Page 1
Tackling RMF w/DevSecOps
Jennifer [email protected]
March 2019
The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for Public Release; Distribution Unlimited. Public Release Case Number 19-0841
Page 2
Agenda
Brief Reminder of What DevSecOps Is and Where Information Security Fits
Brief Case Study
Tidbits from Other Sponsors
Page 3
Common SDLC Pattern
DevOps is about automating as much of the SDLC as possible to reduce delivery time, improve quality/security, and reduce re-work/fix cost
Image source: https://www.mountaingoatsoftware.com/presentations/an-introduction-to-scrum
Page 4
What To Do? DevSecOps
Culture / Mindset
Automation
Technology and Processes
Enabled by
Image sources: https://www.peakgrantmaking.org/blog/process-automation-new-black/ and https://martinfowler.com/bliki/DevOpsCulture.html
Development, Security, and Operations are one team
Page 5
What Is the “Enabling”?
🤝 Collaboration Between Stakeholders
🛣 Infrastructure as Code
⚙ Automation of Processes
🔍 Continuous Monitoring of applications and infrastructure
Page 6
Different Model
Image source: IBM Research, Software Defined Environments, IBM Federal Cloud Innovation Center
Page 7
Culture - Align the people to DevSecOps
Developers, Operations: Include Security!
Image sources: https://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr/6-Spock_Scotty_Little_bit_weird, http://www.fanpop.com/clubs/star-trek-the-next-generation/images/9406774/title/lieutenant-worf-photo
Page 8
What about Security (IA)?
Defined Good Results
Page 9
DevSecOps
Image source: https://www.sans.org/security-resources/posters/appsec/secure-devops-toolchain-swat-checklist-60
Page 10
How One Government Agency Did It (and other tidbits)
Page 11
“ATO-in-a-Day” aka “ATO at Hello” aka “Continuous ATO” Enterprise Strategy: Agile SDLC -> need security processes to meet speed
Defined security “playbook” and maturity model
RMF Policy Interpretation
How Can We Use Automation Output to Meet the Requirements? How can we maximize inheritance of controls?
Tailored security rigor and body of evidence requirements based on risk level
Provide Unclassified PAAS that meets ~80% of required security controls
Focus on supply chain – custom dependency checking of products moving low to high
Embed security DevOps engineer with enterprise DevOps team
Risk mgt staff (security assessors) culture change
Page 12
PaaS Compared
Customization; higher costs; slower time to value; larger job pool; more complex
Standardization; lower costs; faster time to value
Image source: https://www.oreilly.com/library/view/the-enterprise-cloud/9781491907832/ch01.html
Page 13
System Eligibility
• Basic Criteria:
• Leverage the provided PaaS Microservice Architecture
• Build and deliver using the provided enterprise DevSecOps Pipeline
• Utilize APIs only for data calls
• Utilizing the enterprise provided resourcing = Inherit more than 80% of controls from common control provider
• “ATO-in-a-Day” applies to unclassified, Category 1 (Minimum Viable Product) applications (actually ATO in 30 days or less)
• TS/SCI applications may take an additional 30 days
Page 14
DevSecOps Tool Selection Example
Agile PM
+ Source Code Mgt
+ Build Tools
+ Continuous Integration
+ Artifact Repository
+ Testing Framework
+ Provisioning
+ Configuration Mgt & Deploy
+ Security (ZAP, inspec)
+ Logging & Monitoring
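The deck asks how automation output can be used to meet RMF requirements and how much of the control set can be inherited from the PaaS. As an added example that is not part of this deck or the agency's pipeline, the following Python script shows one way to consolidate output from the security stage (constructed, simplified InSpec-style check results and ZAP-style alerts) into a body of evidence mapped to control identifiers, compute the inheritance ratio against the common control provider, and apply a gate whose rigor is tailored to the application's risk level. The control IDs are NIST SP 800-53 identifiers, but which ones the PaaS inherits, which tool check supports which control, the 80% threshold and the blocking severities are all assumptions made for this example.

```python
"""Consolidate pipeline security-tool output into RMF evidence (added example)."""

# Constructed sample of the control set a small application must satisfy and
# the subset the enterprise PaaS (common control provider) claims for it.
# The IDs are NIST SP 800-53 control identifiers; which ones a given PaaS
# actually inherits is an assumption made for this example.
REQUIRED_CONTROLS = {
    "AC-2", "AC-6", "AU-2", "AU-6", "CM-2", "CM-6", "IA-2", "IA-5",
    "RA-5", "SC-7", "SC-8", "SC-12", "SI-2", "SI-4", "SI-10",
}
INHERITED_FROM_PAAS = {
    "AC-2", "AC-6", "AU-2", "AU-6", "CM-2", "IA-2", "IA-5",
    "SC-7", "SC-8", "SC-12", "SI-2", "SI-4",
}

# Constructed, simplified tool output. Real InSpec and ZAP reports are larger
# JSON documents; only the fields this example needs are modelled, and the
# check-to-control mapping is an assumption.
INSPEC_RESULTS = [
    {"id": "os-hardening-01", "status": "passed", "control": "CM-6"},
    {"id": "os-hardening-02", "status": "passed", "control": "CM-6"},
]
ZAP_ALERTS = [
    {"name": "X-Content-Type-Options Header Missing", "risk": "Low", "control": "SI-10"},
    {"name": "SQL Injection", "risk": "High", "control": "SI-10"},
]

# Assumed tailoring of rigor by risk level: a Category 1 MVP blocks only on
# High findings; higher risk levels also block on Medium.
BLOCKING_RISK = {"category1": {"High"}, "higher": {"High", "Medium"}}


def inheritance_ratio(required, inherited):
    """Fraction of the required controls satisfied by the common control provider."""
    return len(required & inherited) / len(required)


def build_evidence(inspec_results, zap_alerts):
    """Map each tool result to the control it supports. Passed checks count as
    evidence; failed checks and ZAP alerts are recorded as findings."""
    evidence = {}
    for r in inspec_results:
        entry = evidence.setdefault(r["control"], {"passed": 0, "findings": []})
        if r["status"] == "passed":
            entry["passed"] += 1
        else:
            entry["findings"].append(("inspec", r["id"], "High"))
    for a in zap_alerts:
        entry = evidence.setdefault(a["control"], {"passed": 0, "findings": []})
        entry["findings"].append(("zap", a["name"], a["risk"]))
    return evidence


def assess(required, inherited, evidence, risk_level="category1", min_inheritance=0.8):
    """Return (ready, reasons). Ready means: enough controls are inherited,
    every non-inherited control has some automation evidence, and no finding
    at or above the blocking severity for this risk level remains."""
    reasons = []
    ratio = inheritance_ratio(required, inherited)
    if ratio < min_inheritance:
        reasons.append(f"inheritance {ratio:.0%} below {min_inheritance:.0%}")
    for c in sorted(required - inherited):
        if c not in evidence:
            reasons.append(f"no automation evidence for {c}")
    blocking = BLOCKING_RISK[risk_level]
    for c, entry in sorted(evidence.items()):
        for tool, name, risk in entry["findings"]:
            if risk in blocking:
                reasons.append(f"{c}: blocking {tool} finding '{name}' ({risk})")
    return (not reasons, reasons)


if __name__ == "__main__":
    ready, reasons = assess(REQUIRED_CONTROLS, INHERITED_FROM_PAAS,
                            build_evidence(INSPEC_RESULTS, ZAP_ALERTS))
    print("ready for assessment" if ready else "not ready:")
    for reason in reasons:
        print("  -", reason)
```

With the constructed input the gate reports two reasons: no evidence for RA-5 (no vulnerability-scan result was mapped to it) and the High ZAP finding; the Low header finding does not block a Category 1 MVP but a Medium finding would block an application assessed at the higher level.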
Page 15
Integrated Security Assessment