Hi, how do you deal with the auditors requests? When they’re asking for “a list of all users who have accessed the source code in the past 30 days and ensure that the program source libraries record a time stamped log of all access and modification to source code.”
Assume all authorized users have accessed the source code, and use git commits as modification records
I know how I would handle it, but its almost definitely illegal in every jurisdiction that has auditors!
In Azure DevOps / Git you can use the Azure DevOps instance to timestamp modifications (assuming you only deploy centrally) but there is no way to timestamp all access considering the access is local and people could clone a repo from their local instance to anybody outside of your control.
The audit log of Azure DevOps and GitHub can give you quite a bit of data. Butf course no guarantee someone hasn’t copied the git repo elsewhere. Much harder to prove where the code went after clone.
PDBs and SourceLink can link source files and build results directly to get history
I get this question once or twice a year myself. Is accessed defined as looked at it in the web, cloned it, some generic read operation? Simple clones are not in the audit stream, either is the low level data I’d dig out of the IIS logs in a Server instance.
This is cumbersome but in my org all internet traffic is proxied & DLP’d with no exceptions. If you can’t figure out how to get an app to use the proxy there is no internet access for you 
I’ve floated the idea to them that if audit really, and I mean really wanted that information they could ask Infosec to mine their data for users that have accessed some URL patterns.
When it comes to the server env I have all the IIS logs shipped to Splunk and that is a gold mine of user activity. Every mouse click, api call, or process that touches the app is in there someplace. I have many reports written for when I’m asked the who touched what questions. Audit really dislikes that I can’t provide the same data for Services, down to I’ll get asked who approved using it in the first place if there are audit gaps.
I just kicked off our annual access review for internal audit today, teaching the new guys how to do it.
We often just give the ACLs and say that they might have looked at it and that it’s hard to be more precise.
What the auditors luckily don’t know is how git can work peer-to-peer over local network and USB as well,
And don’t forget the SSH service
Or how you can have the build agent write the whole git repo to a disk you have access to
I suppose they don’t fingerprint the files and monitor them using their Endpoint protection tools… Which is probably the only “safe” bet when combined with network inspection.
I always laugh when auditors say things like “who approved this tool to begin with”, cause they often ask for things that are not available in any tool I am aware of. Unless they shield off the whole thing and only let people work on it from a network shielded VM over RDP with clipboard turned off. And even then I can just use the Windows Powertoys to OCR a screendrump
