DevSecOps is an integrated approach for building and deploying safe, secure, and scalable software. It's an approach to culture, automation, and platform design that focuses on shift-left security and emphasizes the shared responsibility within the software release lifecycle. Nicolas Chaillan (former US Air Force and Space Force Chief Software Officer) created DoD’s DevSecOps Reference Design to help standardize the practices and components that enable federated agencies consistently deploy secure DevSecOps-enabled software factories. Let us first begin with understanding what DoD's Enterprise DevSecOps Reference design is?
The DevSecOps lifecycle, supporting pillars, and DevSecOps ecosystem
List of tools and activities for establishing the DevSecOps software factory and ecosystem;
The DoD enterprise DevSecOps Infrastructure as Code and Configuration as Code templates that harden the environment and mission applications
Application security best practices.
This DoD Enterprise DevSecOps Reference Design provides implementation and operational guidance to Information Technology (IT) capability providers, IT capability consumers, application teams, and Authorizing Officials. While the reference design outlines the core requirements for the DevSecOps software factory, deploying a software factory that implements this DoD Enterprise Reference Design is a daunting task for the reasons listed below:
Culture is one of the biggest challenges in implementing DoD Enterprise Reference design, which requires a mindset shift from ‘security as an afterthought’ to ‘security-first’.
Implementing a DevSecOps software factory requires deploying layers of complex software stacks with purpose-built tools.
Integrating and managing a wide range of activities that rely on these tools.
Bringing in the right technology skills, especially when it comes to security skills.
Integrating the wide range of DevSecOps tools can be hard and time-consuming.
Highly regulated environments can bring in a lot of complexity in adopting DevSecOps. Zero-Trust security architectures, restricted communication with stakeholders, and segregated environments, all cause challenges when it comes to implementing continuous practices.
Security tools generate a lot of false positives and take a lot of time to validate and mitigate risks. This causes developers to avoid using these tools.
Tackling both greenfield and brownfield applications to be deployed in cloud, on-prem, or in a multi-cloud environment is challenging.
Implementing Zero Trust capabilities and other security best practices like the Software Bill of Materials (SBOM) within the software factory need end-to-end integration of process and tools.
VivSoft, through its SBIR Phase 3, helped the DoD in its Enterprise DevSecOps initiative. The aim of this initiative was delivering an enterprise DevSecOps platform based on the DevSecOps Reference Design called Platform One or P1. P1’s Big Bang offering is a modern, open source, cloud-era DevSecOps platform that provides valuable tooling, hosts CI/CD DevSecOps pipelines, and offers a secure Kubernetes platform for hosting micro-services. In addition, it provides a collection of approved and compliant infrastructure as code playbooks, Kubernetes distributions and hardened containers.
VivSoft simplifies the implementation of DoD’s DevSecOps Reference Design based software factories by providing an integrated and human-centered design solution to deploy Big Bang. It minimizes the cognitive load for end users through our productized DevSecOps accelerator called ENBUILD to solve all the challenges listed above.
VivSoft’s ENBUILD accelerator was co-created with the Air Force’s Platform One (P1) to address the automation, security, and trustworthiness of DevSecOps and MLOps automation. ENBUILD allows users to select pre-packaged deployment automation for Platform One’s open-source offerings. It provides an intuitive interface that deploys secure (DoD-compliant) automation stacks without vendor lock-in. This platform has been selected for rapidly deploying Platform One stacks in other federal agencies.
With ENBUILD, any agency can now:
Build a custom software factory for their mission-specific needs to enable faster deployment.
Deploy P1 DevSecOps platform and its automation into their own cloud or on-prem environment.
Provide mission teams an Out-of-the-Box deployment of CI/CD automation that complies with DoD enterprise DevSecOps reference design 2.0.
Move towards cATO (Continuous Authority to Operate), which is becoming necessary as the DoD and civilian agencies are putting more applications and data in the cloud.
Deploy MLOps stacks on Day 1 with data pipelines capabilities.
Need more Information? Book your demo here!
Comments