美国国防部企业 DevSecOps 参考设计中英文正式版

DoD Enterprise DevSecOps Reference Design c . 5 b u 国防部企业 DevSecOps h t i g 参考设计 Version 1.0 12 August 2019 Department of Defense (DoD) Chief Information Officer DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited 主编：唐龙译者：唐龙（1-2 章，4.1-4.2）、张晨晖（前言，附录，全文校对）、周景川（4.3-7 章）、赵庆安（3 章）排名不分先后 m o Trademark Information 商标信息 UNCLASSIFIED Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our readers, and do not constitute or imply endorsement by the Department of any non-Federal entity, event, product, service, or enterprise. 本文档中引用的名称，产品和服务可能是其各自所有者的商标名称，商标或服务标记。对商业供应商及其产品或服务的引用，仅限于方便读者阅读，并不构成或暗示美国商务部对任何非联邦实体，事件，产品，服务或企业的认可。 m o b u c . 5 h t i g 84 UNCLASSIFIED Executive Summary 文档摘要 Legacy software acquisition and development practices in the DoD do not provide the agility to deploy new software “at the speed of operations’’. In addition, security is often an afterthought， not built in from the beginning of the lifecycle of the application and underlying infrastructure. DevSecOps is the industry best practice for rapid, secure software development. 国防部传统的软件采购和开发实践无法为部署新软件提供“以运营速度”敏捷性。此外，安全通常是后置的，而不是从应用和基础结构生命周期的开始就内置。 DevSecOps 是用于快速，安全的软件开发的行业最佳实践。 DevSecOps is an organizational software engineering culture and practice that aims at unifying software development (Dev), security (Sec) and operations (Ops). The main characteristic of DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle: plan, develop, build, test, release, deliver, deploy, operate, and monitor. In DevSecOps, testing and security are shifted to the left through automated unit, functional, integration, and security testing this is a key DevSecOps differentiator since security and functional capabilities are tested and built simultaneously. DevSecOps 是一种组织化的软件工厂文化和实践，旨在统一软件开发（Dev），安全性（Sec）和运维（Ops）。 DevSecOps 的主要特征是在软件生命周期的所有阶段自动执行，监视和应用安全性，包括规划，开发，构建，测试，发布，交付，部署，操作和监控。在 DevSecOps 中， m o c . 5 通过自动化的单元、功能、集成和安全性测试将测试和安全性进行左移，这是 DevSecOps 的主要区别，因为安全性和功能性是同时进行测试和构建的。 The benefits of adopting DevSecOps include: 采用 DevSecOps 的收益包括： • Reduced mean-time to production: the average time it takes from when new software features are required until they are running in production; 缩短平均投产时间：从软件新功能被确认到投入生产所需的平均时间； • Increased deployment frequency: how often a new release can be deployed into the production environment; 加快部署频率：多长时间一个新的版本可以被部署到生产环境 • Fully automated risk characterization, monitoring, and mitigation across the application lifecycle; 在整个应用程序生命周期中可进行全自动的风险识别，监控和缓解； • Software updates and patching at ’’the speed of operations’’. 更快的执行软件更新和打补丁。 This DoD Enterprise DevSecOps Reference Design describes the DevSecOps lifecycle, supporting pillars, and DevSecOps ecosystem; lists the tools and activities for DevSecOps software factory and ecosystem; introduces the DoD enterprise DevSecOps container service that provides hardened DevSecOps tools and deployment templates to the program application DevSecOps teams to select; and showcases a sampling of software factory reference designs and application security operations. This DoD Enterprise DevSecOps Reference Design provides implementation and operational guidance to Information Technology (IT) capability providers, IT capability consumers, application teams, and Authorizing Officials. 此美国国防部-企业 DevSecOps 参考设计描述了 DevSecOps 的生命周期，支撑支柱和 DevSecOps 生态系统。列出了 DevSecOps 软件工厂和生态系统所需的工具和活动；介绍了美国国防部-企业 DevSecOps 容器服务，该服务向应用程序 DevSecOps 团队提供了加固的 b u h t i g DevSecOps 工具和部署模板，并展示了软件工厂参考设计和应用程序安全运维的样本。此参考设计为信息技术（IT）能力提供商，IT 能力使用者，应用团队和授权官员提供了实施和操作指南。主编：唐龙译者：唐龙（1-2 章，4.1-4.2）、张晨晖（前言，附录，全文校对）、周景川（4.3-7 章）、赵庆安（3 章）排名不分先后目录 1 2 3 Introduction 导论 ........................................................................................................................................................... 7 1.1 Background 背景............................................................................................................................................. 7 1.2 Purpose 目的 .................................................................................................................................................... 8 1.3 Scope 范围 .........................................................................................