2024 Year in Review
Polar Unlocks DevSecOps Data in Highly Regulated Environments to Improve Operational Decisions
Modern DevSecOps processes create a wealth of data that software producers can use to improve their development operations. However, traditional data-collection techniques obscure the full picture, limiting an organization’s ability to leverage its data fully. To address this challenge, the SEI developed Polar, a secure and scalable framework that enables access to all of an organization’s DevSecOps data to inform and streamline operational decision making and process improvement, even in highly regulated environments.
DevSecOps practices can help solve difficult service problems related to resilience, security, scale, and agility. But these practices may lead to complex deployment pipelines that are built from many different solutions and tools, each of which comes with its own inherent complexity and cost to adopt. The number and types of stakeholders who require information about the DevSecOps pipeline can be broad. They need different data from different systems and have different ways to access it. There may be no obvious way to use the information in one system to help answer questions and solve problems.
“The problem is complexity,” said project lead David Shepard. “Data is locked away in disparate systems, and combining the data in meaningful ways often means custom application development. One-off solutions don’t maximize the value of an organization’s data because they’re focused on a specific problem domain that is often not aligned with the needs of decision makers.”
Released in April 2024, the Polar tool dynamically maps the relationships in complex DevSecOps infrastructures and provides visibility into components that previously seemed unrelated. This kind of visibility can help users diagnose and track down problems when they arise. “The information can be used to build automation, monitoring, and alerting,” said Joseph Yankel, senior engineer at the SEI. “It can also help discover cost centers, reduce duplication, visualize end-to-end tool integration, manage licensing, and deliver additional insights.”
A knowledge graph is the core of the Polar architecture. It stores and manages data as nodes that hold organizational data and edges that express relationships between different types of data, enabling intuitive query and analysis. Polar’s schema can be changed at any time without a data migration, permitting the design to flex with evolving operating environments. Designed for highly regulated environments, Polar uses a publisher–subscriber architecture with mutual transport layer security (mTLS) for encrypted, mutually authenticated communications. Polar provides a
- framework for gathering observable data
- data model for organizing observations
- query engine for asking questions of the combined data
- distributable and repeatable environment for developing and testing software
- shareable development methodology for building secure and resilient software
Polar unlocks data that is captured by disparate tools within an organization, helping to answer complex questions about performance and security that are crucial for decision-making and agility in the face of threats.
The SEI encourages users to try Polar, available on GitHub at github.com/cmu-sei/Polar, and provide feedback.