Uploaded byscoopnewsgroup
PDF, PPTX4,409 views

DevSecOps: The DoD Software Factory

The document discusses the Department of Defense's Enterprise DevSecOps Initiative. It aims to modernize DoD software development practices by transitioning from waterfall to agile methodologies using DevSecOps. Key aspects of the initiative include adopting containers and microservices, creating a centralized container registry, implementing zero-trust security, providing scalable cloud infrastructure and platform services, and training over 100,000 people in DevSecOps practices. The initiative is a joint program between several DoD organizations to help programs rapidly develop and deploy secure software.

Embed presentation

Download as PDF, PPTX
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Headquarters U.S. Air Force Mr. Nicolas Chaillan Chief Software Officer, U.S. Air Force Co-Lead, DoD Enterprise DevSecOps Initiative v1.5 – UNCLASSFIED DoD Enterprise DevSecOps Initiative (Software Factory)
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Problem Statement n The Department of Defense (DoD) is mostly still using Waterfall software methodologies with software delivery every 3 to 10 years, making it impossible to keep up with the pace of technology. n The DoD Authority to Operate (ATO) process to accredit software takes on average 8 months and is mostly manual with several testing and cybersecurity gates. n Most of the Defense Industrial Base (DIB) (the DoD contractors and developers) has not adopted an Agile and/or DevOps mindset. n Massive organization with large silos and large workforce. n Limited IT enterprise services, Cloud access and high speed connectivity. 3
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 5 Must Rapidly Adapt To Challenges
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 6 Must Adapt To Challenges Work as a Team!
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 7 Must Adapt To Challenges Work as a Team! A Large Team!
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 8 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 9 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies Bring It With Us!
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 10 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies Bring It With Us! To Space!
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 11 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies Bring It With Us! To Space! With a Few Sensors!
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 12 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies Bring It With Us! To Space! With a Few Sensors! With their Help!
I n t e g r i t y - S e r v i c e - E x c e l l e n c e What is the DoD Enterprise DevSecOps Initiative? n Joint Program with OUSD(A&S), DoD CIO, U.S. Air Force, DISA and the Military Services. n Technology: n Avoid vendor lock-in at the Infrastructure and Platform Layer by leveraging FOSS with Kubernetes and OCI containers, n Creating the DoD Centralized Artifacts Repository (DCAR) of hardened and centrally accredited containers: selecting, certifying, and securing best of breed development tools and software capabilities (over 170+ containers) - https://dccscr.dsop.io/dsop/ and https://dcar.dsop.io n Baked-in Zero Trust Security with our Sidecar Container Security Stack (SCSS) leveraging behavior detection, zero trust down to the container/function level. n Leveraging a Scalable Microservices Architecture with Service Mesh/API Gateway and baked-in security (Istio) n Leveraging KNative to avoid lock-in to Cloud provider Serverless stacks n Bringing Enterprise IT Capabilities with Cloud One and Platform One – Cloud and DevSecOps as Managed Services capabilities, on-boarding and support! n Standardizing metrics and define acceptable thresholds for DoD-wide continuous Authority to Operate n Massive Scale Training with Self Learning Capabilities (train over 100K people within a year) and bring state of the art DevSecOps curriculum n Creating new Agile contracting language to enable and incentivize the use of DevSecOps 13
I n t e g r i t y - S e r v i c e - E x c e l l e n c e From Waterfall to DevSecOps 14
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Value for DoD Programs n Enables any DoD Program across DoD Services deploy a DoD hardened Software Factory, on their existing or new environments (including classified, disconnected and Clouds), within days instead of a year. Tremendous cost and time savings. n Multiple DevSecOps pipelines are available with various options (no one-size-fits-all) n Enables rapid prototyping (in days and not months or years) for any Business, C4ISR and Weapons system. Deployment in PRODUCTION! n Enables learning and continuous feedback from actual end-users (warfighters). n Enables bug and security fixes in minutes instead of weeks/months. n Enables automated testing and security. n Enables continuous Authorization to Operate (c-ATO) process. Authorize ONCE, use MANY times! n Brings a holistic and baked-in cybersecurity stack, gaining complete visibility of all assets, software security state and infrastructure as code. 15
I n t e g r i t y - S e r v i c e - E x c e l l e n c e “Cloud One” vs “Platform One by LevelUP” n Cloud One: n Centralized team to provide Cloud Infrastructure with baked-in security to DoD programs. Think of it as the Infrastructure team with baked-in security, CSSP and Authority to Operate (ATO). n Platform One by LevelUP: n Centralized team to provide DevSecOps/Software Factory with baked-in security to DoD Programs. Think of it as the Platform Team with the ability to deploy a DevSecOps (Kubernetes compliant) Platform and CI/CD pipeline with a Continuous ATO (c-ATO). You select from accredited tools to accelerate your ability to focus on delivering mission capabilities. 16
I n t e g r i t y - S e r v i c e - E x c e l l e n c e YOU Understanding the DevSecOps Layers Cloud One Platform One ContinuousMonitoring LeveragestheSidecarContainerSecurityStack CNCF compliant Kubernetes (K8S) Includes Site Reliability Engineers (SREs) etc. Development Team selects between approved K8S stacks Fully containerized, leverages DoD approved containers from DCAR Development Team selects tools from 172 approved containers or custom containers Brings baked-in security and Microservices architecture enablement Development Teams can build software/microservices leveraging hardened containers Infrastructure Layer Platform Layer Continuous Integration / Continuous Delivery (CI/CD) Layer Service Mesh Layer Application Layer
STORE ARTIFACTS SCALE MONITOR SECURE TEST BUILD “Continuous Integration & Continuous Delivery” Orchestration DoD Enterprise DevSecOps Technology Stack (Exemplar) PLAN & DEVELOP DEPLOY & OPERATE Container and Container Management
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Cloud One n Air Force Cloud Office with turnkey access to AWS GovCloud and Azure Government at IL2, 4 and 5. IL6 available by December 2019. n Simple “Pay per use” model with ability to instantiate your own Development and Production VPCs at various Impact Levels within days with full compliance/security and a baked-in ATO. n Enterprise Solution: we provide the guardrails to the cloud in a standard manner so you can focus on your mission n Fully Automated: All environmental stand-up is managed by Infrastructure as Code, drastically speeding up deployment, reducing manual work, and human error n Centralized Identities and Single-Sign-On (SSO): one login across the Cloud stack n Internet facing Cloud based VPN to connect to IL5 enclaves with a Virtual Internet Access Point (coming within January 2020). n DevSecOps Focused: secure, mission driven deployments are built into the framework to ensure self-service and seamless deployments. Leverages Zero Trust model. n Proactive Scaling and System Monitoring: Mission Owners can see all operational metrics and provide rules and alerts to manage each mission their way n Accreditation Inheritance has been identified in the AF-Cloud One eMASS accounts (AWS & Azure) to include inheritance from the CSP, USAF, DoD and CSSP. All that’s left for the mission is the controls that are unique to them. 19
I n t e g r i t y - S e r v i c e - E x c e l l e n c e “Platform One by LevelUP” The Air Force Software Factory Team n Merged top talent across U.S. Air Force from various Factories (Kessel Run, SpaceCAMP and UP. n Helps instantiate DevSecOps CI/CD pipelines / Software Factories within days at various classification levels. n Manages Software Factories for Development teams so they can focus on building mission applications. n Provides Blanket Purchase Agreement (BPA) DoD-wide DevSecOps contracts for Cloud Service, Talent and Licenses. Enables awards every 15/30 days with bulk discounts. n Decouples Development Teams from Factory teams with DevSecOps and Site Reliability Engineer (SRE) expertise. n Partners with Cloud One to provide IL2, 4, 5 and 6 access but also uses C2S/SC2S and various on-premise environments! n Self-learning and training capabilities to enable teams move to Scrum/Kanban/eXtreme Programming (XP) Agile practices. n Leverages the DoD hardened containers while avoiding one-size-fits-all architectures. n Fully compliant with the DoD Enterprise DevSecOps Initiative (DSOP) with DoD-wide reciprocity and an ATO. Leverages Zero Trust model. n Hardens the 172 DoD enterprise containers (databases, development tools, CI/CD tools, cybersecurity tools etc.). n Provides Software Enterprise Services with Collaboration tools, Cybersecurity tools, Source code repositories, Artifact repositories, Development tools, DevSecOps as a Service, Chats etc. These services will be MANAGED services on Cloud One. 20
I n t e g r i t y - S e r v i c e - E x c e l l e n c e “Platform One by LevelUP” Managed Services “A La Carte” n Hardened Containers Options n Delivery of hardened enterprise containers with accreditation reciprocity (existing containers only). n Delivery of custom hardened containers as needed. n Continuous Integration / Continuous Delivery (CI/CD) Options n Delivery of existing hardened Kubernetes/OpenShift/PKS playbooks (full Infrastructure as Code). n Delivery of a turnkey CI/CD pipeline (Software Factory) with complete « Infrastructure as Code » to instantiate on any environment (development teams picks the tools from the approved hardened containers) on various classified/unclassified environment. n Training/On-Boarding Options n 1-day training Session: introduction to DevSecOps. Overview and understanding of the vision and activities. n A 3 day introduction to LevelUP DevSecOps tech stack. Hands on code and User-Centered Design (UCD) to deploy your first demo app to production. n A several week full on-boarding, that concludes with an MVP ready for production. n A several month full on-boarding, that concludes with your platform team being able to support your own DevSecOps applications for development and production. n Customized training options (both at our locations or on your premises). n Contracting Support Options n Ability to leverage the DevSecOps BOAs (Cloud Services, Talent and Licenses). n Enable access to DevSecOps engineers/SREs Full-Time-Equivalent (FTEs) (Medics/Counselors) to assist Programs. 21
I n t e g r i t y - S e r v i c e - E x c e l l e n c e DoD Enterprise DevSecOps Architecture
Bare-metal, GovCloud, AWS Secret, Azure Secret, mil Cloud, C2S, Jedi…*** Elasticsearch DoD Enterprise DevSecOps Platform** 23 DoD Enterprise DevSecOps Architecture* DevSecOps CI/CD pipeline** Kubernetes Optional Abstraction Layer with Red Hat OpenShift or PKS or CNCF compliant Kubernetes Product Artifacts Repository** Sidecar Container Security Stack Centralized DoD Enterprise DevSecOps Artifacts Repository Continuously Hardens Docker Public Images and Assesses Open Source Libraries pulls pulls Program Source code repository Application / Microservices built by DoD Programs. pulls *each DoD Program can have its own instantiation of the DoD Enterprise DevSecOps Platform on any Cloud. ** can be installed with single command and deployed on any Cloud. *** could be deployed inside an enclave or on- premises **** gives complete visibilities of assets, security/vulnerability state etc. can be integrated to existing cybersecurity shared services. DoD OCIO/DISA Centralized Logs/Telemetry****Fluentd Real- time pushes Per DoD Service for Service-wide Visibility Logs/Telemetry**** pulls pulls Microservices Architecture (ISTIO)
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Microservices Architecture (ISTIO) 24 n Turnkey Service Mesh (ISTIO) architecture n ISTIO side car proxy, baked-in security, with visibility across containers, by default, without any developer interaction or code change n Benefits: n API Management, service discovery, authentication… n Dynamic request routing for A/B testing, gradual rollouts, canary releases, resilience, observability, retries, circuit breakers and fault injection n Layer 7 Load balancing n Zero Trust model: East/West Traffic Whitelisting, ACL, RBAC… n TLS encryption by default, Key management, signing…
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Sidecar Container Security Stack n Baked-in Zero Trust security down to the Container/Function level with Istio (Envoy) and Knative. n Centralized logging and telemetry with Elasticsearch, Fluentd, Kibana (EFK). n Container security: Continuous Scanning, Alerting, CVE scanning, Behavior detection both in development and production (Build, Registry, Runtime) with Twistlock n Container security and insider threat (custom policies detecting unapproved changes to Dockerfiles) with Anchore n Automated STIG compliance with OpenSCAP 25
I n t e g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Platform Stack (continuously evolving)
I n t e g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Product Stack (1) 27 Source Repository GitHub Government GitLab Container Management technologies: Kubernetes Openshift VMWare Tanzu PKS OKD Rancher (K8S only) D2IQ (K8S only) Docker EE (K8S only) Container Packagers: Helm Kubernetes Operators API Gateways Kong Azure API AWS API Axway 3Scale Apigee ISTIO (service mesh) Artifacts Artifactory Nexus Maven Archiva S3 bucket Programming Languages C/C++ C#/.NET .NET Core Java PHP Python Groovy Ruby R Rust Scala Perl Go Node.JS Swift Databases SQL Server MySQL PostgreSQL MongoDB SQLite Redis Elasticsearch Oracle etcd Hadoop/HDInsight Cloudera Oracle Big Data Solr Neo4J Memcached Cassandra MariaDB CouchDB InfluxDB (time)
I n t e g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Product Stack (2) 28 Message bus/Streams Kafka Flink Nats RabbitMQ ActiveMQ Proxy Oauth2 proxy nginx ldap auth proxy openldap HA Proxy Visualization Tableau Kibana Logs Logstash Splunk Forwarder Fluentd Syslogd Filebeat rsyslog Webservers Apache2 Nginx IIS Lighttpd Tomcat Docker base images OS: Alpine Busybox Ubuntu Centos Debian Fedora Universal Base Image Serverless Knative
I n t e g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Product Stack (3) 29 Build MSBuild CMake Maven Gradle Apache Ant Tests suite Cucumber J-Unit Selenium TestingWhiz Watir Sahi Zephyr Vagrant AppVerify nosetests SoapUI LeanFT Test coverage JaCoCo Emma Cobertura codecov CI/CD Orchestration Jenkins (open source) CloudBees Jenkins GitLab Jenkins plugins Dozens (Need to verify security). Configuration Management / Delivery Puppet Chef Ansible Saltstack Security Tenable / Nessus Agents Fortify Twistlock Aqua SonarQBE Qualys StackRox Aporeto Snort OWASP ZAP Contrast Security OpenVAS Metasploit ThreadFix pylint JFrog Xray OpenSCAP (can check against DISA STIG) OpenControl for compliance documentation Security (2) Snyk Code Climate AJAX Spider Tanaguru (508 compliance) InSpec OWASP Dependency-Check Burp HBSS Anchore Checkmarx SD Elements Clair Docker Bench Security Notary Sysdig Layered Insight BlackDuck Nexus IQ/Lifecycle/Firewall
I n t e g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Product Stack (4) 30 Monitoring Sensu EFK (Elasticsearch, Fluentd, Kibana) Splunk Nagios New Relic Sentry Promotheus Grafana Kiali Collaboration Rocket.Chat Matter.Most PagerDuty Plan Jira Confluence Rally Redmine Pivotal Tracker Secrets Kubernetes Secrets Vault Credentials (Jenkins) CryptoMove SSO Keycloak Documentation Javadoc RDoc Sphinx Doxygen Cucumber phpDocumentator Pydoc Performance Apache AB Jmeter LoadRunner
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Legacy to DevSecOps => Strangler Pattern n Martin Fowler describes the Strangler Application: n One of the natural wonders of this area are the huge strangler vines. They seed in the upper branches of a fig tree and gradually work their way down the tree until they root in the soil. Over many years they grow into fantastic and beautiful shapes, meanwhile strangling and killing the tree that was their host. n To get there, the following steps were followed: n First, add a proxy, which sits between the legacy application and the user. Initially, this proxy doesn’t do anything but pass all traffic, unmodified, to the application. n Then, add new service (with its own database(s) and other supporting infrastructure) and link it to the proxy. Implement the first new page in this service. Then allow the proxy to serve traffic to that page (see below). n Add more pages, more functionality and potentially more services. Open up the proxy to the new pages and services. Repeat until all required functionality is handled by the new stack. n The monolith no longer serves traffic and can be switched off. n Learn more: https://www.ibm.com/developerworks/cloud/library/cl-strangler-application-pattern- microservices-apps-trs/index.html and https://www.michielrook.nl/2016/11/strangler-pattern-practice/ 31
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Self-Learning (1) n Recommended Videos (Part 1) n Watch our playlists, available at different expertise levels and continuously augmented! n Kafka / KSQL (message bus, pub/sub, event driven): n Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlzz0zt03Ludtid7icrXBesg n Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxxXX0oCzt7laO6mD61UIQw n Advanced: N/A n Kubernetes n Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlydFzQzkYYDdQK7k5cEKubQ n Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlx8dSFH_jFLK40Tt7KUXTN_ n Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlytdAJiVqbHucWOvn5LrTNW 32
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Self-Learning (2) n Recommended Videos (Part 2) n Watch our playlists, available at different expertise levels and continuously augmented! n Service Mesh n Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxtC4rDIMQ8QiG5UBCjz7VH n Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlwWK_Y_Cas8Nyw-DsdbH6vl n Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlx8VW2MFONMRwS_-2rSJwdn n Microservices n Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlz_U2_RaONTGYLkz0lh-A_L n Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxqjuAXxoRMjvspaEE8L2cB n Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlw4CF4F4t3gVV3j0512CMsu 33
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Self-Learning (3) n Recommended Books n A Seat at the Table – by Mark Schwartz (former CIO of USCIS, leader in Agile) This book is highly recommended for ALL leadership as it is not technical but focused on the challenges around business, procurement and how leadership can enable DevOps across the organization and remove impediments. n The Phoenix Project – by the founders of DevOps n The DevOps Handbook – by Gene Kim, Patrick Debois. For those who drive to work like me (for hours), please note that these books are available as Audiobooks. 34
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Thank You! Nicolas Chaillan Chief Software Officer, U.S. Air Force usaf.cso@mail.mil
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Backup Slides
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Nicolas Chaillan - Presenter n Nicolas M. Chaillan is the Chief Software Officer at the U.S. Air Force and the Co-Lead for the DoD Enterprise DevSecOps Initiative. n He is the former Special Advisor for Cloud Security and DevSecOps at OSD, A&S. n He was the Special Advisor for Cybersecurity at the Department of Homeland Security and the Chief Architect for Cyber.gov, the new robust, innovative and holistic .Gov cyber security architecture for all .gov agencies. n Chaillan is a technology entrepreneur, software developer, cyber expert and inventor. He is recognized as one of France’s youngest entrepreneurs after founding his first company at 15 years of age. n With 19 years of international tech, entrepreneurial and management experience, Chaillan is the founder of more than 12 companies, including AFTER-MOUSE.COM, Prevent-Breach, anyGuest.com, and more. n Over the last eight years alone, he has created and sold over 180 innovative software products to 40 Fortune 500 companies. n Chaillan is recognized as a pioneer of the computer language PHP. 37 Chief Software Officer
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Thank You! Nicolas Chaillan Chief Software Officer, U.S. Air Force nicolas.m.chaillan.civ@mail.mil

More Related Content

PPTX
DoD-Enterprise-DevSecOps-Initiative-Introduction-v4.52.pptx
byTomGrand4
 
PDF
Cncf checkov and bridgecrew
byLibbySchulze
 
PPTX
How We Do DevOps at Walmart: OneOps OSS Application Lifecycle Management Plat...
byWalmartLabs
 
PPTX
Hashicorp Terraform Open Source vs Enterprise
byStenio Ferreira
 
PDF
Istio Service Mesh for Developers and Platform Engineers
bySaiLinnThu2
 
PPTX
Devops as a service
bySaravanan Subburayal
 
PDF
Rapid Strategic SRE Assessments
byMarc Hornbeek
 
PDF
Migrating to Microservices Patterns and Technologies (edition 2023)
byAhmed Misbah
 
DoD-Enterprise-DevSecOps-Initiative-Introduction-v4.52.pptx
byTomGrand4
 
Cncf checkov and bridgecrew
byLibbySchulze
 
How We Do DevOps at Walmart: OneOps OSS Application Lifecycle Management Plat...
byWalmartLabs
 
Hashicorp Terraform Open Source vs Enterprise
byStenio Ferreira
 
Istio Service Mesh for Developers and Platform Engineers
bySaiLinnThu2
 
Devops as a service
bySaravanan Subburayal
 
Rapid Strategic SRE Assessments
byMarc Hornbeek
 
Migrating to Microservices Patterns and Technologies (edition 2023)
byAhmed Misbah
 

What's hot

PDF
OpenShift 4 installation
byRobert Bohne
 
PDF
なぜあなたのプロジェクトのDevSecOpsは形骸化するのか(CloudNative Security Conference 2022)
byMasaya Tahara
 
PPTX
CLOUD NATIVE SECURITY
byMaganathin Veeraragaloo
 
PDF
Kubernetes Deployment Strategies
byAbdennour TM
 
PDF
Autoscaling Kubernetes
bycraigbox
 
PDF
Open shift 4 infra deep dive
byWinton Winton
 
PPTX
K8s in 3h - Kubernetes Fundamentals Training
byPiotr Perzyna
 
PPTX
私がなぜZscalerに?
byTakayoshi Takaoka
 
PDF
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
byrockplace
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PPTX
Cloud Adoption Framework - Overview_partner.pptx
byabhishek22611
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PDF
OpenStack dans la pratique
byOsones
 
PDF
Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...
byVietnam Open Infrastructure User Group
 
PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PPTX
Past, Present and Future of DevOps Infrastructure
bySynergetics Learning and Cloud Consulting
 
PPSX
Zero-Trust SASE DevSecOps
byAraf Karsh Hamid
 
PDF
Cisco sddc solution 소개
byWoo Hyung Choi
 
PDF
OCHaCafe#5 - 避けては通れない!認証・認可
byオラクルエンジニア通信
 
ODP
Openshift Container Platform
byDLT Solutions
 
OpenShift 4 installation
byRobert Bohne
 
なぜあなたのプロジェクトのDevSecOpsは形骸化するのか(CloudNative Security Conference 2022)
byMasaya Tahara
 
CLOUD NATIVE SECURITY
byMaganathin Veeraragaloo
 
Kubernetes Deployment Strategies
byAbdennour TM
 
Autoscaling Kubernetes
bycraigbox
 
Open shift 4 infra deep dive
byWinton Winton
 
K8s in 3h - Kubernetes Fundamentals Training
byPiotr Perzyna
 
私がなぜZscalerに?
byTakayoshi Takaoka
 
왜 컨테이너인가? - OpenShift 구축 사례와 컨테이너로 환경 전환 시 고려사항
byrockplace
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Cloud Adoption Framework - Overview_partner.pptx
byabhishek22611
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
OpenStack dans la pratique
byOsones
 
Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...
byVietnam Open Infrastructure User Group
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
Past, Present and Future of DevOps Infrastructure
bySynergetics Learning and Cloud Consulting
 
Zero-Trust SASE DevSecOps
byAraf Karsh Hamid
 
Cisco sddc solution 소개
byWoo Hyung Choi
 
OCHaCafe#5 - 避けては通れない!認証・認可
byオラクルエンジニア通信
 
Openshift Container Platform
byDLT Solutions
 

Similar to DevSecOps: The DoD Software Factory

PDF
FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...
byscoopnewsgroup
 
PPTX
DoD-Enterprise-DevSecOps-Initiative.pptx
byfengerqiang
 
PPTX
DoD Enterprise DevSecOps Initiative by Mr. Nicolas Chaillan
byHermanKBeta
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PDF
Adopting the DoD Software Factory Model: Insights & How Tos
byAnchore
 
PPTX
DevSecOps Story with added security controls
byHareeshNani5
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PDF
Enabling multicloud in the enterprise with DevSecOps
byJosh Boyd
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
PDF
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
byNorm Barber
 
PDF
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
byUnifyCloud
 
PDF
Elastic, DevSecOps, and the DOD software factory
byElasticsearch
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PPT
Sage Solutions Brief.Mjo
bymjo57
 
DOCX
10 things to get right for successful dev secops
byMohammed Ahmed
 
PDF
Security & DevOps - What We Have Here Is a Failure to Communicate!
byDevOps.com
 
PDF
Security's DevOps Transformation
byMichele Chubirka
 
PDF
Understanding DevSecOps.pdf
byCiente
 
FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...
byscoopnewsgroup
 
DoD-Enterprise-DevSecOps-Initiative.pptx
byfengerqiang
 
DoD Enterprise DevSecOps Initiative by Mr. Nicolas Chaillan
byHermanKBeta
 
Scale security for a dollar or less
byMohammed A. Imran
 
Adopting the DoD Software Factory Model: Insights & How Tos
byAnchore
 
DevSecOps Story with added security controls
byHareeshNani5
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
Enabling multicloud in the enterprise with DevSecOps
byJosh Boyd
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
byNorm Barber
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
byUnifyCloud
 
Elastic, DevSecOps, and the DOD software factory
byElasticsearch
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
Sage Solutions Brief.Mjo
bymjo57
 
10 things to get right for successful dev secops
byMohammed Ahmed
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
byDevOps.com
 
Security's DevOps Transformation
byMichele Chubirka
 
Understanding DevSecOps.pdf
byCiente
 

More from scoopnewsgroup

PDF
2020: What's on Deck for the PMA
byscoopnewsgroup
 
PDF
Modernization Requires Choice
byscoopnewsgroup
 
PDF
Smarter Access is the Bridge to Security Modernization
byscoopnewsgroup
 
PDF
How Zero Trust Makes the Mission Simple & Secure
byscoopnewsgroup
 
PDF
Building a Zero Trust Architecture
byscoopnewsgroup
 
PDF
History of Data-Centric Transformation
byscoopnewsgroup
 
PDF
IC Fireside Chat
byscoopnewsgroup
 
PDF
The Edge to AI
byscoopnewsgroup
 
PDF
Data Strategy – What Does an Enterprise Data Cloud Mean for Your Agency?
byscoopnewsgroup
 
PDF
Devil's Bargain: Sacrificing Strategic Investments to Fund Today's Problems
byscoopnewsgroup
 
PDF
Moving Beyond Zero Trust
byscoopnewsgroup
 
PDF
Keeping the Workforce of the Future Empowered, Engaged & Happy
byscoopnewsgroup
 
PDF
Opening Remarks
byscoopnewsgroup
 
PDF
It All Starts with Linux
byscoopnewsgroup
 
PDF
Leadership in the Digital Age
byscoopnewsgroup
 
PDF
Digital Transformation for Government
byscoopnewsgroup
 
PDF
Enhancing your Cyber Skills through a Cyber Range
byscoopnewsgroup
 
PDF
Lessons Learned from Fire Escapes for Cybersecurity
byscoopnewsgroup
 
PDF
2019 FedScoop Public Sector innovation Summit
byscoopnewsgroup
 
PDF
FedScoop Public Sector Innovation Summit Peter Wallace, CIO, Virginia Beach- ...
byscoopnewsgroup
 
2020: What's on Deck for the PMA
byscoopnewsgroup
 
Modernization Requires Choice
byscoopnewsgroup
 
Smarter Access is the Bridge to Security Modernization
byscoopnewsgroup
 
How Zero Trust Makes the Mission Simple & Secure
byscoopnewsgroup
 
Building a Zero Trust Architecture
byscoopnewsgroup
 
History of Data-Centric Transformation
byscoopnewsgroup
 
IC Fireside Chat
byscoopnewsgroup
 
The Edge to AI
byscoopnewsgroup
 
Data Strategy – What Does an Enterprise Data Cloud Mean for Your Agency?
byscoopnewsgroup
 
Devil's Bargain: Sacrificing Strategic Investments to Fund Today's Problems
byscoopnewsgroup
 
Moving Beyond Zero Trust
byscoopnewsgroup
 
Keeping the Workforce of the Future Empowered, Engaged & Happy
byscoopnewsgroup
 
Opening Remarks
byscoopnewsgroup
 
It All Starts with Linux
byscoopnewsgroup
 
Leadership in the Digital Age
byscoopnewsgroup
 
Digital Transformation for Government
byscoopnewsgroup
 
Enhancing your Cyber Skills through a Cyber Range
byscoopnewsgroup
 
Lessons Learned from Fire Escapes for Cybersecurity
byscoopnewsgroup
 
2019 FedScoop Public Sector innovation Summit
byscoopnewsgroup
 
FedScoop Public Sector Innovation Summit Peter Wallace, CIO, Virginia Beach- ...
byscoopnewsgroup
 

Recently uploaded

PDF
Estimating the Effects of Changes in Permitting Requirements on Private Inves...
byCongressional Budget Office
 
PDF
EFOW Brief: Some Stories of Two- Choices we are invited to make
byEnergy for One World
 
PDF
The Economic Outlook for 2026 to 2036 in 17 Slides
byCongressional Budget Office
 
PDF
PPT Item # 12 - 2025 Racial Profiling Report
byahcitycouncil
 
PDF
PPT Item # 11 - NOI 6801, 6900, 7000, 7101 Broadway
byahcitycouncil
 
PPTX
Ending Homelessness through Community Unity with Arvy Ebrahime
byArvy Ebrahime
 
PDF
PPT Item # 7 - Water & Wastewater Rate Study
byahcitycouncil
 
PDF
The Budget and Economic Outlook for 2026 to 2036: Press Briefing Slides
byCongressional Budget Office
 
PDF
Item # 6 - 518 Austin Hwy (ARB #1011F - Final Review)
byahcitycouncil
 
PPTX
Mengapresiasi dan Mengkreasikan Cerpen.pptx
byDyah713783
 
PDF
IEA Publication : Electricity Year 2026 Full Report
byEnergy for One World
 
PDF
Item # 2a - January 12, 2026 CCM Minutes
byahcitycouncil
 
PDF
MSC 2026 : Under Destruction Munich Security Report 2026
byEnergy for One World
 
PDF
Item # 12 - 2025 Racial Profiling Report
byahcitycouncil
 
PDF
Item # 9 - Legal Services Contract/Renewal
byahcitycouncil
 
PDF
Item # 7 - Water & Wastewater Rate Study
byahcitycouncil
 
PDF
Rapport du Congrès de novembre 2025 sur l'enrichissement personnel de Trump
bySociété Tripalio
 
PDF
EFOW Brief: Essay on Leadership Paradigms, Scenarios and Pathways
byEnergy for One World
 
PDF
Item # 11 - NOI Development of 6800, 6900, 7001 & 7101 Broadway
byahcitycouncil
 
PPTX
Devolution-of-functions-Internatiobest-practices-March-2024-Tinashe-Chigwata....
byandrewcmwale10
 
Estimating the Effects of Changes in Permitting Requirements on Private Inves...
byCongressional Budget Office
 
EFOW Brief: Some Stories of Two- Choices we are invited to make
byEnergy for One World
 
The Economic Outlook for 2026 to 2036 in 17 Slides
byCongressional Budget Office
 
PPT Item # 12 - 2025 Racial Profiling Report
byahcitycouncil
 
PPT Item # 11 - NOI 6801, 6900, 7000, 7101 Broadway
byahcitycouncil
 
Ending Homelessness through Community Unity with Arvy Ebrahime
byArvy Ebrahime
 
PPT Item # 7 - Water & Wastewater Rate Study
byahcitycouncil
 
The Budget and Economic Outlook for 2026 to 2036: Press Briefing Slides
byCongressional Budget Office
 
Item # 6 - 518 Austin Hwy (ARB #1011F - Final Review)
byahcitycouncil
 
Mengapresiasi dan Mengkreasikan Cerpen.pptx
byDyah713783
 
IEA Publication : Electricity Year 2026 Full Report
byEnergy for One World
 
Item # 2a - January 12, 2026 CCM Minutes
byahcitycouncil
 
MSC 2026 : Under Destruction Munich Security Report 2026
byEnergy for One World
 
Item # 12 - 2025 Racial Profiling Report
byahcitycouncil
 
Item # 9 - Legal Services Contract/Renewal
byahcitycouncil
 
Item # 7 - Water & Wastewater Rate Study
byahcitycouncil
 
Rapport du Congrès de novembre 2025 sur l'enrichissement personnel de Trump
bySociété Tripalio
 
EFOW Brief: Essay on Leadership Paradigms, Scenarios and Pathways
byEnergy for One World
 
Item # 11 - NOI Development of 6800, 6900, 7001 & 7101 Broadway
byahcitycouncil
 
Devolution-of-functions-Internatiobest-practices-March-2024-Tinashe-Chigwata....
byandrewcmwale10
 

DevSecOps: The DoD Software Factory

  • 1.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Headquarters U.S. Air Force Mr. Nicolas Chaillan Chief Software Officer, U.S. Air Force Co-Lead, DoD Enterprise DevSecOps Initiative v1.5 – UNCLASSFIED DoD Enterprise DevSecOps Initiative (Software Factory)
  • 2.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Problem Statement n The Department of Defense (DoD) is mostly still using Waterfall software methodologies with software delivery every 3 to 10 years, making it impossible to keep up with the pace of technology. n The DoD Authority to Operate (ATO) process to accredit software takes on average 8 months and is mostly manual with several testing and cybersecurity gates. n Most of the Defense Industrial Base (DIB) (the DoD contractors and developers) has not adopted an Agile and/or DevOps mindset. n Massive organization with large silos and large workforce. n Limited IT enterprise services, Cloud access and high speed connectivity. 3
  • 3.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 5 Must Rapidly Adapt To Challenges
  • 4.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 6 Must Adapt To Challenges Work as a Team!
  • 5.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 7 Must Adapt To Challenges Work as a Team! A Large Team!
  • 6.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 8 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies
  • 7.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 9 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies Bring It With Us!
  • 8.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 10 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies Bring It With Us! To Space!
  • 9.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 11 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies Bring It With Us! To Space! With a Few Sensors!
  • 10.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Must Adapt to Challenges 12 Must Adapt To Challenges Work as a Team! A Large Team! With Various Technologies Bring It With Us! To Space! With a Few Sensors! With their Help!
  • 11.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e What is the DoD Enterprise DevSecOps Initiative? n Joint Program with OUSD(A&S), DoD CIO, U.S. Air Force, DISA and the Military Services. n Technology: n Avoid vendor lock-in at the Infrastructure and Platform Layer by leveraging FOSS with Kubernetes and OCI containers, n Creating the DoD Centralized Artifacts Repository (DCAR) of hardened and centrally accredited containers: selecting, certifying, and securing best of breed development tools and software capabilities (over 170+ containers) - https://dccscr.dsop.io/dsop/ and https://dcar.dsop.io n Baked-in Zero Trust Security with our Sidecar Container Security Stack (SCSS) leveraging behavior detection, zero trust down to the container/function level. n Leveraging a Scalable Microservices Architecture with Service Mesh/API Gateway and baked-in security (Istio) n Leveraging KNative to avoid lock-in to Cloud provider Serverless stacks n Bringing Enterprise IT Capabilities with Cloud One and Platform One – Cloud and DevSecOps as Managed Services capabilities, on-boarding and support! n Standardizing metrics and define acceptable thresholds for DoD-wide continuous Authority to Operate n Massive Scale Training with Self Learning Capabilities (train over 100K people within a year) and bring state of the art DevSecOps curriculum n Creating new Agile contracting language to enable and incentivize the use of DevSecOps 13
  • 12.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e From Waterfall to DevSecOps 14
  • 13.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Value for DoD Programs n Enables any DoD Program across DoD Services deploy a DoD hardened Software Factory, on their existing or new environments (including classified, disconnected and Clouds), within days instead of a year. Tremendous cost and time savings. n Multiple DevSecOps pipelines are available with various options (no one-size-fits-all) n Enables rapid prototyping (in days and not months or years) for any Business, C4ISR and Weapons system. Deployment in PRODUCTION! n Enables learning and continuous feedback from actual end-users (warfighters). n Enables bug and security fixes in minutes instead of weeks/months. n Enables automated testing and security. n Enables continuous Authorization to Operate (c-ATO) process. Authorize ONCE, use MANY times! n Brings a holistic and baked-in cybersecurity stack, gaining complete visibility of all assets, software security state and infrastructure as code. 15
  • 14.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e “Cloud One” vs “Platform One by LevelUP” n Cloud One: n Centralized team to provide Cloud Infrastructure with baked-in security to DoD programs. Think of it as the Infrastructure team with baked-in security, CSSP and Authority to Operate (ATO). n Platform One by LevelUP: n Centralized team to provide DevSecOps/Software Factory with baked-in security to DoD Programs. Think of it as the Platform Team with the ability to deploy a DevSecOps (Kubernetes compliant) Platform and CI/CD pipeline with a Continuous ATO (c-ATO). You select from accredited tools to accelerate your ability to focus on delivering mission capabilities. 16
  • 15.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e YOU Understanding the DevSecOps Layers Cloud One Platform One ContinuousMonitoring LeveragestheSidecarContainerSecurityStack CNCF compliant Kubernetes (K8S) Includes Site Reliability Engineers (SREs) etc. Development Team selects between approved K8S stacks Fully containerized, leverages DoD approved containers from DCAR Development Team selects tools from 172 approved containers or custom containers Brings baked-in security and Microservices architecture enablement Development Teams can build software/microservices leveraging hardened containers Infrastructure Layer Platform Layer Continuous Integration / Continuous Delivery (CI/CD) Layer Service Mesh Layer Application Layer
  • 16.
    STORE ARTIFACTS SCALE MONITOR SECURE TEST BUILD “Continuous Integration & Continuous Delivery” Orchestration DoDEnterprise DevSecOps Technology Stack (Exemplar) PLAN & DEVELOP DEPLOY & OPERATE Container and Container Management
  • 17.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Cloud One n Air Force Cloud Office with turnkey access to AWS GovCloud and Azure Government at IL2, 4 and 5. IL6 available by December 2019. n Simple “Pay per use” model with ability to instantiate your own Development and Production VPCs at various Impact Levels within days with full compliance/security and a baked-in ATO. n Enterprise Solution: we provide the guardrails to the cloud in a standard manner so you can focus on your mission n Fully Automated: All environmental stand-up is managed by Infrastructure as Code, drastically speeding up deployment, reducing manual work, and human error n Centralized Identities and Single-Sign-On (SSO): one login across the Cloud stack n Internet facing Cloud based VPN to connect to IL5 enclaves with a Virtual Internet Access Point (coming within January 2020). n DevSecOps Focused: secure, mission driven deployments are built into the framework to ensure self-service and seamless deployments. Leverages Zero Trust model. n Proactive Scaling and System Monitoring: Mission Owners can see all operational metrics and provide rules and alerts to manage each mission their way n Accreditation Inheritance has been identified in the AF-Cloud One eMASS accounts (AWS & Azure) to include inheritance from the CSP, USAF, DoD and CSSP. All that’s left for the mission is the controls that are unique to them. 19
  • 18.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e “Platform One by LevelUP” The Air Force Software Factory Team n Merged top talent across U.S. Air Force from various Factories (Kessel Run, SpaceCAMP and UP. n Helps instantiate DevSecOps CI/CD pipelines / Software Factories within days at various classification levels. n Manages Software Factories for Development teams so they can focus on building mission applications. n Provides Blanket Purchase Agreement (BPA) DoD-wide DevSecOps contracts for Cloud Service, Talent and Licenses. Enables awards every 15/30 days with bulk discounts. n Decouples Development Teams from Factory teams with DevSecOps and Site Reliability Engineer (SRE) expertise. n Partners with Cloud One to provide IL2, 4, 5 and 6 access but also uses C2S/SC2S and various on-premise environments! n Self-learning and training capabilities to enable teams move to Scrum/Kanban/eXtreme Programming (XP) Agile practices. n Leverages the DoD hardened containers while avoiding one-size-fits-all architectures. n Fully compliant with the DoD Enterprise DevSecOps Initiative (DSOP) with DoD-wide reciprocity and an ATO. Leverages Zero Trust model. n Hardens the 172 DoD enterprise containers (databases, development tools, CI/CD tools, cybersecurity tools etc.). n Provides Software Enterprise Services with Collaboration tools, Cybersecurity tools, Source code repositories, Artifact repositories, Development tools, DevSecOps as a Service, Chats etc. These services will be MANAGED services on Cloud One. 20
  • 19.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e “Platform One by LevelUP” Managed Services “A La Carte” n Hardened Containers Options n Delivery of hardened enterprise containers with accreditation reciprocity (existing containers only). n Delivery of custom hardened containers as needed. n Continuous Integration / Continuous Delivery (CI/CD) Options n Delivery of existing hardened Kubernetes/OpenShift/PKS playbooks (full Infrastructure as Code). n Delivery of a turnkey CI/CD pipeline (Software Factory) with complete « Infrastructure as Code » to instantiate on any environment (development teams picks the tools from the approved hardened containers) on various classified/unclassified environment. n Training/On-Boarding Options n 1-day training Session: introduction to DevSecOps. Overview and understanding of the vision and activities. n A 3 day introduction to LevelUP DevSecOps tech stack. Hands on code and User-Centered Design (UCD) to deploy your first demo app to production. n A several week full on-boarding, that concludes with an MVP ready for production. n A several month full on-boarding, that concludes with your platform team being able to support your own DevSecOps applications for development and production. n Customized training options (both at our locations or on your premises). n Contracting Support Options n Ability to leverage the DevSecOps BOAs (Cloud Services, Talent and Licenses). n Enable access to DevSecOps engineers/SREs Full-Time-Equivalent (FTEs) (Medics/Counselors) to assist Programs. 21
  • 20.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e DoD Enterprise DevSecOps Architecture
  • 21.
    Bare-metal, GovCloud, AWSSecret, Azure Secret, mil Cloud, C2S, Jedi…*** Elasticsearch DoD Enterprise DevSecOps Platform** 23 DoD Enterprise DevSecOps Architecture* DevSecOps CI/CD pipeline** Kubernetes Optional Abstraction Layer with Red Hat OpenShift or PKS or CNCF compliant Kubernetes Product Artifacts Repository** Sidecar Container Security Stack Centralized DoD Enterprise DevSecOps Artifacts Repository Continuously Hardens Docker Public Images and Assesses Open Source Libraries pulls pulls Program Source code repository Application / Microservices built by DoD Programs. pulls *each DoD Program can have its own instantiation of the DoD Enterprise DevSecOps Platform on any Cloud. ** can be installed with single command and deployed on any Cloud. *** could be deployed inside an enclave or on- premises **** gives complete visibilities of assets, security/vulnerability state etc. can be integrated to existing cybersecurity shared services. DoD OCIO/DISA Centralized Logs/Telemetry****Fluentd Real- time pushes Per DoD Service for Service-wide Visibility Logs/Telemetry**** pulls pulls Microservices Architecture (ISTIO)
  • 22.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Microservices Architecture (ISTIO) 24 n Turnkey Service Mesh (ISTIO) architecture n ISTIO side car proxy, baked-in security, with visibility across containers, by default, without any developer interaction or code change n Benefits: n API Management, service discovery, authentication… n Dynamic request routing for A/B testing, gradual rollouts, canary releases, resilience, observability, retries, circuit breakers and fault injection n Layer 7 Load balancing n Zero Trust model: East/West Traffic Whitelisting, ACL, RBAC… n TLS encryption by default, Key management, signing…
  • 23.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Sidecar Container Security Stack n Baked-in Zero Trust security down to the Container/Function level with Istio (Envoy) and Knative. n Centralized logging and telemetry with Elasticsearch, Fluentd, Kibana (EFK). n Container security: Continuous Scanning, Alerting, CVE scanning, Behavior detection both in development and production (Build, Registry, Runtime) with Twistlock n Container security and insider threat (custom policies detecting unapproved changes to Dockerfiles) with Anchore n Automated STIG compliance with OpenSCAP 25
  • 24.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Platform Stack (continuously evolving)
  • 25.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Product Stack (1) 27 Source Repository GitHub Government GitLab Container Management technologies: Kubernetes Openshift VMWare Tanzu PKS OKD Rancher (K8S only) D2IQ (K8S only) Docker EE (K8S only) Container Packagers: Helm Kubernetes Operators API Gateways Kong Azure API AWS API Axway 3Scale Apigee ISTIO (service mesh) Artifacts Artifactory Nexus Maven Archiva S3 bucket Programming Languages C/C++ C#/.NET .NET Core Java PHP Python Groovy Ruby R Rust Scala Perl Go Node.JS Swift Databases SQL Server MySQL PostgreSQL MongoDB SQLite Redis Elasticsearch Oracle etcd Hadoop/HDInsight Cloudera Oracle Big Data Solr Neo4J Memcached Cassandra MariaDB CouchDB InfluxDB (time)
  • 26.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Product Stack (2) 28 Message bus/Streams Kafka Flink Nats RabbitMQ ActiveMQ Proxy Oauth2 proxy nginx ldap auth proxy openldap HA Proxy Visualization Tableau Kibana Logs Logstash Splunk Forwarder Fluentd Syslogd Filebeat rsyslog Webservers Apache2 Nginx IIS Lighttpd Tomcat Docker base images OS: Alpine Busybox Ubuntu Centos Debian Fedora Universal Base Image Serverless Knative
  • 27.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Product Stack (3) 29 Build MSBuild CMake Maven Gradle Apache Ant Tests suite Cucumber J-Unit Selenium TestingWhiz Watir Sahi Zephyr Vagrant AppVerify nosetests SoapUI LeanFT Test coverage JaCoCo Emma Cobertura codecov CI/CD Orchestration Jenkins (open source) CloudBees Jenkins GitLab Jenkins plugins Dozens (Need to verify security). Configuration Management / Delivery Puppet Chef Ansible Saltstack Security Tenable / Nessus Agents Fortify Twistlock Aqua SonarQBE Qualys StackRox Aporeto Snort OWASP ZAP Contrast Security OpenVAS Metasploit ThreadFix pylint JFrog Xray OpenSCAP (can check against DISA STIG) OpenControl for compliance documentation Security (2) Snyk Code Climate AJAX Spider Tanaguru (508 compliance) InSpec OWASP Dependency-Check Burp HBSS Anchore Checkmarx SD Elements Clair Docker Bench Security Notary Sysdig Layered Insight BlackDuck Nexus IQ/Lifecycle/Firewall
  • 28.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e DevSecOps Product Stack (4) 30 Monitoring Sensu EFK (Elasticsearch, Fluentd, Kibana) Splunk Nagios New Relic Sentry Promotheus Grafana Kiali Collaboration Rocket.Chat Matter.Most PagerDuty Plan Jira Confluence Rally Redmine Pivotal Tracker Secrets Kubernetes Secrets Vault Credentials (Jenkins) CryptoMove SSO Keycloak Documentation Javadoc RDoc Sphinx Doxygen Cucumber phpDocumentator Pydoc Performance Apache AB Jmeter LoadRunner
  • 29.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Legacy to DevSecOps => Strangler Pattern n Martin Fowler describes the Strangler Application: n One of the natural wonders of this area are the huge strangler vines. They seed in the upper branches of a fig tree and gradually work their way down the tree until they root in the soil. Over many years they grow into fantastic and beautiful shapes, meanwhile strangling and killing the tree that was their host. n To get there, the following steps were followed: n First, add a proxy, which sits between the legacy application and the user. Initially, this proxy doesn’t do anything but pass all traffic, unmodified, to the application. n Then, add new service (with its own database(s) and other supporting infrastructure) and link it to the proxy. Implement the first new page in this service. Then allow the proxy to serve traffic to that page (see below). n Add more pages, more functionality and potentially more services. Open up the proxy to the new pages and services. Repeat until all required functionality is handled by the new stack. n The monolith no longer serves traffic and can be switched off. n Learn more: https://www.ibm.com/developerworks/cloud/library/cl-strangler-application-pattern- microservices-apps-trs/index.html and https://www.michielrook.nl/2016/11/strangler-pattern-practice/ 31
  • 30.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Self-Learning (1) n Recommended Videos (Part 1) n Watch our playlists, available at different expertise levels and continuously augmented! n Kafka / KSQL (message bus, pub/sub, event driven): n Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlzz0zt03Ludtid7icrXBesg n Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxxXX0oCzt7laO6mD61UIQw n Advanced: N/A n Kubernetes n Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlydFzQzkYYDdQK7k5cEKubQ n Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlx8dSFH_jFLK40Tt7KUXTN_ n Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlytdAJiVqbHucWOvn5LrTNW 32
  • 31.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Self-Learning (2) n Recommended Videos (Part 2) n Watch our playlists, available at different expertise levels and continuously augmented! n Service Mesh n Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxtC4rDIMQ8QiG5UBCjz7VH n Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlwWK_Y_Cas8Nyw-DsdbH6vl n Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlx8VW2MFONMRwS_-2rSJwdn n Microservices n Beginners: https://www.youtube.com/playlist?list=PLSIv_F9TtLlz_U2_RaONTGYLkz0lh-A_L n Intermediate: https://www.youtube.com/playlist?list=PLSIv_F9TtLlxqjuAXxoRMjvspaEE8L2cB n Advanced: https://www.youtube.com/playlist?list=PLSIv_F9TtLlw4CF4F4t3gVV3j0512CMsu 33
  • 32.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Self-Learning (3) n Recommended Books n A Seat at the Table – by Mark Schwartz (former CIO of USCIS, leader in Agile) This book is highly recommended for ALL leadership as it is not technical but focused on the challenges around business, procurement and how leadership can enable DevOps across the organization and remove impediments. n The Phoenix Project – by the founders of DevOps n The DevOps Handbook – by Gene Kim, Patrick Debois. For those who drive to work like me (for hours), please note that these books are available as Audiobooks. 34
  • 33.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Thank You! Nicolas Chaillan Chief Software Officer, U.S. Air Force usaf.cso@mail.mil
  • 34.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Backup Slides
  • 35.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Nicolas Chaillan - Presenter n Nicolas M. Chaillan is the Chief Software Officer at the U.S. Air Force and the Co-Lead for the DoD Enterprise DevSecOps Initiative. n He is the former Special Advisor for Cloud Security and DevSecOps at OSD, A&S. n He was the Special Advisor for Cybersecurity at the Department of Homeland Security and the Chief Architect for Cyber.gov, the new robust, innovative and holistic .Gov cyber security architecture for all .gov agencies. n Chaillan is a technology entrepreneur, software developer, cyber expert and inventor. He is recognized as one of France’s youngest entrepreneurs after founding his first company at 15 years of age. n With 19 years of international tech, entrepreneurial and management experience, Chaillan is the founder of more than 12 companies, including AFTER-MOUSE.COM, Prevent-Breach, anyGuest.com, and more. n Over the last eight years alone, he has created and sold over 180 innovative software products to 40 Fortune 500 companies. n Chaillan is recognized as a pioneer of the computer language PHP. 37 Chief Software Officer
  • 36.
    I n te g r i t y - S e r v i c e - E x c e l l e n c e Thank You! Nicolas Chaillan Chief Software Officer, U.S. Air Force nicolas.m.chaillan.civ@mail.mil