2022 Year in Review
New Model Provides Blueprint for DevSecOps
Adopting DevSecOps methods is challenging for large Department of Defense (DoD) software acquisition and development groups. While policies such as the software acquisition pathway encourage government programs to use DevSecOps and Agile methods, they do not say how. The DevSecOps literature is too broad to be practical, and DevSecOps tools are too narrowly scoped.
The SEI's DevSecOps Platform-Independent Model (PIM) formalizes the practices of DevSecOps pipelines and organizes relevant guidance. The first-of-its-kind, enterprise-wide model gives software development organizations a practical set of instructions for creating, maintaining, and evolving DevSecOps pipelines.
The DevSecOps software engineering environment promotes collaboration among development, security, and operations. This socio-technical system uses automation for flexible, rapid, frequent delivery of secure infrastructure and software to production.
Software development organizations must tailor each DevSecOps pipeline to the people, processes, and technology needed to provide a product or service. These complex pipelines are especially hard for large projects and those in heavily regulated, security-sensitive environments.
“Programs often focus on the product and don’t put enough effort into the pipeline that's building it,” said Tim Chick, PIM project lead. Without practical guidance, organizations create pipelines ad hoc, fight fire after fire, and fail to get the expected value from their DevSecOps implementations.
The DevSecOps PIM is a reusable reference architecture for DevSecOps pipelines. It is a systematic, consistent starting point for new DevSecOps projects or a reference for assessing existing ones. Any stakeholder in software development—managers, executives, engineers, and acquisition officers—might find a use for the PIM’s holistic, enterprise-wide view.
The interactive PIM website lets anyone walk the model, explore guidance for each phase of the DevSecOps lifecycle, plan a DevSecOps infrastructure fit for purpose, and avoid technical debt. “You know what you actually need to build versus buying something that doesn’t suit you,” said Joe Yankel, an SEI DevSecOps specialist.
The PIM also allows pipeline risk modeling and threat and attack surface analysis. Threat modeling workshops, usually used on computer-based information systems, helped the PIM development team model attacks, their actors and effects, and the pipeline assets to protect.
Those cybersecurity scenarios mesh with the PIM’s personnel role involvement model. “If you look at the roles and cybersecurity separately, you won't see any interactions,” said Nataliya Shevchenko, one of the PIM’s creators and main modeler. “But if you put everything in one view, they start to appear, enabling more analysis and better threat mitigation.”
Model-based systems engineering (MBSE) is baked into the DevSecOps process. But to create the PIM, the SEI innovated the application of MBSE to DevSecOps itself, modeling it as they would any other system. The PIM team leveraged a digital modeling environment for MBSE, its experience with DoD mission threads, and a recognition of humans as integrated system components.
The PIM aims to help organizations fulfill the promise of DevSecOps: software that is more secure, less costly, and faster to produce. “The PIM is like a map,” said Chick. “The model helps you get where you want to go in the most efficient and effective way.”
“There is a growing need for centralized software development infrastructure—software factories—in many DoD programs,” said Hasan Yasar, technical director for continuous deployment of capability at the SEI. “By leveraging the PIM and its concepts, these programs could define their needs and architect the right DevSecOps ecosystems.”
Explore the DevSecOps Platform-Independent Model at https://cmu-sei.github.io/DevSecOps-Model/.