Cloud.mil
 
Intro to DevSecOps

What is DevSecOps?


DevSecOps is a software engineering culture and practice that aims at unifying software development (Dev), security (Sec), and operations (Ops). DevSecOps emphasizes collaboration and communication between development, security, and operations teams to deliver secure and resilient software at the speed of relevance. It involves automating security and testing processes, integrating security tools and practices into the development pipeline, and fostering a culture of shared responsibility for performance and security. Adopting DevSecOps accelerates the delivery cadence of software capability while integrating security throughout the software lifecycle.


DevSecOps is iterative by design, recognizing that software is never done. The “big bang” style delivery of the waterfall process is replaced with small, frequent deliveries that make it easier to change course as necessary. Each small delivery is accomplished through a fully automated or semi-automated process with minimal human intervention to accelerate continuous integration and continuous deployment. This lifecycle is adaptable and includes numerous feedback loops that drive continuous process improvements.


The DevSecOps lifecycle consists of ten phases. The ten phases group common activities and quality gates. They proceed in a cyclical manner with the result of a cycle being a software product release. A software product release is an iteration of the product that includes new functionality, performance enhancements, and/or security improvements. Each cycle builds upon the results of previous cycles. The ten phases are defined below.



The DevSecOps core loop.




Phases


Plan – Define the requirements and objectives of the product, with the greatest focus on the contents of the next release or version.
Develop – Create the elements of the product based upon the requirements and objectives identified in the Plan phase.
Build – Compile and/or integrate the new elements with any existing elements of the product.
Test – Verify that the new elements meet the requirements and objectives prior to packaging and deployment.
Release – Package the product and create all required documentation.
Deliver – Transmit the product to the operational environment.
Deploy – Install and/or configure the product within the operational environment.
Operate – Make the product available to the intended users.
Monitor – Observe, measure, and monitor the product as it is used.
Feedback – Transmit observed behavior and desired changes for consideration in the next iteration of the DevSecOps lifecycle.


The development and operations iterations of the lifecycle incorporate improvements and refinements during those cycles. These iterations may be necessary to address critical issues or to add needed capabilities prior to the release and operation of a deployable product.






A DevSecOps unrolled loop.



Key Concepts


DevSecOps Platform

A DevSecOps (or digital) platform is a group of resources and capabilities that form a base upon which other capabilities or services are built and operated within the same technical framework. Use of a DevSecOps or digital platform is encouraged to accelerate development, delivery, and cybersecurity accreditation.


Infrastructure as Code (IaC)

IaC plays a critical role in automation for DevSecOps platforms. IaC streamlines infrastructure deployment, authorization, and security for customers leveraging cloud, shortening the typical infrastructure stand-up by seven months. IaC consists of baselines that automatically establish cloud environments in hours.


Software Factory

A software factory is a collection of people, tools, and processes that enables teams to continuously deliver value by deploying software to meet the needs of a specific community of end users. It leverages automation to replace manual processes.



CI/CD Pipeline

A critical part of a software factory is the CI/CD pipeline. A software factory may contain multiple CI/CD pipelines, each equipped with a set of tools, process workflows, scripts, and environments to produce a set of deployable software artifacts with minimal human intervention. A pipeline automates the activities in the develop, build, test, release, and deliver phases. Different pipelines are needed for different types of software such as web applications, business systems, command and control systems, embedded systems, or AI/ML.


Continuous Authorization to Operate (cATO)


cATO is the state achieved when the organization that develops, secures, and operates a system has demonstrated such maturity in its ability to maintain a resilient cybersecurity posture that traditional risk assessments and authorizations become redundant. This organization must have implemented robust information security continuous monitoring capabilities, active cyber defense, and secure software supply chain requirements to enable continuous delivery of capabilities without adversely impacting the system’s cyber posture.




A DevSecOps figure with additional external loops.


Integration


Security

While the DevSecOps lifecycle includes a phase named “Test,” there are testing activities throughout the lifecycle, whether by securing the software supply chain or by adopting practices in alignment with NIST SP 800-218. The DevSecOps Activities & Tools Guide includes testing activities as part of the focus on Continuous Testing and maps these activities to the SSDF.


Risk Management Framework

Risk Management Framework (RMF) is the framework DoD uses to ensure all IT systems and applications are “cyber” secure. RMF provides a disciplined and structured, yet flexible process for managing security. The six-step process is designed to develop strong cybersecurity through proper categorization, vulnerability identification and mitigation, assessment, and monitoring of systems and software.






Testing and Evaluation

While the DevSecOps lifecycle includes a phase named “Test,” there are testing activities throughout the lifecycle, whether by securing the software supply chain or by adopting practices in alignment with NIST SP 800-218. The DevSecOps Activities & Tools Guide includes testing activities as part of the focus on Continuous Testing and maps these activities to the SSDF.


Acquisition

Acquisition and DevSecOps are closely related in the context of software development and procurement. This alignment between acquisition and DevSecOps enables organizations to save time and money while ensuring the agility and resilience of their software systems.







Events







Software Factory Coalition Conference


June 4-6
The Pentagon


The mission of the Software Factory Ecosystem Coalition is to bring the DoD Software Factory Ecosystem together to improve innovation by sharing discoveries, swarming to solve problems, and self-governing software factory functions to enable reuse, reduce unnecessary duplication, and allow for necessary specialization.















Feedback




Your feedback and contributions are appreciated.

Get in touch.