Modeling DevSecOps to Reduce the Time-to-Deploy and Increase Resiliency
March 2021 • Webinar
Joseph D. Yankel, Aaron K. Reffett, Nataliya Shevchenko
In this webcast, we discuss why an authoritative reference, or Platform Independent Model, is needed to design an integrated DevDevSecOps strategy.
Software Engineering Institute
Many organizations struggle in applying DevSecOps practices and principles in a cybersecurity-constrained environment because programs lack a consistent basis for managing software intensive development, cybersecurity, and operations in a high-speed lifecycle. We will discuss how an authoritative reference, or Platform Independent Model (PIM), is needed to fully design and execute an integrated DevSecOps strategy in which all stakeholder needs are addressed, such as engineering security into all aspects of the DevSecOps pipeline to include both the pipeline and the deployed system. We will discuss how a PIM of a DevSecOps system can be used to
- Specify the DevSecOps requirements to the lead system integrators who need to develop a platform-specific solution that includes the system and CI/CD pipeline.
- Assess and analyze alternative pipeline functionality and feature changes as the system evolves.
- Apply DevSecOps methods to complex systems that do not follow well-established software architectural patterns used in industry.
- Provide a basis for threat and attack surface analysis to build a cyber assurance case in order to demonstrate that the software system and DevSecOps pipeline are sufficiently free from vulnerabilities and function only as intended
What attendees will learn
Plenty of guidelines exist to implement DevSecOps, but many of the decisions are left to each organization to implement and require a considerable amount of interpretation and often results in confusion. Attendees will understand how a DevSecOps PIM can be used to provide
- Consistent guidance and modeling capability that ensure all proper layers and development concerns are captured
- The model-based engineering of DevSecOps is included in the system model. This allows proper modeling of DevSecOps design trades resulting in less costly systems.
- Metrics and documentation of tradeoffs are captured and analyzed through the model-based engineering platform—PIM and will explicitly identify points that should be addressed or mitigated as well as mechanisms to manage coverage of the points. The model will provide dynamic matrices of whether those points were addressed, how they were addressed, and how well the corresponding (to the points) module is covered.
- Risk modeling against decisions and DevSecOps model-based engineering to ensure security controls and processes are properly selected and deployed.