Agile and DevSecOps Design Concepts 20200410...Kd, Z 'Ksd & dKZ/ ^ 'Kd^ W ] o ] v > } Á } rE } } W...

1
Agile and DevSecOps Design Concepts Chief Architect, DON CIO. April 10, 2020 DISTRIBUTION A. Approved for public release: Distribution unlimited (01 Nov 2019) The Department of the Navy (DON) wants to bridge traditional gaps between IT and security while ensuring fast, safe delivery of capabilities to the fleet. The DON delivers most of its IT capabilities today under an antiquated waterfall methodology. Commercial software that is purchased is usually customized, which makes it difficult and costly to maintain. For custom software, it often takes years to define requirements, and even longer to deliver capability that most likely does not meet user expectations. There are pockets in DoD and DON creating software development factories, pipelines, and processes to adopt Agile and DevSecOps methods. The DoD and DON at-large have not fully embraced the culture and techniques to take advantage of automation under these frameworks. The existing hybrid multi-cloud Security and Operations activities do not use the same tools and techniques as in Development and Deployment aligned with the DevSecOps concepts. The constraints preventing DON DevSecOps adoption are: (1) Culture, guidance, processes, and services do not support distributed, tiered, federated, multi-tenancy operations, or Agile and DevSecOps principles or methods; (2) Existing pipelines and efforts are focused on custom code 1 , but the strategy is to consume commercial products first (SaaS, PaaS, COTS); (3) An incremental approach to achieve DevSecOps maturity does not exist; (4) Inheritance and reciprocity are not having the desired impact because risk is contextual and dependent on the target environment. Rent before buy, buy before build: only develop custom capabilities unique to the DON mission Deliver and consume DevSecOps capabilities as self-service provisioned Digital Enterprise Services Create pipelines and continuous A&A for each capability development and delivery model Consolidate factories, tool networks, and enable differentiation and local control of pipelines Align with DOD Enterprise DevSecOps Reference Design 2 for containerized and GOTS use cases Enable Fleet Cyber Command visibility and control of continuous delivery and target environments by using the same tools for development and operations Institute cultural change to enable Agile development, not Agile BS 3 Create cross-factory interoperability and promote re-usability Integrate feedback loops and enable self- service access to production data and baselines in Dev Automate all aspects including functional testing Treat all items as Infrastructure as Code 1 Compile-to-Combat in 24 Hours Implementation Standard V1. 2 DOD Enterprise DevSecOps Reference Design V1.0; August 12, 2019 3 DIB Guide: Detecting Agile BS; Oct 9, 2018 Current State Problem Statement DevSecOps Design Requirements References Figure 1: Navy Agile & DevSecOps PRODUCTION ENVIRONMENT PRODUCTION ENVIRONMENT Production Operations Tools Prod FLEET CYBER COMMAND PRODUCTION ENVIRONMENT Architecture and Services Processes & Methods Artifact Repository Legend Commercial Hardware, Software Cloud Service (SaaS, PaaS, IaaS) Software, Managed Service Offering Products OTHER GOVT FACTORIES GOTS Pipeline Low Code-No Code Pipeline Workplace Automation Pipeline Agile Methodology Infrastructure as Code Pipeline GOTS Pipeline Low Code-No Code Pipeline

Transcript of Agile and DevSecOps Design Concepts 20200410...Kd, Z 'Ksd & dKZ/ ^ 'Kd^ W ] o ] v > } Á } rE } } W...

Page 1: Agile and DevSecOps Design Concepts 20200410...Kd, Z 'Ksd & dKZ/ ^ 'Kd^ W ] o ] v > } Á } rE } } W ] o ] v t } l o µ } u ] } v W ] o ] v P ] o

Agile and DevSecOps Design Concepts

Chief Architect, DON CIO. April 10, 2020 DISTRIBUTION A. Approved for public release: Distribution unlimited (01 Nov 2019)

The Department of the Navy (DON) wants to bridge traditional gaps between IT and security while ensuring fast, safe delivery of capabilities to the fleet. The DON delivers most of its IT capabilities today under an antiquated waterfall methodology. Commercial software that is purchased is usually customized, which makes it difficult and costly to maintain. For custom software, it often takes years to define requirements, and even longer to deliver capability that most likely does not meet user expectations. There are pockets in DoD and DON creating software development factories, pipelines, and processes to adopt Agile and DevSecOps methods. The DoD and DON at-large have not fully embraced the culture and techniques to take advantage of automation under these frameworks. The existing hybrid multi-cloud Security and Operations activities do not use the same tools and techniques as in Development and Deployment aligned with the DevSecOps concepts. The constraints preventing DON DevSecOps adoption are: (1) Culture, guidance, processes, and services do not support distributed, tiered, federated, multi-tenancy operations, or Agile and DevSecOps principles or methods; (2) Existing pipelines and efforts are focused on custom code1, but the strategy is to consume commercial products first (SaaS, PaaS, COTS); (3) An incremental approach to achieve DevSecOps maturity does not exist; (4) Inheritance and reciprocity are not having the desired impact because risk is contextual and dependent on the target environment. Rent before buy, buy before build: only develop custom capabilities unique to the DON mission Deliver and consume DevSecOps capabilities as self-service provisioned Digital Enterprise

Services Create pipelines and continuous A&A for each capability development and delivery model Consolidate factories, tool networks, and enable differentiation and local control of pipelines Align with DOD Enterprise DevSecOps Reference Design2 for containerized and GOTS use cases Enable Fleet Cyber

Command visibility and control of continuous delivery and target environments by using the same tools for development and operations

Institute cultural change to enable Agile development, not Agile BS3

Create cross-factory interoperability and promote re-usability

Integrate feedback loops and enable self-service access to production data and baselines in Dev

Automate all aspects including functional testing

Treat all items as Infrastructure as Code

1 Compile-to-Combat in 24 Hours Implementation Standard V1. 2 DOD Enterprise DevSecOps Reference Design V1.0; August 12, 2019 3 DIB Guide: Detecting Agile BS; Oct 9, 2018

Curr

ent S

tate

Pr

oble

m

Stat

emen

t D

evSe

cOps

Des

ign

Requ

irem

ents

Re

fere

nces

Figure 1: Navy Agile & DevSecOps

PRODUCTION ENVIRONMENT

PRODUCTION ENVIRONMENT

Production Operations

ToolsProd

FLEET CYBER COMMAND

PRODUCTION ENVIRONMENT

Arc

hite

ctur

e an

d Se

rvic

esPr

oces

ses

& M

etho

ds

Artifact Repository

Legend

Commercial Hardware,Software

Cloud Service(SaaS, PaaS, IaaS)

Software, Managed Service Offering

Products

OTHER GOVT FACTORIES

GOTS Pipeline

Low Code-No Code Pipeline

Workplace Automation Pipeline

Agile Methodology

Infrastructure as Code Pipeline

GOTS PipelineLow Code-No Code Pipeline

v-.. Jscriptum.cz/soubory/scriptum/zapad/zapad_1984_6_ocr.pdf · kých vězňů o;n to byl kd, o se po so-větském přepad postaviu dlo čela spi-sovatelského svaz au vytrva nl

v-.. Jscriptum.cz/soubory/scriptum/zapad/zapad_1984_6_ocr.pdf · kých vězňů o;n to byl kd, o se po so-větském přepad postaviu dlo čela spi-sovatelského svaz au vytrva nl

KD-A645 / KD-R640 / KD-R540 / KD-R440 - Datatailmedia.datatail.com/docs/manual/147067_en.pdf · 3 KD-A645 KD-R640 KD-R540 KD-R440 KD-R440 BASICS To Do this (on the faceplate) Do this

KD-A645 / KD-R640 / KD-R540 / KD-R440 - Datatailmedia.datatail.com/docs/manual/147067_en.pdf · 3 KD-A645 KD-R640 KD-R540 KD-R440 KD-R440 BASICS To Do this (on the faceplate) Do this

ï ñ î ì > l ] v ^ X ^ X í ì î ' v U > ' >

ï ñ î ì > l ] v ^ X ^ X í ì î ' v U > ' >

CD RECEIVER KD-G120R/KD-G120 RECEPTOR CON …ENGLISH ESPAÑOL FRANÇAIS CD RECEIVER KD-G120R/KD-G120 RECEPTOR CON CD KD-G120R/KD-G120 RECEPTEUR CD KD-G120R/KD-G120 For canceling the

CD RECEIVER KD-G120R/KD-G120 RECEPTOR CON …ENGLISH ESPAÑOL FRANÇAIS CD RECEIVER KD-G120R/KD-G120 RECEPTOR CON CD KD-G120R/KD-G120 RECEPTEUR CD KD-G120R/KD-G120 For canceling the

KD-A645 / KD-R640 / KD-R540 / KD-R440 - Car Audio ...santafeautosound.com/uploads/product-manuals/JVC KD-R540.pdfKD-A645 / KD-R640 / KD-R540 / KD-R440 GET0829-001A [J/JW] ENGLISH ESPAÑOL

KD-A645 / KD-R640 / KD-R540 / KD-R440 - Car Audio ...santafeautosound.com/uploads/product-manuals/JVC KD-R540.pdfKD-A645 / KD-R640 / KD-R540 / KD-R440 GET0829-001A [J/JW] ENGLISH ESPAÑOL

&HQWHUHG 3LQZKHHO · 2020. 10. 14. · & } W } v o h K v o Ç î ì î ì ^ Z Ç ^ Z ] Z X o o Z ] P Z Z À X Á Á Á XW } Á ÇY µ ] o v P X } u µ ] . o KD K } î ì î ì r v

&HQWHUHG 3LQZKHHO · 2020. 10. 14. · & } W } v o h K v o Ç î ì î ì ^ Z Ç ^ Z ] Z X o o Z ] P Z Z À X Á Á Á XW } Á ÇY µ ] o v P X } u µ ] . o KD K } î ì î ì r v

2016-2017 - Moneycontrol.com · 2016-2017. E Eh> Z WKZd îìíò rîìíó '' E WK>z Kd/E / >/D/d W ] µo WP E }X ... ( Z v vµo' v o D ]vPo}vPÁ] Z Z v v ^o] UW }ÆÇ&} uv W} o o

2016-2017 - Moneycontrol.com · 2016-2017. E Eh> Z WKZd îìíò rîìíó '' E WK>z Kd/E / >/D/d W ] µo WP E }X ... ( Z v vµo' v o D ]vPo}vPÁ] Z Z v v ^o] UW }ÆÇ&} uv W} o o

Kd Z } o ] v s ] µ o ^ v ] v P v Z ( o ( } / v ] À ] µ ... · K µ o o ] P v u v s ] µ o & ] Æ ] } v ... Microsoft PowerPoint - OT Role in Visual Screening Author: Claudette

Kd Z } o ] v s ] µ o ^ v ] v P v Z ( o ( } / v ] À ] µ ... · K µ o o ] P v u v s ] µ o & ] Æ ] } v ... Microsoft PowerPoint - OT Role in Visual Screening Author: Claudette

KD-ADV49J,KD-AVX44J,KD-AVX44C KD-AVX44E, KD ... KD-ADV49J...KD-AVX22E,KD-AVX22EU,KD-AVX22EE COPYRIGHT 2008 Victor Company of Japan, Limited. Lead free solder used in the board (material

KD-ADV49J,KD-AVX44J,KD-AVX44C KD-AVX44E, KD ... KD-ADV49J...KD-AVX22E,KD-AVX22EU,KD-AVX22EE COPYRIGHT 2008 Victor Company of Japan, Limited. Lead free solder used in the board (material

Microsoft Azureflipbooks.azurewebsites.net/flipbooks/c4kuwait... · SAMSUNG LED 40"- UA40EH5000 + instant Discount KD. 20 + Carrefour upon worth KD. - (KD. 109.900+21 p..UJ9.O Disco

Microsoft Azureflipbooks.azurewebsites.net/flipbooks/c4kuwait... · SAMSUNG LED 40"- UA40EH5000 + instant Discount KD. 20 + Carrefour upon worth KD. - (KD. 109.900+21 p..UJ9.O Disco

0(+.*&+, -%1/#)+(+'$+*nyp.nypost.com/classifieds/20160216/classifieds.pdf · t mc th kd gkdp 6c : pcd ; =;ca:d;kh k; ... log kd?o ;:?dm i: =; roqt:=o 6c : lt 9o pkn no ?o d; 9t h:o=

0(+.*&+, -%1/#)+(+'$+*nyp.nypost.com/classifieds/20160216/classifieds.pdf · t mc th kd gkdp 6c : pcd ; =;ca:d;kh k; ... log kd?o ;:?dm i: =; roqt:=o 6c : lt 9o pkn no ?o d; 9t h:o=

PPP Lender Activity Lookup - Brown County, Wisconsin · Updated as of April 23, 2020 ^ À ] v l < W o ] v ] o v l < u ] v l < KD v l < d µ E } Z & h < & ] / v v l < } v } v v l

PPP Lender Activity Lookup - Brown County, Wisconsin · Updated as of April 23, 2020 ^ À ] v l < W o ] v ] o v l < u ] v l < KD v l < d µ E } Z & h < & ] / v v l < } v } v v l

VebraAlto.com - Agency Cloud · íítÇ }u o} ÀÇZµou Dv Z Dðíót K(( }À ¬íôñUììì DKs /E KE /d/KEJ,KD ^dd ' Ed^ o]PZ }}(( (} o Z] Á oo v (µooÇ } Z

VebraAlto.com - Agency Cloud · íítÇ }u o} ÀÇZµou Dv Z Dðíót K(( }À ¬íôñUììì DKs /E KE /d/KEJ,KD ^dd ' Ed^ o]PZ }}(( (} o Z] Á oo v (µooÇ } Z

^O T? QL 8T ??TD ;= :D 9O KH FZ O =; KHHNO OH LK = A? O= OD QO 3 KD=KML ; KD;C …bloximages.newyork1.vip.townnews.com/santafenewmexican... · 2013. 3. 29. · r6 dkq c _c o=h o?]l

^O T? QL 8T ??TD ;= :D 9O KH FZ O =; KHHNO OH LK = A? O= OD QO 3 KD=KML ; KD;C …bloximages.newyork1.vip.townnews.com/santafenewmexican... · 2013. 3. 29. · r6 dkq c _c o=h o?]l

KD-R975BTS / KD-R970BTS / KD-R97MBS / KD-R875BTS / KD ... · *1 For KD-R975BTS / KD-R970BTS KD-R97MBS / KD-R875BTS: Selectable only when SiriusXM Vehicle Tuner is connected. * 2 Selectable

KD-R975BTS / KD-R970BTS / KD-R97MBS / KD-R875BTS / KD ... · *1 For KD-R975BTS / KD-R970BTS KD-R97MBS / KD-R875BTS: Selectable only when SiriusXM Vehicle Tuner is connected. * 2 Selectable

StoTherm KD C B 5 ? ; 5 = = O - sto-fasad.comsto-fasad.com/wp-content/uploads/2016/07/8157-stothermkd.pdfStoTherm KD StoTherm KD A ? @ 8 < V I 5 = = O < 8, 0 A B > A C 2 0

StoTherm KD C B 5 ? ; 5 = = O - sto-fasad.comsto-fasad.com/wp-content/uploads/2016/07/8157-stothermkd.pdfStoTherm KD StoTherm KD A ? @ 8 < V I 5 = = O < 8, 0 A B > A C 2 0

KD-BBTX / KD-BBRX - Welcome to Digital Connection fileKD-BBTX / KD-BBRX O perating Instructions. Page 2 Quick Set Up Guide Step 1: Begin with the KD-BBTX and all input/output devices

KD-BBTX / KD-BBRX - Welcome to Digital Connection fileKD-BBTX / KD-BBRX O perating Instructions. Page 2 Quick Set Up Guide Step 1: Begin with the KD-BBTX and all input/output devices

KD-R995BTS / KD-R990BTS / KD-R895BTS / KD-R792BT / KD ... · KD-R995BTS / KD-R990BTS / KD-R895BTS / KD-R792BT / KD-R790BT / KD-RD99BTS / KD-RD79BT / KD-R99MBS CD RECEIVER INSTRUCTION

KD-R995BTS / KD-R990BTS / KD-R895BTS / KD-R792BT / KD ... · KD-R995BTS / KD-R990BTS / KD-R895BTS / KD-R792BT / KD-R790BT / KD-RD99BTS / KD-RD79BT / KD-R99MBS CD RECEIVER INSTRUCTION

تاقاب ةزيمملا فيصلا - Kuwait Airways · Millennium Hotel Doha BB KD 74 KD 103 KD 135 KD 167 BBMövenpick West Bay KD 81 112 144 176 Doha Marriott Hotel BB KD 95 KD

تاقاب ةزيمملا فيصلا - Kuwait Airways · Millennium Hotel Doha BB KD 74 KD 103 KD 135 KD 167 BBMövenpick West Bay KD 81 112 144 176 Doha Marriott Hotel BB KD 95 KD

Z } v ] v P Z } } o t h v v ] v P > ] ] o ] ] U Z } v ] ] o ] ] v W ] o ] ] · 2020-06-15 · • o ] v ] o o Ç Æ u o Ç À µ o v o • o ] v ] o o Ç À µ o v o •> ] À ] v

Z } v ] v P Z } } o t h v v ] v P > ] ] o ] ] U Z } v ] ] o ] ] v W ] o ] ] · 2020-06-15 · • o ] v ] o o Ç Æ u o Ç À µ o v o • o ] v ] o o Ç À µ o v o •> ] À ] v