Rocket DevOps Test Streamlines DORA Compliance

DORA (Digital Operational Resilience Act) is a regulation ratified in November 2022 by the European Union (EU). Part of a package of measures aimed at boosting digital innovation in the EU's financial sector while addressing the risks associated with it, DORA delivers a complex set of rules aimed at ensuring that financial entities build digital resilience into their operational frameworks and safeguard against cybersecurity threats. This includes regulatory standards in software development. You can read more about DORA and its impact on the mainframe in our blog here.

This regulation affects any financial company with operations in Europe or providing "critical" information and communications technology (ICT) services to one or more European financial entities. Navigating DORA’s complexities and ensuring compliance is no easy feat. It comprises 106 preambles, 64 articles, and multiple regulatory schemas.

So, what do organizations need to know as they prepare to comply with DORA? Let’s take a closer look.

DORA Puts DevSecOps Front and Center

Software development within financial entities must meet DORA’s rigorous standards. A sampling of DORA’s software development and testing requirements, per article 25, paragraph 1, includes:

• Vulnerability assessments and scans.
• Open-source analyses.
• Gap analyses.
• Physical security reviews (security policies and procedures).
• Questionnaires and scanning software solutions.
• Source code reviews where feasible. Scenario-based tests.
• Compatibility testing. 
• Performance testing.
• End-to-end testing.

Unique Challenges for Mainframe Developers

Compliance with DORA is particularly challenging in multi-code environments that include IBM® i. Mainframe developers face unique hurdles when ensuring their IT environments are secure. Tools like open source have helped boost software development, but they also mean security must always be at the top of people’s minds.

Incorporating security best practices into the DevOps toolchain—also known as DevSecOps—helps ensure security remains a consistent, shared responsibility throughout the software development life cycles and that security updates are added quickly and smoothly, reducing the chance of threats.

Automated Compliance Testing and Security Built-in

Here’s where Rocket DevOps Test 10.3.1 comes in. The testing component of the Rocket DevOps modernization platform, Rocket DevOps Test, enables multi-code environments that include IBM I, to integrate continuous and automated testing processes and minimize backtracking due to late-stage defect discovery. It fosters shared responsibilities among siloed teams, implements a shift-left testing approach, and ensures that testing and DevOps security is an integral, seamless part of Continuous Integration and Continuous Delivery (CI/CD).

In addition to continuous, automated testing and streamlined change management capabilities, Rocket DevOps Test monitors database changes during testing to maintain consistency and compliance across regulations like DORA. Rocket’s new testing software also offers built-in IT governance and security that proactively identifies and remediates code quality and security issues early, ensuring that coding standards and security requirements are met. Integration with SonarQube and other tools proactively addresses code quality and security, aligning with DevSecOps principles.

Automated Compliance Testing and Built-in Security Hold the Key

Regulations like DORA related to cybersecurity, risk management, and incident reporting will change how companies operate on both sides of the Atlantic. The newest version of Rocket DevOps Test offers a streamlined approach to ensure that software development within financial entities meets DORA's rigorous standards, providing a clear pathway to resilience and compliance.

Learn how Rocket DevOps Test can help your organization streamline DORA compliance.