Agile and DevSecOps Design Concepts
Chief Architect, DON CIO. April 10, 2020 DISTRIBUTION A. Approved for public release: Distribution unlimited (01 Nov 2019)
The Department of the Navy (DON) wants to bridge traditional gaps between IT and security while ensuring fast, safe delivery of capabilities to the fleet. The DON delivers most of its IT capabilities today under an antiquated waterfall methodology. Commercial software that is purchased is usually customized, which makes it difficult and costly to maintain. For custom software, it often takes years to define requirements, and even longer to deliver capability that most likely does not meet user expectations. There are pockets in DoD and DON creating software development factories, pipelines, and processes to adopt Agile and DevSecOps methods. The DoD and DON at-large have not fully embraced the culture and techniques to take advantage of automation under these frameworks. The existing hybrid multi-cloud Security and Operations activities do not use the same tools and techniques as in Development and Deployment aligned with the DevSecOps concepts. The constraints preventing DON DevSecOps adoption are: (1) Culture, guidance, processes, and services do not support distributed, tiered, federated, multi-tenancy operations, or Agile and DevSecOps principles or methods; (2) Existing pipelines and efforts are focused on custom code1, but the strategy is to consume commercial products first (SaaS, PaaS, COTS); (3) An incremental approach to achieve DevSecOps maturity does not exist; (4) Inheritance and reciprocity are not having the desired impact because risk is contextual and dependent on the target environment. Rent before buy, buy before build: only develop custom capabilities unique to the DON mission Deliver and consume DevSecOps capabilities as self-service provisioned Digital Enterprise
Services Create pipelines and continuous A&A for each capability development and delivery model Consolidate factories, tool networks, and enable differentiation and local control of pipelines Align with DOD Enterprise DevSecOps Reference Design2 for containerized and GOTS use cases Enable Fleet Cyber
Command visibility and control of continuous delivery and target environments by using the same tools for development and operations
Institute cultural change to enable Agile development, not Agile BS3
Create cross-factory interoperability and promote re-usability
Integrate feedback loops and enable self-service access to production data and baselines in Dev
Automate all aspects including functional testing
Treat all items as Infrastructure as Code
1 Compile-to-Combat in 24 Hours Implementation Standard V1. 2 DOD Enterprise DevSecOps Reference Design V1.0; August 12, 2019 3 DIB Guide: Detecting Agile BS; Oct 9, 2018
Curr
ent S
tate
Pr
oble
m
Stat
emen
t D
evSe
cOps
Des
ign
Requ
irem
ents
Re
fere
nces
Figure 1: Navy Agile & DevSecOps
PRODUCTION ENVIRONMENT
PRODUCTION ENVIRONMENT
Production Operations
ToolsProd
FLEET CYBER COMMAND
PRODUCTION ENVIRONMENT
Arc
hite
ctur
e an
d Se
rvic
esPr
oces
ses
& M
etho
ds
Artifact Repository
Legend
Commercial Hardware,Software
Cloud Service(SaaS, PaaS, IaaS)
Software, Managed Service Offering
Products
OTHER GOVT FACTORIES
GOTS Pipeline
Low Code-No Code Pipeline
Workplace Automation Pipeline
Agile Methodology
Infrastructure as Code Pipeline
GOTS PipelineLow Code-No Code Pipeline
Top Related