DevSecOps Fundamentals Guidebook – Tools & Activities by American Deparment of Defense

Introduction
The goal of DevSecOps is to improve customer outcomes and mission value through the automation, monitoring, and application of security at every phase of the software lifecycle. Figure 1 DevSecOps Phases and Continuous Feedback Loops conveys the software lifecycle phases and continuous feedback loops.

image - CISO2CISO.COM & CYBER SECURITY GROUP

Practicing DevSecOps requires an array of purpose-built tools and a wide range of activities that rely on those tools. This document conveys the relationship between each DevSecOps phase, a taxonomy of supporting tools for a given phase, and the set of activities that occur at each phase cross-referenced to the tool(s) that support the specific activity.

Audience and Scope
The target audience for this document include:
• DoD Enterprise DevSecOps platform capability providers
• DoD DevSecOps teams
• DoD programs

DevSecOps Tools and Activities
The tools and activities that follow are common across all DevSecOps ecosystems.

All Activities and Tools are listed in table format throughout this document.
Tools tables identify specific categories of tooling required to support the proper operation of a software factory within a DevSecOps ecosystem. The tools captured are categorical, not specific commercial products and/or versions. Each program should identify and select tools that properly support their software development needs. When possible, DoD enterprise-wide tooling that has already either been approved or has obtained provisional authorization is preferred.
Tools tables include the below columns:
• Tool: A specific tool category
• Features: Common characteristics used to describe the tool category
• Benefits: Simple value-proposition of the tool category
• Inputs: Types of data collected by the tool category
• Outputs: Types of artifacts that result from using the tool category
• Baseline: Either a status of REQUIRED or PREFERRED, where required indicates that the tool must be available within the software factory as part of the Minimal Viable Product (MVP) release, and preferred indicates an aspirational capability obtained as the ecosystem matures

Specific reference designs may elevate a specific tool from PREFERRED to REQUIRED, as well as add additional tools and/or activities that specifically support the nuances of a given reference design. Reference designs cannot lower a tool listed in this document from required to preferred

Activity tables list a wide range of activities for DevSecOps practices. The activities captured here do not diminish the fact that each program should define their own unique processes, choose proper and meaningful activities, and select specific software factory tools suitable for their software development needs. The continuous process improvement that results from the DevSecOps continuous feedback loops and performance metrics aggregation should drive the increase of automation across each of these activities.
Activities tables include the below columns:
• Activities: Actions that occur within the specific DevSecOps phase
• Description: Simple explanation of the activity being performed
• Inputs: Types of data that feed the activity
• Outputs: Types of data that result from the activity
• Tool Dependencies: List of tool categories required to support the activity

Security Tools & Activities Cross Reference
Security is integrated into the core of the DevSecOps phases, weaved into the fabric that touches each phase depicted in Figure 1 DevSecOps Phases and Continuous Feedback Loops. This integrated and wrapped approach to security facilitates automated risk characterization, monitoring, and risk mitigation across the totality of the application lifecycle. Table 1: Security Activities Summary and Cross-Reference summarizes this security posture by representing all of the security activities, the linked DevSecOps phase, and the activities and tools references.
The “Ops” part of DevSecOps means that security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities are baked-in throughout each of the eight DevSecOps SDLC phases. Integration into these tools must be considered at every phase in order to properly practice DevSecOps. This requirement substantially differentiates DevSecOps from legacy ways of development software where integration was done after the fact using a “bolt-on” mentality.
Table 1: Security Activities Summary and Cross-Reference

image-1 - CISO2CISO.COM & CYBER SECURITY GROUP

image-2 - CISO2CISO.COM & CYBER SECURITY GROUP

Plan Tools and Activities
Planning tools support software development planning, which includes configuration management planning, change management planning, project management planning, system design, software design, test planning, and security planning. Some tools will be used throughout the software lifecycle, such as a team collaboration tool, an issue tracking system, and a project management system. Some tools are shared at the enterprise level across programs. Policy and enforcement strategy should be established for access controls on various tools.
Table 3: Plan Phase Tools lists the typical tools that assist the planning process. The activities supported by the plan phase are listed in Table 4: Plan Phase Activities. Some activities are suitable at enterprise or program level, such as DevSecOps ecosystem design, project team onboarding planning, and change management planning. Others fit at the project level and are considered continuous in the DevSecOps lifecycle.