FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative - Nicolas Chaillan, Chief Software Officer, U.S. Air Force
Slide 1: DoD Enterprise DevSecOps Initiative (Software Factory)

Integrity - Service - Excellence
Headquarters U.S. Air Force
Mr. Nicolas Chaillan, Chief Software Officer, U.S. Air Force; Co-Lead, DoD Enterprise DevSecOps Initiative
v1.1 – Unclassified
Slide 2: Problem Statement

- What is DevSecOps?
  - The software automated tools, services, and standards that enable programs to develop, secure, deploy, and operate applications in a secure, flexible and interoperable fashion.
- Why should I care?
  - Software and cybersecurity pervade all aspects of DoD's mission (from business systems to weapons systems to Artificial Intelligence to cybersecurity to space). Establishing DevSecOps capabilities will:
    - Deliver applications rapidly and in a secure manner, increasing the warfighter's competitive advantage
    - Bake in and enforce cybersecurity functions and policy from inception through operations
    - Enhance enterprise visibility of development activities and reduce accreditation timelines
    - Ensure seamless application portability across enterprise, Cloud and disconnected, intermittent and classified environments
    - Drive DoD transformation to Agile and Lean Software Development and Delivery
  - Leveraging industry acquisition best practices combined with a centralized contract vehicle for DevSecOps tools and services will enable rapid prototyping, real-time deployments and scalability.
  - We cannot be left behind: China, Russia and North Korea are already massively implementing DevOps.
Slide 3: From Waterfall to DevSecOps

(Diagram slide; no text was extracted.)
Slide 4: What is the DoD Enterprise DevSecOps Initiative?

- Joint Program with OUSD(A&S), DoD CIO, U.S. Air Force, DISA and the Military Services.
- Technology:
  - Selecting, certifying, and packaging best-of-breed development tools and services (over 100 options)
  - Creating the Sidecar Container Security Stack (SCSS) for baked-in zero trust security
  - Creating a centralized artifacts repository of hardened and centrally authorized containers
  - Designing a scalable Microservices Architecture with Service Mesh/API Gateway and baked-in security
  - Providing on-boarding and support for adoption of Agile and DevSecOps
  - Developing best practices, training, and support for pathfinding and related activities
  - Standardizing metrics and defining acceptable thresholds for continuous ATO
  - Working with DAU to bring a state-of-the-art DevSecOps curriculum
  - Creating new contracting language to enable and incentivize the use of Agile and DevSecOps
Slide 5: Value for DoD Programs (1)

- Enables any DoD Program across the DoD Services to deploy a DoD-hardened Software Factory on their existing or new environments (including classified, disconnected and Clouds) within days instead of a year. Tremendous cost and time savings.
- Multiple DevSecOps pipeline exemplars are available with various options to avoid vendor lock-in and enable true DoD scale, as there is no one-size-fits-all for CI/CD.
- Enables rapid prototyping (in days, not months or years) for any Business, C4ISR and Weapons system. Deployment in PRODUCTION!
- Enables learning and continuous feedback from actual end-users (warfighters).
Slide 6: Value for DoD Programs (2)

- Enables bug and security fixes in minutes instead of weeks/months.
- Enables automated testing and security.
- Enables a continuous Authorization to Operate (ATO) process for rapid deployment and scalability. Authorize ONCE, use MANY times!
- Brings a holistic and baked-in cybersecurity stack, gaining complete visibility of all assets, software security state and infrastructure as code.
- Microservices Architecture to facilitate the adoption of microservices.
- Deployed on any environment, including DoD-approved Cloud and JEDI (when available).
Slide 7: DoD Enterprise DevSecOps Technology

- Create and maintain DevSecOps pipelines (and not just DevOps) to avoid each DoD Service building its own stack and reinventing the wheel.
- Create hardened container images in a dedicated artifacts repository with security built in and compliance with FedRAMP/NIST (similar to the gold images concept).
- Create a Microservices Architecture with Service Mesh (ISTIO).
- Standardize metrics and define acceptable thresholds for test coverage, security, documentation etc. to enable complete continuous deployment with pre-ATO embedded.
- Leverage Kubernetes for orchestration to ensure automation, rolling updates, scale, security and visibility thanks to the sidecar security container concept.
Slide 8: Cloud One: new Air Force Cloud Offering

- Former Common Computing Environment (CCE), PEO C3I&N
- Cloud One provides:
  - Access to AWS GovCloud and Azure Government on:
    - Impact Level (IL) 2, 4 and 5, today
    - IL 6 and Secret SAP (C2S) within December 2019
  - Cybersecurity Services (CSSP) baked in
  - Cloud Access Point (CAP) and/or Global Content Delivery Service (GCDS) baked in
  - Single Sign On
  - Zero Trust model
  - Pay-per-use scalable model (pay for your compute, storage and shared services), as easy as MIPRing money.
- Enables instantiation of a DevSecOps environment in your dedicated VPCs (Development VPC with internet access (including at IL5) and Production VPC) in days with Continuous ATO and full DoD-wide reciprocity.
- Building new multi-award contract vehicles to buy licenses, services (including consultants, FTEs etc.) and Cloud services in bulk (by December 2019).
Slide 9: LevelUP: new centralized Air Force Software Factory Team

- Merged top talent from across the U.S. Air Force from various Factories (Kessel Run, Kobayashi Maru, SpaceCAMP and Unified Platform).
- Manages Software Factories for Development teams so they can focus on building mission applications.
- Decouples Development Teams from Factory teams with DevSecOps and Site Reliability Engineer (SRE) expertise.
- Helps instantiate DevSecOps CI/CD pipelines / Software Factories in days at various classification levels.
- Leverages the DoD hardened containers while avoiding one-size-fits-all architectures.
- Fully compliant with the DoD Enterprise DevSecOps Initiative (DSOP) with DoD-wide reciprocity.
- Centralizing the Container Hardening of 172 enterprise containers (databases, development tools, CI/CD tools, cybersecurity tools etc.).
- Launching Software Enterprise Services (within 90 days for the first chat tools) with Collaboration tools, Cybersecurity tools, Source code repositories, Artifact repositories, Development tools, DevSecOps as a Service, Chats etc. These services will be MANAGED services on Cloud One by our SRE team so development teams can simply USE those tools and pay per use at scale with bulk licenses.
Slide 10: DoD Enterprise DevSecOps Architecture

(Diagram slide; no text was extracted.)
Slide 11: DoD Enterprise DevSecOps Technology Stack (Exemplar)

(Diagram; recovered labels only.) Phases: PLAN & DEVELOP, BUILD, TEST, SECURE, STORE ARTIFACTS, DEPLOY & OPERATE, SCALE, MONITOR. Layers: "Continuous Integration & Continuous Delivery", Orchestration, Container and Container Management.
Slide 12: DoD Enterprise DevSecOps Architecture*

(Architecture diagram; recovered labels only.)
- Infrastructure***: Bare-metal, GovCloud, AWS Secret, Azure Secret, milCloud, C2S, Jedi…
- DoD Enterprise DevSecOps Platform**: Kubernetes (optional abstraction layer with Red Hat OpenShift or Pivotal Container Service), Microservices Architecture (ISTIO), Security Side Car Container**, Artifacts Repository**, DevSecOps CI/CD pipeline**, Logs/Telemetry**** (Elasticsearch, Fluentd)
- Centralized DoD Enterprise DevSecOps Artifacts Repository: continuously hardens Docker public images and assesses open source libraries; the diagram's "pulls" arrows link it, the program source code repository and the platform
- Program source code repository: applications / microservices built by DoD Programs
- Logs/Telemetry****: Fluentd pushes in real time to DoD OCIO/DISA Centralized Logs/Telemetry and to per-DoD-Service Logs/Telemetry for Service-wide visibility

* Each DoD Program can have its own instantiation of the DoD Enterprise DevSecOps Platform on any Cloud.
** Can be installed with a single command and deployed on any Cloud.
*** Could be deployed inside an enclave or on-premises.
**** Gives complete visibility of assets, security/vulnerability state etc.; can be integrated with existing cybersecurity shared services.
Slide 13: Microservices Architecture (ISTIO)

- Design a Service Mesh (ISTIO) architecture
- ISTIO sidecar proxy, baked-in security, with visibility across containers, by default, without any developer interaction or code change
- Benefits:
  - API Management, service discovery, authentication…
  - Dynamic request routing for A/B testing, gradual rollouts, canary releases, resilience, observability, retries, circuit breakers and fault injection
  - Layer 7 load balancing
  - Zero Trust model: East/West traffic whitelisting, ACL, RBAC…
  - TLS encryption by default, key management, signing…
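As an added illustration (not from the deck or the DSOP project) of what "Zero Trust East/West whitelisting, RBAC and TLS by default" look like as Istio objects: mTLS is made mandatory for a namespace, all traffic is denied by default, and one caller is then explicitly allow-listed. The namespace, workload label and service account name are assumptions.

```yaml
# Added example (not from the deck): Istio policy objects that apply the slide's zero-trust
# defaults to one namespace: mTLS required for all east/west traffic, deny by default,
# then an explicit allow-list. Namespace, labels and service account are assumptions.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: mission-app            # assumed namespace
spec:
  mtls:
    mode: STRICT                    # sidecar rejects plaintext; only mesh mTLS is accepted
---
# A policy with an empty spec matches no request, so every request to workloads in
# the namespace is denied unless another ALLOW policy matches it (deny by default).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: mission-app
spec: {}
---
# East/West allow-list: only the api-gateway workload, identified by the SPIFFE
# principal in its mTLS peer certificate, may reach the orders workload, and only
# with GET or POST on /orders paths. Everything else stays denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-gateway
  namespace: mission-app
spec:
  selector:
    matchLabels:
      app: orders                   # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/mission-app/sa/api-gateway"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

Because the identity comes from the sidecar's certificate rather than from application code, the allow-list holds without any developer change to the workload, which is the point the slide makes.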
Slide 14: DevSecOps Platform Stack (continuously evolving)

(Diagram slide; no text was extracted.)
Slide 15: DevSecOps Product Stack (1)

- Source Repository: GitHub, Government GitLab
- Container Management technologies: Kubernetes, OpenShift, PKS, Helm, OKD
- API Gateways: Kong, Azure API, AWS API, Axway, 3Scale, Apigee, ISTIO (service mesh)
- Artifacts: Artifactory, Nexus, Maven, Archiva, S3 bucket
- Programming Languages: C/C++, C#/.NET, .NET Core, Java, PHP, Python, Groovy, Ruby, R, Rust, Scala, Perl, Go, Node.js, Swift
- Databases: SQL Server, MySQL, PostgreSQL, MongoDB, SQLite, Redis, Elasticsearch, Oracle, etcd, Hadoop/HDInsight, Cloudera, Oracle Big Data, Solr, Neo4j, Memcached, Cassandra, MariaDB, CouchDB, InfluxDB (time)
Slide 16: DevSecOps Product Stack (2)

- Message bus/Streams: Kafka, Flink, NATS, RabbitMQ, ActiveMQ
- Proxy: OAuth2 Proxy, nginx, ldap auth proxy, OpenLDAP, HAProxy
- Visualization: Tableau, Kibana
- Logs: Logstash, Splunk Forwarder, Fluentd, Syslogd, Filebeat, rsyslog
- Webservers: Apache2, Nginx, IIS, Lighttpd, Tomcat
- Docker base images (OS): Alpine, Busybox, Ubuntu, CentOS, Debian, Fedora, Universal Base Image
- Serverless: Knative
Slide 17: DevSecOps Product Stack (3)

- Build: MSBuild, CMake, Maven, Gradle, Apache Ant
- Test suites: Cucumber, JUnit, Selenium, TestingWhiz, Watir, Sahi, Zephyr, Vagrant, AppVerify, nosetests, SoapUI, LeanFT
- Test coverage: JaCoCo, Emma, Cobertura, codecov
- CI/CD Orchestration: Jenkins (open source), CloudBees Jenkins, GitLab, Jenkins plugins (dozens; need to verify security)
- Configuration Management / Delivery: Puppet, Chef, Ansible, SaltStack
- Security: Tenable / Nessus Agents, Fortify, Twistlock, Aqua, SonarQube, Qualys, StackRox, Aporeto, Snort, OWASP ZAP, Contrast Security, OpenVAS, Metasploit, ThreadFix, pylint, JFrog Xray, OpenSCAP (can check against DISA STIG), OpenControl for compliance documentation
- Security (2): Snyk, Code Climate, AJAX Spider, Tanaguru (508 compliance), InSpec, OWASP Dependency-Check, Burp, HBSS, Anchore, Checkmarx, SD Elements, Clair, Docker Bench Security, Notary, Sysdig, Layered Insight, BlackDuck, Nexus IQ/Lifecycle/Firewall
Slide 18: DevSecOps Product Stack (4)

- Monitoring: Sensu, EFK (Elasticsearch, Fluentd, Kibana), Splunk, Nagios, New Relic, Sentry, Prometheus, Grafana, Kiali
- Collaboration: Rocket.Chat, Mattermost, PagerDuty
- Plan: Jira, Confluence, Rally, Redmine, Pivotal Tracker
- Secrets: Kubernetes Secrets, Vault, Credentials (Jenkins), CryptoMove
- SSO: Keycloak
- Documentation: Javadoc, RDoc, Sphinx, Doxygen, Cucumber, phpDocumentor, Pydoc
- Performance: Apache AB, JMeter, LoadRunner
Slide 19: Legacy to DevSecOps => Strangler Pattern

- Martin Fowler describes the Strangler Application:
  "One of the natural wonders of this area are the huge strangler vines. They seed in the upper branches of a fig tree and gradually work their way down the tree until they root in the soil. Over many years they grow into fantastic and beautiful shapes, meanwhile strangling and killing the tree that was their host."
- To get there, the following steps were followed:
  - First, add a proxy, which sits between the legacy application and the user. Initially, this proxy doesn't do anything but pass all traffic, unmodified, to the application.
  - Then, add a new service (with its own database(s) and other supporting infrastructure) and link it to the proxy. Implement the first new page in this service. Then allow the proxy to serve traffic to that page (see below).
  - Add more pages, more functionality and potentially more services. Open up the proxy to the new pages and services. Repeat until all required functionality is handled by the new stack.
  - The monolith no longer serves traffic and can be switched off.
- Learn more: https://www.ibm.com/developerworks/cloud/library/cl-strangler-application-pattern-microservices-apps-trs/index.html and https://www.michielrook.nl/2016/11/strangler-pattern-practice/
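The proxy steps above, expressed as an added example (not the deck's or the project's own configuration) using the "dynamic request routing" the ISTIO slide lists: an Istio VirtualService sends the first migrated page to the new service, optionally as a weighted canary, and passes every other path through to the monolith unchanged. Hostname, gateway and service names are assumptions.

```yaml
# Added example (not from the deck): the strangler proxy as Istio routing.
# Host, gateway, namespace and service names are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: legacy-strangler
  namespace: mission-app
spec:
  hosts:
  - app.example.com                # assumed public hostname
  gateways:
  - mission-app-gateway            # assumed Istio Gateway already bound to that host
  http:
  # Step 2: the first page is implemented in the new service. Start as a canary
  # (10% of /catalog requests) and raise the weight to 100 as confidence grows.
  - match:
    - uri:
        prefix: /catalog
    route:
    - destination:
        host: catalog.mission-app.svc.cluster.local
        port:
          number: 8080
      weight: 10
    - destination:
        host: legacy-monolith.mission-app.svc.cluster.local
        port:
          number: 80
      weight: 90
  # Step 1: every other path still passes through to the legacy application.
  # Step 3 repeats the block above per migrated page; step 4 deletes this route
  # once the monolith serves no traffic and can be switched off.
  - route:
    - destination:
        host: legacy-monolith.mission-app.svc.cluster.local
        port:
          number: 80
```

Istio matches `http` routes in order, so the prefix match must stay above the catch-all route.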
Slide 20: Self-Learning (1)

- Recommended Videos (Part 1)
  - Watch our playlists, available at different expertise levels and continuously augmented!
  - Kafka / KSQL (message bus, pub/sub, event driven):
    - Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlzz0zt03Ludtid7icrXBesg
    - Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxxXX0oCzt7laO6mD61UIQw
    - Advanced: N/A
  - Kubernetes
    - Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlydFzQzkYYDdQK7k5cEKubQ
    - Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlx8dSFH_jFLK40Tt7KUXTN_
    - Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlytdAJiVqbHucWOvn5LrTNW
Slide 21: Self-Learning (2)

- Recommended Videos (Part 2)
  - Watch our playlists, available at different expertise levels and continuously augmented!
  - Service Mesh
    - Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxtC4rDIMQ8QiG5UBCjz7VH
    - Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlwWK_Y_Cas8Nyw-DsdbH6vl
    - Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlx8VW2MFONMRwS_-2rSJwdn
  - Microservices
    - Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlz_U2_RaONTGYLkz0lh-A_L
    - Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxqjuAXxoRMjvspaEE8L2cB
    - Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlw4CF4F4t3gVV3j0512CMsu
Slide 22: Self-Learning (3)

- Recommended Books
  - A Seat at the Table – by Mark Schwartz (former CIO of USCIS, leader in Agile). This book is highly recommended for ALL leadership as it is not technical but focused on the challenges around business, procurement and how leadership can enable DevOps across the organization and remove impediments.
  - The Phoenix Project – by the founders of DevOps
  - The DevOps Handbook – by Gene Kim, Patrick Debois. For those who drive to work like me (for hours), please note that these books are available as Audiobooks.
Slide 23: Thank You!

Nicolas Chaillan
Chief Software Officer, U.S. Air Force
usaf.cso@mail.mil