UNCLASSIFIED
DoD Enterprise DevSecOps Reference Design
Version 1.0
12 August 2019
Department of Defense (DoD)
Chief Information Officer
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
CLEARED
For Open Publication
Department of Defense
OFFICE OF PREPUBLICATION AND SECURITY REVIEW
Sep 12, 2019
Document Approvals
Prepared By:
Thomas Lam
Acting Director of Architecture and Engineering
Department of Defense, Office of the Chief Information Officer (DoD CIO)

Nicolas Chaillan
Special Advisor for Cloud Security and DevSecOps
Department of Defense, Office of the Undersecretary of Acquisition and Sustainment (A&S)
(currently: Chief Software Officer, Department of Defense, United States Air Force, SAF/AQ)

Approved By:
Peter Ranks
Deputy Chief Information Officer for Information Enterprise (DCIO IE)
Department of Defense, Office of the Chief Information Officer (DoD CIO)

Digitally signed by LAM.NGOAN.THOMAS.1229438960, Date: 2019.09.05 11:52:32 -04'00'
Digitally signed by CHAILLAN.NICOLAS.MAXIME.1535056524, Date: 2019.09.05 12:01:37 -04'00'
Digitally signed by RANKS.PETER.THOMAS.1284616665, Date: 2019.09.05 21:41:37 -04'00'
Trademark Information
Names, products, and services referenced within this document may be the trade names,
trademarks, or service marks of their respective owners. References to commercial vendors and
their products or services are provided strictly as a convenience to our readers, and do not
constitute or imply endorsement by the Department of any non-Federal entity, event, product,
service, or enterprise.
Executive Summary
Legacy software acquisition and development practices in the DoD do not provide the agility to
deploy new software “at the speed of operations”. In addition, security is often an afterthought,
not built in from the beginning of the lifecycle of the application and underlying infrastructure.
DevSecOps is the industry best practice for rapid, secure software development.
DevSecOps is an organizational software engineering culture and practice that aims at unifying
software development (Dev), security (Sec) and operations (Ops). The main characteristic of
DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle:
plan, develop, build, test, release, deliver, deploy, operate, and monitor. In DevSecOps, testing
and security are shifted to the left through automated unit, functional, integration, and security
testing - this is a key DevSecOps differentiator since security and functional capabilities are
tested and built simultaneously.
The benefits of adopting DevSecOps include:
• Reduced mean-time to production: the average time it takes from when new software
features are required until they are running in production;
• Increased deployment frequency: how often a new release can be deployed into the
production environment;
• Fully automated risk characterization, monitoring, and mitigation across the application
lifecycle;
• Software updates and patching “at the speed of operations”.
This DoD Enterprise DevSecOps Reference Design describes the DevSecOps lifecycle,
supporting pillars, and DevSecOps ecosystem; lists the tools and activities for DevSecOps
software factory and ecosystem; introduces the DoD enterprise DevSecOps container service that
provides hardened DevSecOps tools and deployment templates to the program application
DevSecOps teams to select; and showcases a sampling of software factory reference designs and
application security operations. This DoD Enterprise DevSecOps Reference Design provides
implementation and operational guidance to Information Technology (IT) capability providers,
IT capability consumers, application teams, and Authorizing Officials.
Table of Contents
1 Introduction
1.1 Background
1.2 Purpose
1.3 Scope
1.4 Document Overview
2 Assumptions and Principles
2.1 Assumptions
2.2 Principles
3 DevSecOps Concepts
3.1 Key Terms
3.1.1 Conceptual Model
3.2 DevSecOps Lifecycle
3.3 DevSecOps Pillars
3.3.1 Organization
3.3.2 Process
3.3.3 Technology
3.3.4 Governance
3.3.4.1 Management Structure
3.3.4.2 Authorizing Official
3.4 DevSecOps Ecosystem
3.4.1 Planning
3.4.2 Software Factory
3.4.3 Operations
3.4.4 External Systems
4 DevSecOps Tools and Activities
4.1 Planning Tools and Activities
4.2 Software Factory Tools and Activities