2021 Year in Review
Modeling DevSecOps for Software Pipeline Assurance
At a conference in 2020, the SEI’s Tim Chick was asked, “How do you assure DevSecOps pipelines?” Based on their experience in the field, Chick and his SEI colleagues concluded that most organizations were making indefensible assertions about their pipeline’s assurance and what it would provide for product assurance. While one can assure a software product, the concept of a DevSecOps pipeline lacked enough definition and substance to be assured, or verified to behave as expected, and to have its cybersecurity risks quantified.
A few months later, bad actors exploited a supply chain flaw to deliver malware to thousands of systems running SolarWinds software. This attack validated the SEI’s conclusions: Both the product and pipeline need to be assured.
While there are many theories and tools for DevSecOps, there is no practical framework for its implementation and evaluation. “There’s no holistic view of how you bring it all together,” said Chick. Filling this gap is especially critical for major Department of Defense programs because they rely on the DevSecOps pipeline to repeatedly perform key assurance activities to address the scale and complexity of their software systems.
To bridge this gap between research and practice, the SEI developed a DevSecOps model. It includes 10 capability areas covering every stage of the DevSecOps lifecycle. Chick’s team mapped requirements to capabilities and divided them into four levels. This structure enables organizations to quantifiably evaluate their DevSecOps capabilities, from planning to quality assurance. To fully encompass the socio-technical aspects of the pipeline, the model defines goals and measurements for the roles and responsibilities within the organization.
The DevSecOps model became an opportunity for different teams within the institute to bring all their knowledge and experience into a single resource.Tim Chick
Systems Team Technical Manager, SEI CERT Division
The model also maps out process flows required in building a secure and resilient DevSecOps pipeline, outlining the different data elements that impact the pipeline, building in security, and applying a measurement framework to allow model users to quantify the health of their DevSecOps pipeline through the development and operational lifecycles—all while reducing time to deployment.
Chick expects the model to be especially useful to government agencies and heavily regulated segments of industry, where implementing DevSecOps at scale can be challenging. The SEI brought decades of experience in developing maturity and capability models—such as the Capability Maturity Model Integration (CMMI), Smart Grid Maturity Model (SGMM), and CERT Resilience Management Model (CERT-RMM)—for just these kinds of organizations. “The DevSecOps model became an opportunity for different teams within the institute to bring all their knowledge and experience into a single resource,” said Chick. “The model really represents the whole body of work of the institute.”
The model should be released in early 2022, and the SEI seeks organizations to test it by implementing the model and adapting it to different scenarios; for example, in evaluating bids from DevSecOps contractors. Filling the DevSecOps definition gap is just the first step, though. The next phase of SEI research will apply current software assurance techniques to the pipeline and enhance or adapt those techniques to assure both the pipeline and the product, all while keeping pace with the rate of change in current Agile and DevSecOps environments.
Timothy Chick (project lead), Bob Ellison, Brent Frye, Christopher Miller, Bill Nichols, Mary Popeck, Aaron Reffett, Geoff Sanders, Nataliya Shevchenko, Carol Woody, Joseph Yankel