Digital Engineering and DevSecOps

featuring David Shepard as Interviewed by Suzanne Miller

DevOps isn’t the buzzword it was over a decade ago. Today, pretty much everyone in the software game has integrated their development and operations teams, and it’s easy to see why. Together, they’re able to deploy software faster and more reliably. It’s been an absolute gamechanger.

更多

Unfortunately, security has been late to the party. The aim of DevSecOps is to integrate IT security into the software development lifecycle. That way, businesses can rapidly deploy software while ensuring a high standard of application security.

If you’re a technology leader, you understand how critical security is. That said, it can—and often does—cramp your team’s style. Development has an agile mindset. Security, on the other hand, doesn’t. In fact, it’s lagging behind. And it can be frustrating.

Now imagine how security practitioners feel. They’re in an unenviable position. On average, enterprises have one security practitioner for every 100 software developers.1 So, scaling application security is no cakewalk, never mind making it agile.

The point of this playbook is to help you build out a DevSecOps function and enable your business to enjoy the benefits of speedy development paired with top notch security. And if we can get your engineers and security practitioners to work together more effectively, all the better.

收起

Modern information systems and weapons platforms are driven by software. As such, the DoD is working to modernize its software practices to provide the agility to deliver resilient software at the speed of relevance. DoD Enterprise DevSecOps Reference Designs are expected to provide clear guidance on how specific collections of technologies come together to form a secure and effective software factory.

The ability to deliver capability “at the speed of relevance” requires an innovative approach to providing secure access to cloud environments. As highlighted in a recent report by the Defense Innovation Board, “...the threats that the United States faces are changing at an ever-increasing pace, and the Department of Defense’s (DoD’s) ability to adapt and respond is now determined by its ability to develop and deploy software to the field rapidly.” To effectively and efficiently achieve the objective, access to cloud environments must be flexible, ubiquitous, and at the same time, provide the requisite level of security and monitoring to protect from, detect, respond to, and recover from cyber-attacks. The purpose of a Cloud Native Access Point (CNAP) is to provide secure authorized access to DoD resources in a commercial cloud environment, leveraging zero trust architecture (ZTA), by authorized DoD users and endpoints from anywhere, at any time, from any device.

更多

The purpose of this CNAP Reference Design (RD) is to describe and define the set of capabilities, fundamental components, and data flows within a CNAP. It presents logical design patterns and derived reference implementations for deploying, connecting to, and operating a CNAP. It is a future state design to guide the development of next generation connectivity and cybersecurity capabilities to improve internet-based machine and user access into DoD cloud (in particular, commercial cloud-hosted) resources and services. A CNAP provides person entities (PE) (i.e., end users and privileged users) and non-person entities (NPE) access to cloud enclaves using a combination of cloud native and cloud ready security mechanisms. Further, a CNAP allows authorized outbound access to the internet, for example, to enable software repository synchronization of COTS patches or new versions of Free and Open-Source Software (FOSS) projects and system-to-system interfaces with mission partners such as other Federal Departments.

The CNAP RD is intended for the Combatant Commanders, Military Departments, Defense Information Systems Agency (DISA), other Defense Agencies, and mission partners who require access to DoD resources in the commercial cloud and government cloud. It serves as DoD enterprise-level guidance for establishing secure internet ingress and egress to cloud-hosted development, test, and production environments.

收起

DevSecOps is a software engineering culture that guides a team to break down silos and unify software development, deployment, security and operations. Critical to the success of DevSecOps adoption is buy-in from all stakeholders, including: leadership, acquisition, contracting, middle-management, engineering, security, operations, development, and testing teams. Stakeholders across the organization must change their way of thinking from “I” to “we”, while breaking team silos, and understanding that the failure to successfully deliver, maintain, and continuously engineer software and its underlying infrastructure is the failure of the entire organization, not one specific team or individual.

Practicing DevSecOps requires an array of purpose-built tools and a wide range of activities that rely on those tools. This document conveys the relationship between each DevSecOps phase, a taxonomy of supporting tools for a given phase, and the set of activities that occur at each phase cross-referenced to the tool(s) that support the specific activity.

This document is intended as an educational compendium of universal concepts related to DevSecOps, including normalized definitions of DevSecOps concepts. Other pertinent information is captured in corresponding topic-specific guidebooks or playbooks. Guidebooks are intended to provide deep knowledge and industry best practices with respect to a specific topic area. Playbooks consist of one-page plays, structured to consist of a best practice introduction, salient points, and finally a checklist or call-to-action.