Modernizing Software Development in the US Navy

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rick Jack, Distinguished C4ISR Software Engineer - SSTM, SPAWAR Systems Center San
Diego
Rob Nolen, Solutions Architect, Amazon Web Services
Phil Osip, Solution Architect, Red Hat
195347
Modernizing Software Development in
the US Navy

NEEDS

NAVY DIGITAL TRANSFORMATION NEEDS
Speed / Security
ITOptimization / AppModernization
Path to the Cloud / Cloud First

CHALLENGES

NAVY OPERATIONAL CHALLENGES
• In efforts to increase capability, the enterprise has let complexity creep
into our system of systems approach
• Systems are stove-piped or typically tightly coupled and sometimes
provide infrastructure
• This creates complex visibility into impacts of issues (e.g. cyber)
• Data interoperability is at a system-by-system level
• Typical time to field a capability is upwards to a year or more, because
accreditation for systems include complexity they do not have breadth to
quickly address
• Obsolescence is driving up costs

NAVY PROGRAM CHALLENGES
• Lack of common shared development, integration, staging, and
deployment environments inhibits opportunities to accelerate
deployment timelines
• Multiple duplicative investments in development laboratories,
processes, and tools
• Inefficient and/or inadequate coordination and management of technical
dependencies between systems, applications, core services, standards,
and the versions of supported software results in interoperability issues
• Issue/defect identification occurs late in the development/integration
cycle
• Software assurance may not always be monitored and measured, which
may result in vulnerabilities undetected until fielded

SOLUTION

NAVY WAY FORWARD
• Reshape strategy to focus on a services-based, security and data- centric
• Cloud-first, compliance-based, easily expose and share data
• Enterprise alignment
• Adoption of AI and Machine Learning to support better decision making
• Rapid adoption of an architecture framework that modernizes and modularizes
application
• Key to this is the decomposing and abstracting applications from the infrastructure, while being technology neutral with
a data-centric design
• Allow capability providers to focus on content vice plumbing
• Adopt modernized standard data sharing formats and specifications
• Embrace SECDEVOPS as a principle for developers to understand increase in
quality expectation and provide rapid visibility to decision maker
• Enforce automated governance
• Uniform and predictable software configurations

APPROACH

Let’s First Dispel Some Myths
Pretty, But Wrong
DEV OPS
SEC

“Bake-In” Security Versus “Bolt-On”
OPSDEV
SEC

So What Does That Look Like?
+ Vulnerability
Assessments
From All Day DevOps Webinar Nov 2016
content distributable from Carnegie Mellon

Identifying How To “Shift Left” With Security/IA
Threat Modeling
Security as a
Quality
Attribute

Identify What ”Secure” Means Before You Start
An Incomplete Table of Compliance Levels and Standards

Don’t Require BUFD, But Don’t Start From Scratch
An “enterprise-ready”deploymentof OCP inAWS infrastructure,basedonalreadyaccreditedsystems
(at800-53 MEDIUM/MEDIUM/MEDIUM)
Also see examples of ourgeneric, published reference architectures athttps://goo.gl/Hz1gEJ
LOGICAL COMPONENT
BLOCK DIAGRAM
CONTROLLED
INTERFACE
DIAGRAM
ROLE BASED
ACTIVITY
DIAGRAM
ROLE TO
COMPONENT
ALLOCATION
PHYSICAL
CONNECTIVITY
DIAGRAM
CUSTOM
ANSIBLE
ROLES
CENTRALIZED
ARTIFACTS

Adopt A Security Inheritance Model
Secure /
Hardened
Environment

Deploying a Trusted Software Supply Chain
DEV TEST/QA/SIT UAT/STAGING
Ubiquitous
Automation

Ubiquitous
Automation
Load balancers
DEV
Load balancers
TEST/QA/SIT
Load balancers
UAT/STAGING

Ubiquitous
Automation
Load balancers
DEV
Load balancers
TEST/QA/SIT
Load balancers
UAT/STAGING
Jenkins
Other
S2I

Exercising a Trusted Software Supply Chain
Ubiquitous
Automation
Load balancers
DEV
Load balancers
TEST/QA/SIT
Load balancers
UAT/STAGING
Jenkins
Other
S2I
Databases
& other
svcs
Databases
& other
svcs
Databases
& other
svcs

Security Inheritance ModelAPPLICATION
Controls that need to be
implemented by the programs
hosted on the OpenShift
Container Platform.
SERVICE
Container Platform’s
implementation. This
includes tools such as
Ansible Tower and OpenSCAP.
.
INFRASTRUCTURE
A control that is satisfied
by the Organization’s
Infrastructure as a Service
implementation (e.g. AWS).
ENTERPRISE
A control that is satisfied
by the hosting
organization. This includes
enterprise services such as
LDAP, the Audit and Logging
solution, etc.
22
Your App
Controls
Inherit
ed
Control
s

BUILD SCAN DEPLOYTESTDEV
BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT

Only Introduce ”Approved” Elements
Web Hooks,
Secure
Supply
Chain

Containers Start with Quality Parts
●Manual inspection
●Automated inspection
●Packaging guidelines
●Build roots
●Quality assurance
●Certifications
●Signing
●Distribution
●Response
●Support
●Security updates
OPENSHIFT
SECURE
REGISTRY
What goes intoyoursecure softwaresupply chain? Red Hat provides:

BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT
Pre-receive
Hooks
With
Security
Compliance
Checks
[GitHub]

Automate What You Should and Build Trust
Security
Focused
Review Criteria

BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT
Code Review
Pre-receive
Hooks
With
Security
Compliance
Checks
[GitHub]

Don’t Waste Compute or Time
Automated Security
Testing
(Static Code Analysis,
Container Scanning)

Demo Output for Pipeline Invocation Post Code Review

BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT
Pre-receive
Hooks
With
Security
Compliance
Checks
[GitHub]
Static
Analysis
Security
Test
(SAST)
[SonarQube]
OPENSCAP
EVAL
&
REMEDIATE

Demo Output for Static Analysis Security Test

BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT
Pre-receive
Hooks
With
Security
Compliance
Checks
[GitHub]
Static
Analysis
Security
Test
(SAST)
[SonarQube]
OPENSCAP
EVAL
&
REMEDIATE
Policy
Enforcement
For
Build
Artifacts
& Images
[OCP]

Demo Output for OpenSCAP Image Scan from Pipeline

Demo Output for OpenSCAP Image Scan

Compliance Check
BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT
Pre-receive
Hooks
With
Security
Compliance
Checks
[GitHub]
Static
Analysis
Security
Test
(SAST)
[SonarQube]
OPENSCAP
EVAL
&
REMEDIATE
Policy
Enforcement
For
Build
Artifacts
& Images
[OCP]
Image
Scanning
w/ tailored
profiles
[OpenSCAP]
[Clair]

Policy-Driven Deployment and Compliance
Secure
Artifacts,
Compliance
as
Code,
Vulnerability
Assessments

Demo Vulnerability Assessment from Pipeline

Demo Output for Vulnerability Assessment

BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT
Pre-receive
Hooks
With
Security
Compliance
Checks
[GitHub]
Static
Analysis
Security
Test
(SAST)
[SonarQube]
OPENSCAP
EVAL
&
REMEDIATE
Policy
Enforcement
For
Build
Artifacts
& Images
[OCP]
Image
Scanning
w/ tailored
profiles
[OpenSCAP]
[Clair]
Vulnerability
Assessment
(CVE,OWASP)
[ZAP]

What Gets Measured Gets Improved
More Security Testing
(Pen Testing, Fuzz, …)

FROM CODE TO CAPABILITIES
BUILD
• Dependency
Management
• Image Scan
DEV
• Pre-receive Hooks
• Static Analysis.
TEST
• Integration Tests
• Penetration / Fuzz
Testing
DEPLOY
• Vulnerability
Assessment
• Signed Images
CODE CAPABILITIES

Continue to Build Trust and Automate When Ready
Security
Review
Staging/UAT

Demo Output of Completed Pipeline

BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT
Pre-receive
Hooks
With
Security
Compliance
Checks
[GitHub]
Static
Analysis
Security
Test
(SAST)
[SonarQube]
OPENSCAP
EVAL
&
REMEDIATE
Policy
Enforcement
For
Build
Artifacts
& Images
[OCP]
Image
Scanning
w/ tailored
profiles
[OpenSCAP]
[Clair]
Vulnerability
Assessment
(CVE,OWASP)
[ZAP]
Push/Pull
Signed
Images
[OCP]

Iterative Secure Deployments and Day 2 Ops
Monitoring,
Automated
Compliance
Maintenance

Day-2 Ops Sample View from Ansible Tower
An incrediblyusefulsystem managementframeworkwhenappliedas a configurationmanagementtool
SOFTWARE SYSTEMS WORK AS ADVERTISED
●AutomatecompliancewithAnsible
●RedHatGovGitHubhasan 800-53rolethatyou canuseto apply
STIG settings
●https://github.com/RedHatGov/ansible-role-800-53
●Configuration Drift?Noproblem.Reruntheplaybookforcontinuous
compliance

BUILD
PULL
or
CREATE
LOAD SCAN SIGN
MONITOR
Git
INSPECT
Pre-receive
Hooks
With
Security
Compliance
Checks
[GitHub]
Static
Analysis
Security
Test
(SAST)
[SonarQube]
OPENSCAP
EVAL
&
REMEDIATE
Policy
Enforcement
For
Build
Artifacts
& Images
[OCP]
Image
Scanning
w/ tailored
profiles
[OpenSCAP]
[Clair]
Vulnerability
Assessment
(CVE,OWASP)
[ZAP]
Push/Pull
Signed
Images
[OCP]
CM
Drift
Prevention
& Metrics
[Ansible]
[OCP]

Cloud Accelerates DevOps
DevOps frameworks want:
• Consistency
• Agility
• Scalability
DevSecOps wants:
• Consistency
• Secure environment to build in
• Visibility

Secure Development Enclave
AWS GovCloud (US) is accredited by
DoD and FedRAMP up to
IL-5 (NSS)
True hyperscale cloud offering for
DoD/government
Inherit hundreds of 800-53 controls
Security built-in Enterprise: 423
Infrastructure: 11
Service: 187
App: 73

Benefits
• Agility
• Experiment in pre-accredited enclaves (Zone A/B), up and
running in minutes
• Scalability
• Deploy 1, 10, 100 nodes instantly – SPAWAR Systems Center
enables without difficult acquisition gate
• Breadth of Functionality
• AWS managed services, deep integration with Red Hat (service
broker)
• Cost
• Fail cheaply, learn faster

Speaker Contact
Rick Jack
Distinguished C4ISR
Software Engineer -
SSTM
Richard.jack@navy.mil
Phil Osip
Solution Architect, Red
Hat
posip@redhat.com
Rob Nolen
Solutions Architect, AWS
nolenr@amazon.com

Questions?

Thank you!

Modernizing Software Development in the US Navy

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Modernizing Software Development in the US Navy

Similar to Modernizing Software Development in the US Navy (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Modernizing Software Development in the US Navy