic TV series “Dragnet,” but instead of solving crimes, they are navigating the complex …
From lean manufacturing to DevOps: The software factory revolution
In our journey through the evolution of compliance in the DevOps era, we’ve seen the limitations of traditional compliance methods and the high stakes of compliance failures. Manual processes, …
The high stakes of SDLC compliance: Lessons from EVE Online's battle of B-R5RB and Equifax
n our previous exploration of The Punchcard Paradigm, we traced the roots of modern compliance practices back to the early days of computing. We saw how the physical constraints of punchcards shaped …
The punchcard paradigm: Tracing the roots of modern compliance
In the early days of computing, creating software was a physical act, more akin to factory work than the streamlined digital process we know today. Programmers meticulously transcribed logic onto …
Why we’ve open sourced our secure SDLC process template
One of the big things we’ve learned since starting Kosli is that engineers often struggle to define an SDLC for compliance purposes. That doesn’t mean they don’t know how to deliver secure, …
How to achieve SOC 2 Type 2 in 90 days with Drata and Kosli
Every software purchasing decision has a security impact, and with information security threats on the rise, companies are increasingly concerned about third party vendor risks. That’s why for …
Maintaining Security with DevOps Compliance
DevOps teams play an increasingly important role in all types of software companies. From legacy organizations to cloud-native startups, the DORA metrics tell us that the performance of the DevOps …
How to build DevOps automations with Kosli Actions
Kosli allows regulated organizations to scale their continuous delivery so that they can deploy changes to production at maximum speed without the risk of non-compliance. It does this by recording all …
DevOps Change Management Resources
The DevOps Change Management Content Hub is a set of resources for modern software teams who struggle to align their DevOps automation with their change management requirements. In our experience, …
Continuous Compliance Content Hub
The Continuous Compliance content hub is a set of guides for DevOps teams who need to move fast while remaining in compliance for audit and security purposes. We know that the old change management …
The Three Ways of DevOps Governance
In this blog post, I take a look at modern IT governance by applying the classic “Three Ways” of DevOps principles originally introduced by Gene Kim in his seminal 2012 article. “We assert that the …
How to Detect Unauthorized Changes in Production with Kosli
Let’s not beat around the bush: change management is a prehistoric discipline desperately in need of fresh thinking. Its “best practices” are frankly terrible. Nobody honestly thinks manually filling …
The DevOps Security and Compliance Guide
The fast-paced nature of modern software development means developers are capable of deploying changes to production multiple times a day. But, while DevOps allows development teams to deliver new …
What Is Continuous Security Monitoring Software?
Many DevOps teams work proactively to meet security and compliance standards. They consider security best practices when developing software with open source components, scanning code for …
The Code Story podcast - how to deliver software with Continuous Compliance and Kosli
How do you “keep the receipts” for your software process? Is it possible to automate change controls and deploy software with Continuous Compliance? Earlier this year, Mike appeared on the CodeStory …
How to Track and Enforce Snyk Scans Across Your Production Environments
If you’re delivering software in a regulated environment, or deploying to a critical application or device, ensuring the security of your software code and dependencies is essential. One of the most …
Stay on top of every change with Kosli Notifications
In this short blog, you will learn how to set up Kosli Notifications so your whole team can stay on top of environment changes and compliance events in real time. 🚀 In fast-paced technology …
How to record a business process with Kosli’s Audit Trail
Have you ever needed to provide proof that a critical business process actually took place? It’s a painful process involving all kinds of paperwork, but it’s the reality for many organizations working …
From Monitoring to Action - Get Faster Incident Response with Change Forensics 🕵️♀️
In this post you’ll learn how Kosli’s Change Forensics gives DevOps, Platform, and Site Reliability Engineers the ability to rapidly pinpoint and understand changes and events in their infrastructure …
How to record events in your CI pipelines with Kosli Flows
In an ideal world CI pipelines would never fail and deployments would be easy to navigate. The reality is that the journey from commit to production can fail in subtle ways that can be hard to …
This $80m Banking Incident shows that Change Controls don't work
This week I’ve been reading through the recent judgment from the Swedish FSA on the Swedbank outage. If you’re unfamiliar with this story, Swedbank had a major outage in April 2022 that was caused by …
The Dark Side of DevSecOps and the case for Governance Engineering
For today’s software organizations security has never been more top of mind. On one side there is the present and growing threat of being hacked by malicious actors, set out in Crowdstrike’s recent …
How to prove your SDLC is being followed for compliance with medical standards like IEC 62304
If you’re part of a software engineering team in digital health, medtech, medical devices, Software as a Medical Device (SaMD), etc. you have to comply with regulatory standards. And one of the …
Kosli - A Flight Data Recorder for your Runtime Environments
Have you ever had to debug an environment and found it hard to understand exactly what had changed? In the worst case scenarios you have to figure this out during high-pressure situations, like when …
DevSecOps: The Broken or Blurred Lines of Defense
With the modern patterns and practices of DevOps and DevSecOps it’s not clear who the front-line owners are anymore. Today, most organizations’ internal audit processes have lots of toil and low …
Help, we’re doing ISO27001! Why, what, and how?
At Stacc, Espen Thomassen Sæverud (CTO) & Øyvind Fanebust (Partner) have extensive experience in banking and finance with particular expertise in the area of Continuous Compliance. In this talk …
Regulations v DevSecOps: Requiem
In this 15 minute lightning talk, Diptesh “Dips” Mishra, CTO for Shoal (a Standard Chartered Venture) talks about the governance challenges that financial services organizations face when they look to …
Inside Investments Unlimited with John Willis
John Willis, Distinguished Researcher at Kosli, dives into Investments Unlimited - the latest novel from IT Revolution. It’s about an investment bank dealing with DevOps, DevSecOps, and IT Risk. John …
Knight Capital - A story about DevOps Automated Governance
Knight Capital Group, Inc. was a global financial services firm that operated in the world’s premier market-making, electronic execution, and offered side platform. It was one of the leading …
A short history of the software bill of materials (SBOM)
Many people are talking about the software bill of materials, but few know about SBOM origins. I find it essential to understand the genesis of ideas, so let’s talk about the beginning of the SBOM. …
Cybersecurity regulation and the software supply chain
It’s standard practice for software companies to use existing software components as building blocks for their new products. But what happens when those building blocks contain vulnerabilities …
The Misunderstood Troll - A story about collaboration, communication and visibility in a regulated software organizations
In this talk Alex Kantor, Director of Technology at Modulr, will show you how they used Kosli to enable their developers to release directly to production in a financially regulated environment - …
Why I joined Kosli - a story about DevOps and modern governance
Maybe I’m crazy, but I’ve just joined my 12th startup at the age of 63. Kosli is the product I’ve been looking for since I started talking about this idea five years ago, but until recently I …
Does the GitOps emperor have no clothes?
A hot take 🔥🔥 from a kind place. Before I start throwing sparks around I want to make clear that I think there’s lots of benefits to capturing everything as code in git. Static definitions, recipes …
Review: Investments Unlimited - A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age
“You know, it may feel like regulators are out to get us, but they’re really there to help us and help protect our customers.” If you’re into DevOps there’s a pretty good chance at least one book from …
Why developers need a DevOps database
Can you imagine developing software without version control? What if I told you that we were doing exactly the same thing with DevOps? In this article I’ll explain why developers need a database for …
Visma Tech Talk with Kosli's Mike Long - DevOps: The Beginning of Infinity
In this video Mike speaks to Tinuis Alexander Lystad from Visma about his latest talk, DevOps: The Beginning of Infinity. Inspired by David Deutsch, Mike explores the concept of infinite knowledge …
It’s 2021! Why does Change Management still suck?
There’s an excellent management paper from 2001 called Nobody Ever Gets Credit for Fixing Problems that Never Happened. In it, the researchers looked into how companies create and sustain process …
The Jan Bosch Interview: The Future for Technology Companies
A few days ago you posted a video from the Software Center about doing continuous testing in regulated, safety critical environments. And it immediately attracted a bunch of objections from people in …
10 outdated beliefs about software
The world of software remains a fascinating place and I keep being amazed at how rapidly it continues to evolve and transform. We certainly have come a long from the early 1980s when I was a teenager …
The Jan Bosch Interview: Software Innovation in Embedded and Regulated Systems
All of the research into DevOps tells us that it is the most efficient way to deliver software. But, what does DevOps look like in places where you have the extra friction that comes with embedded …
The Jan Bosch Interview: Industry and Academia
A few weeks ago Jan Bosch joined Kosli as an investor and advisor. Shortly after his arrival I interviewed him about a range of software related topics. Our conversation will form the basis for a …
DevOps and the future of Change Management
Here’s your chance to catch up on the talk @meekrosoft gave at BCS EDN where he discussed the change management challenges associated with practising DevOps in regulated industries. In sectors …
Is faster actually safer? How software physics beats human psychology
Sometimes doom-scrolling through Twitter has its rewards. A few weeks ago, in between the Ever Given🚢 memes (how we miss the big boat!) and the usual screams😱 into the void, I came across this tweet …
ZTL Case: Building a Fintech with DevOps DNA
Moving at DevOps speed isn’t straightforward in regulated industries. Change management processes force your development teams to delay valuable release candidates. But, what if you could automate the …
Ready to ship with more confidence?
Got a question about Kosli?
We’re here to help, our customers range from larges fintechs, medtechs and regulated business all looking to streamline their DevOps audit trails
Contact us