UNCLASSIFIED

CLEARED For Open Publication
Sep 12, 2019
Department of Defense
OFFICE OF PREPUBLICATION AND SECURITY REVIEW

DoD Enterprise DevSecOps Reference Design

Version 1.0
12 August 2019

Department of Defense (DoD) Chief Information Officer

DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.

Document Approvals

Prepared By:

Digitally signed by LAM.NGOAN.THOMAS.1229438960, Date: 2019.09.05 11:52:32 -04'00'
Thomas Lam
Acting Director of Architecture and Engineering
Department of Defense, Office of the Chief Information Officer (DoD CIO)

Digitally signed by CHAILLAN.NICOLAS.MAXIME.1535056524, Date: 2019.09.05 12:01:37 -04'00'
Nicolas Chaillan
Special Advisor for Cloud Security and DevSecOps
Department of Defense, Office the Undersecretary of Acquisition and Sustainment (A&S)
(currently: Chief Software Officer, Department of Defense, United States Air Force, SAF/AQ)

Approved By:

Digitally signed by RANKS.PETER.THOMAS.1284616665, Date: 2019.09.05 21:41:37 -04'00'
Peter Ranks
Deputy Chief Information Officer for Information Enterprise (DCIO IE)
Department of Defense, Office of the Chief Information Officer (DoD CIO)

Trademark Information

Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our readers, and do not constitute or imply endorsement by the Department of any non-Federal entity, event, product, service, or enterprise.

Executive Summary

Legacy software acquisition and development practices in the DoD do not provide the agility to deploy new software “at the speed of operations”. In addition, security is often an afterthought, not built in from the beginning of the lifecycle of the application and underlying infrastructure. DevSecOps is the industry best practice for rapid, secure software development.

DevSecOps is an organizational software engineering culture and practice that aims at unifying software development (Dev), security (Sec) and operations (Ops). The main characteristic of DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle: plan, develop, build, test, release, deliver, deploy, operate, and monitor. In DevSecOps, testing and security are shifted to the left through automated unit, functional, integration, and security testing - this is a key DevSecOps differentiator since security and functional capabilities are tested and built simultaneously.

The benefits of adopting DevSecOps include:

• Reduced mean-time to production: the average time it takes from when new software features are required until they are running in production;
• Increased deployment frequency: how often a new release can be deployed into the production environment;
• Fully automated risk characterization, monitoring, and mitigation across the application lifecycle;
• Software updates and patching at "the speed of operations".

This DoD Enterprise DevSecOps Reference Design describes the DevSecOps lifecycle, supporting pillars, and DevSecOps ecosystem; lists the tools and activities for DevSecOps software factory and ecosystem; introduces the DoD enterprise DevSecOps container service that provides hardened DevSecOps tools and deployment templates to the program application DevSecOps teams to select; and showcases a sampling of software factory reference designs and application security operations.

This DoD Enterprise DevSecOps Reference Design provides implementation and operational guidance to Information Technology (IT) capability providers, IT capability consumers, application teams, and Authorizing Officials.

Table of Contents

1 Introduction
1.1 Background
