Guide to Implementing DevSecOps for a System of Systems in Highly Regulated Environments
April 2020 • Technical Report
Jose A. Morales, Richard Turner, Suzanne Miller, Peter Capell, Patrick R. Place, David James Shepard
This Technical Report provides guidance to projects interested in implementing DevSecOps (DSO) in defense or other highly regulated environments, including those involving systems of systems.
Software Engineering Institute
CMU/SEI Report Number
DOI (Digital Object Identifier):10.1184/R1/12363770.v1
DevSecOps (DSO) is an approach that integrates development (Dev), security (Sec), and delivery/operations (Ops) of software systems to reduce the time from need to capability and provide continuous integration and continuous delivery (CI/CD) with high software quality. The rapid acceptance and demonstrated effectiveness of DSO in software system development have led to proposals for its adoption in more complex projects. This document provides guidance to projects interested in implementing DSO in defense or other highly regulated environments, including those involving systems of systems.
The report provides rationale for adopting DSO and the dimensions of change required for that adoption. It introduces DSO, its principles, operations, and expected benefits. It describes objectives and activities needed to implement the DSO ecosystem, including preparation, establishment, and management. Preparation is necessary to create achievable goals and expectations and to establish feasible increments for building the ecosystem. Establishing the ecosystem includes evolving the culture, automation, processes, and system architecture from their initial state toward an initial capability. Managing the ecosystem includes measuring and monitoring both the health of the ecosystem and the performance of the organization. Additional information on the conceptual foundations of the DSO approach is also provided.