Page 1

Tackling RMF w/DevSecOps

Jennifer Rekas, jrekas@mitre.org

March 2019

The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for Public Release; Distribution Unlimited. Public Release Case Number 19-0841

Page 2

Agenda

Brief Reminder of What DevSecOps Is and Where Information Security Fits

Brief Case Study

Tidbits from Other Sponsors

Page 3

Common SDLC Pattern

DevOps is about automating as much of the SDLC as possible to reduce delivery time, improve quality/security, and reduce re-work/fix cost

Image source: https://www.mountaingoatsoftware.com/presentations/an-introduction-to-scrum

Page 4

What To Do? DevSecOps

Figure: Culture / Mindset, Automation, Technology and Processes, joined by the label "Enabled by"

Image sources: https://www.peakgrantmaking.org/blog/process-automation-new-black/ and https://martinfowler.com/bliki/DevOpsCulture.html

Development, Security, and Operations are one team

Page 5

What Is the “Enabling”?

🤝 Collaboration Between Stakeholders

🛣 Infrastructure as Code

⚙ Automation of Processes

🔍 Continuous Monitoring of applications and infrastructure

Page 6

Different Model

Image source: IBM Research, Software Defined Environments, IBM Federal Cloud Innovation Center

Page 7

Culture - Align the people to DevSecOps


Figure labels: Developers, Operations, "Include Security!"

Image sources: https://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr/6-Spock_Scotty_Little_bit_weird, http://www.fanpop.com/clubs/star-trek-the-next-generation/images/9406774/title/lieutenant-worf-photo

Page 8

What about Security (IA)?

Defined Good Results

Page 9

DevSecOps

Image source: https://www.sans.org/security-resources/posters/appsec/secure-devops-toolchain-swat-checklist-60

Page 10

How One Government Agency Did It (and other tidbits)

Page 11

“ATO-in-a-Day” aka “ATO at Hello” aka “Continuous ATO”

Enterprise Strategy: Agile SDLC -> Need security processes to meet speed

Defined security “playbook” and maturity model

RMF Policy Interpretation

How Can We Use Automation Output to Meet the Requirements?

How can we maximize inheritance of controls?

Tailored security rigor and body of evidence requirements based on risk level

Provide unclassified PaaS that meets ~80% of required security controls

Focus on supply chain – custom dependency checking of products moving low to high

Embed security DevOps engineer with enterprise DevOps team

Risk mgt staff (security assessors) culture change
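The two bullets on this slide about using automation output to meet RMF requirements and about custom dependency checking of products moving from low to high are illustrated below with example code written for this page; it is not code from the agency described or from the presentation. It assumes a constructed allowlist of approved (package, version) pairs with SHA-256 hashes, constructed artifact bytes standing in for real package files, and a placeholder control reference that an assessor would replace with the applicable control. The JSON record it emits is one shape a pipeline gate could attach to the body of evidence, and a non-zero exit code stops the transfer.

```python
"""Dependency allowlist gate that emits an RMF evidence record.

Added example for this page (not the agency's or MITRE's code). The
allowlist, artifact bytes and control reference below are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed: the assessor maps this check to the applicable control; the
# identifier here is a placeholder, not a control named in the deck.
CONTROL_REF = "PLACEHOLDER-SUPPLY-CHAIN-CONTROL"


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    sha256: str
    status: str   # approved | hash-mismatch | unapproved-version | not-allowlisted
    detail: str = ""


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifact contents standing in for real package files.
SAMPLE_ARTIFACTS: Dict[Tuple[str, str], bytes] = {
    ("libfoo", "1.2.0"): b"libfoo 1.2.0 constructed contents",
    ("libbar", "3.0.1"): b"libbar 3.0.1 constructed contents",
    ("libqux", "2.1.0"): b"libqux 2.1.0 constructed contents",
    ("libbaz", "0.9.0"): b"libbaz 0.9.0 constructed contents",
}

# Constructed allowlist: (name, version) -> SHA-256 approved for transfer.
# libfoo 1.2.0 matches its bytes; libbar 3.0.1 is pinned to a different hash
# (stale or altered artifact); only libqux 2.0.0 is approved; libbaz is absent.
ALLOWLIST: Dict[Tuple[str, str], str] = {
    ("libfoo", "1.2.0"): sha256_hex(SAMPLE_ARTIFACTS[("libfoo", "1.2.0")]),
    ("libbar", "3.0.1"): "0" * 64,
    ("libqux", "2.0.0"): "1" * 64,
}

# Constructed build manifest: what the low-side pipeline wants to move high.
SAMPLE_MANIFEST: List[Tuple[str, str, bytes]] = [
    (name, version, data) for (name, version), data in SAMPLE_ARTIFACTS.items()
]


def check_artifact(name: str, version: str, data: bytes,
                   allowlist: Dict[Tuple[str, str], str]) -> Finding:
    """Classify one artifact against the allowlist."""
    actual = sha256_hex(data)
    expected = allowlist.get((name, version))
    if expected is not None:
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(expected, actual):
            return Finding(name, version, actual, "approved")
        return Finding(name, version, actual, "hash-mismatch",
                       f"expected {expected[:12]}..., got {actual[:12]}...")
    approved_versions = sorted(v for (n, v) in allowlist if n == name)
    if approved_versions:
        return Finding(name, version, actual, "unapproved-version",
                       "approved versions: " + ", ".join(approved_versions))
    return Finding(name, version, actual, "not-allowlisted",
                   "no version of this package is approved")


def check_manifest(manifest: List[Tuple[str, str, bytes]],
                   allowlist: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Check every artifact in the manifest and return one finding each."""
    return [check_artifact(n, v, d, allowlist) for n, v, d in manifest]


def build_evidence(findings: List[Finding],
                   gate: str = "low-to-high transfer") -> dict:
    """Evidence record for the body of evidence: pass/fail plus per-artifact detail."""
    blocked = [f for f in findings if f.status != "approved"]
    return {
        "check": "dependency-allowlist",
        "control_ref": CONTROL_REF,
        "gate": gate,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "passed": not blocked,
        "artifacts_checked": len(findings),
        "artifacts_blocked": len(blocked),
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    evidence = build_evidence(check_manifest(SAMPLE_MANIFEST, ALLOWLIST))
    print(json.dumps(evidence, indent=2))
    # A failing gate must stop the transfer; exit code 1 signals that to the pipeline.
    raise SystemExit(0 if evidence["passed"] else 1)
```

Run as a script it prints the evidence record and exits non-zero because three of the four constructed artifacts are blocked (one hash mismatch, one unapproved version, one package with no approval at all). The same record, archived per build, is the kind of automation output the slide asks to reuse for assessment rather than a hand-written statement that dependencies were reviewed.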

Page 12

PaaS Compared

Figure: a scale with "Customization; higher costs; slower time to value" (larger job pool, more complex) at one end and "Standardization; lower costs; faster time to value" at the other

Image source: https://www.oreilly.com/library/view/the-enterprise-cloud/9781491907832/ch01.html

Page 13

System Eligibility

• Basic Criteria:
• Leverage the provided PaaS Microservice Architecture
• Build and deliver using the provided enterprise DevSecOps Pipeline
• Utilize APIs only for data calls

• Utilizing the enterprise provided resourcing = Inherit more than 80% of controls from common control provider

• “ATO-in-a-Day” applies to unclassified, Category 1-Minimum Viable Product applications (actually ATO in 30 days or less)

• TS/SCI applications may take an additional 30 days

Page 14

DevSecOps Tool Selection Example

Figure: example toolchain, one tool per category: Agile PM + Source Code Mgt + Build Tools + Continuous Integration + Artifact Repository + Testing Framework + Provisioning + Configuration Mgt & Deploy + Security + Logging & Monitoring. Tool names legible in the image: ZAP, inspec.

Page 15

Integrated Security Assessment

Page 16

Questions?
