Date post: | 21-Feb-2017 |
Category: |
Technology |
Upload: | seniorstoryteller |
View: | 89 times |
Download: | 0 times |
Requirements Gathering for a Successful Rugged DevOps Implementation
HasanYasar|TechnicalManager|SoftwareEngineeringInstitute- CMU
Copyright2017CarnegieMellonUniversity
ThismaterialisbaseduponworkfundedandsupportedbytheDepartmentofDefenseunderContractNo.FA8721-05-C-0003withCarnegieMellonUniversityfortheoperationoftheSoftwareEngineeringInstitute,afederallyfundedresearchanddevelopmentcenter.
Anyopinions,findingsandconclusionsorrecommendationsexpressedinthismaterialarethoseoftheauthor(s)anddonotnecessarilyreflecttheviewsoftheUnitedStatesDepartmentofDefense.
NOWARRANTY.THISCARNEGIEMELLONUNIVERSITYANDSOFTWAREENGINEERINGINSTITUTEMATERIALISFURNISHEDONAN“AS-IS”BASIS.CARNEGIEMELLONUNIVERSITYMAKESNOWARRANTIESOFANYKIND,EITHEREXPRESSEDORIMPLIED,ASTOANYMATTERINCLUDING,BUTNOTLIMITEDTO,WARRANTYOFFITNESSFORPURPOSEORMERCHANTABILITY,EXCLUSIVITY,ORRESULTSOBTAINEDFROMUSEOFTHEMATERIAL.CARNEGIEMELLONUNIVERSITYDOESNOTMAKEANYWARRANTYOFANYKINDWITHRESPECTTOFREEDOMFROMPATENT,TRADEMARK,ORCOPYRIGHTINFRINGEMENT.
[DistributionStatementA]Thismaterialhasbeenapprovedforpublicreleaseandunlimiteddistribution.PleaseseeCopyrightnoticefornon-USGovernmentuseanddistribution.
Thismaterialmaybereproducedinitsentirety,withoutmodification,andfreelydistributedinwrittenorelectronicformwithoutrequestingformalpermission.Permissionisrequiredforanyotheruse.RequestsforpermissionshouldbedirectedtotheSoftwareEngineeringInstituteatpermission@sei.cmu.edu .
CarnegieMellon® and CERT® areregisteredmarksofCarnegieMellonUniversity.
DM-0004478
TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandevaluation
People,Process,PlatformAutomatedIntegratedDevelopmentPipeline
Background
• TheSoftwareEngineeringInstitute(SEI)isaFederallyFundedResearchandDevelopmentCenter(FFRDC)
• Researchandpracticeinsoftwaredevelopment,acquisition,andmaintenancepractices
• AssistednumerousgovernmentorganizationsinmodernizingtheirsoftwaredevelopmentpracticesinthespiritofDevOpsprinciples.
• Applicationsecurityistheprinciplequalityattributeofthesoftwaretheyproduce.
CommonquestionHowcanIimplementedRuggedDevOpsprocessandplatforminmyteam/directorate/project/organization/unit… ?
Howtoassessthecurrentstate?Wherearetheproductivitybottlenecks?Whomtotrainonwhat?Whatandhowtomeasure?Howtomonitor?
TheRuggedManifestoIamruggedand,moreimportantly,mycodeisrugged.
Irecognizethatsoftware hasbecomeafoundationofourmodernworld.
Irecognizetheawesomeresponsibility thatcomeswiththisfoundationalrole.IrecognizethatmycodewillbeusedinwaysIcannotanticipate,inwaysitwasnotdesigned,andforlonger
thanitwaseverintended.
Irecognizethatmycodewillbeattackedbytalentedandpersistentadversaries whothreaten ourphysical,economicandnationalsecurity.
Irecognizethesethings– andIchoosetoberugged.
IamruggedbecauseIrefusetobeasourceofvulnerabilityorweakness.IamruggedbecauseIassuremycodewillsupportitsmission.
Iamruggedbecausemycodecanfacethesechallengesandpersistinspiteofthem.
Iamrugged,notbecauseitiseasy,butbecauseitisnecessary andIamupforthechallenge.
TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandevaluation
People,Process,PlatformAutomatedIntegratedDevelopmentPipeline
CommonPitfalls
HELP!
Whatwentwrong?
• DevOpsis– AFAD– Onlyabouttooling– AProduct– OnlyaboutDevandOps– Sameforallorgs– Onlycontinuesintegration/deployment– Neworganizationalunit
TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandevaluation
People,Process,PlatformAutomatedIntegratedDevelopmentPipeline
CurrentStateAssessment
• InterviewwithfunctionalleadsfromkeyareasrelatedtoApplicationDevelopment.
• Reviewof:– Validationofstatements(e.g.,throughobservations
oftheworkenvironmentorshadowing)– Demonstrationsofanysoftwaretoolsusedfor
automationofsoftwaredevelopmentanddeployment
– Culturalperspectiverelatedto developmentevolutionandSecurityteam
– Legal,RiskManagementandallstakeholders
AssessmentPlan
1. Agreeondefinitions(DevOps,DevSecOps)andprocess2. Identifystakeholders3. Performinterviewoneachteam4. Identifyandanalyzetechnicaltoolstack5. Collectkeymetricsandestablishmeasurement6. Identifygapareasanddeveloparoadmap7. Selectsuitableprojecttoimplement:Build,Learn,evaluate
AssessmentProcess
• Schedulinganinterviewwithteams• AnonymousSurvey• Analyzeoutcomes• Providefeedbacktotheteams• Brief theexecutiveteam
IdentifyStakeholders
DevelopersDeployment
Maintenance
Security
Programming
Infrastructure
Scalability
Networks
FunctionalRequirements
Performance
Testing
UserInterface
TechnicalDocumentation
Updates
CodeReview
ReleaseReview
UserDocumentation
DataPrivacy
IntrusionDetection
UserRequirements
BusinessConstraints
LegalIssues
MarketNeeds
Budgets/Timelines
Monitoring
Incidentresponse
ITOperations
Deployment
Maintenance
Security
Programming
Infrastructure
Scalability
Networks
FunctionalRequirements
Performance
Testing
UserInterface
TechnicalDocumentation
Updates
CodeReview
ReleaseReview
UserDocumentation
DataPrivacy
IntrusionDetection
UserRequirements
BusinessConstraints
LegalIssues
MarketNeeds
Budgets/Timelines
Monitoring
Incidentresponse
QualityAssurance
Deployment
Maintenance
Security
Programming
Infrastructure
Scalability
Networks
FunctionalRequirements
Performance
Testing
UserInterface
TechnicalDocumentation
Updates
CodeReview
ReleaseReview
UserDocumentation
DataPrivacy
IntrusionDetection
UserRequirements
BusinessConstraints
LegalIssues
MarketNeeds
Budgets/Timelines
Monitoring
Incidentresponse
BusinessAnalyst
Deployment
Maintenance
Security
Programming
Infrastructure
Scalability
Networks
FunctionalRequirements
Performance
Testing
UserInterface
TechnicalDocumentation
Updates
CodeReview
ReleaseReview
UserDocumentation
DataPrivacy
IntrusionDetection
UserRequirements
BusinessConstraints
LegalIssues
MarketNeeds
Budgets/Timelines
Monitoring
Incidentresponse
InformationSecurity
Deployment
Maintenance
Security
Programming
Infrastructure
Scalability
Networks
FunctionalRequirements
Performance
Testing
UserInterface
TechnicalDocumentation
Updates
CodeReview
ReleaseReview
UserDocumentation
DataPrivacy
IntrusionDetection
UserRequirements
BusinessConstraints
LegalIssues
MarketNeeds
Budgets/Timelines
Monitoring
Incidentresponse
Assessment– BusinessAnalyst/PM
• Requirementsdevelopment&management• Acquisition&contractingprocess• Riskmanagementprocess• Compliancesrequirements• ProjectPlanningandtracking
Assessment– Developer
• Developmentmethodology– agile,waterfall,SAFe,EP,Lean,orcowboycoding
• Developmentenvironments• Taskassignment/management/completion• Collaborationwithother(internal/external)teams
Assessment– QualityAssurance
• Softwaretestingmethodologies• Software{quality}assurance• Compliancesverification• Auditrequirements• Feedbacktodevteam
Assessment– Deployment/Release
• Softwareconfigurationmanagement• Integrationprocess• Softwareverificationandvalidationprocess• Softwarereviewandauditprocess• Securing thedeploymentpipeline
Assessment– ITOperations
• Softwareoperationalprocess• Teamengagement• Policyknowledgemanagement• Assetsmanagement• ITgovernance• Servicemanagement• Auditandmonitoring
Assessment– InformationSecurity
• Management andauditingsupplychain• Securitycontrols• Securitypolices(compliancerequirements)• Applicationsecuritytesting• Productsecuritymanagement(PSIRT)• Securityawarenesstrainingandknowledgemanagement
Assessment– TechnologyStack
• Developmentlanguageandtools• ITsolutionstack• Enterprisesupportservices• Legacysystems• Applicationdevelopmentsupporttools• Softwarereuseprocess• Accreditationandapprovalprocess
IdentifyMetricsandMeasurement
• Softwaremetrics• Qualitymetrics• Checkpointdiagnostic
– Qualitativeprocessbaseline– Quantitativeperformancebaseline– Benchmarkperformancecomparison
• Defineend-goalasbeingRugged:Whatthatmeanstoallstakeholders
Identify SuitableProject
• Select{neworexisting}projectaspilot– Moststakeholdersinvolvement– Minimizerisktobusiness– Abilitylearn/develop/implementsecurityintheprocess– Scalabletotheorganization
TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandEvaluation
People,Process,PlatformAutomatedIntegratedDevelopmentPipeline
Feedbacktotheteam
• Collaborateallteamleads• Shareidentifiedrequirements• Categorizeandprioritizethe
requirements• Collectivelydevelopan
implementationplan:People+Process+Platform
People
• Heavycollaborationbetweenallstakeholders– SecureDesign/Architecturedecisions– SecureEnvironment/Networkconfiguration– SecureDeploymentplanning– SecureCodeReview
• Constantlyavailableopencommunicationchannels:– DevandOpSec togetherinallprojectdecisionmeeting– Chat/e-mail/Wikiservicesavailabletoallteam
members
Process• Establishaprocess toenablepeople tosucceed
usingtheplatformtodevelopRuggedapplication
• Suchthat;• Constantcommunicationandvisibletoall• Ensuresthattasksaretestableand
repeatable• Freesuphumanexpertstodochallenging,
creativework• Allowstaskstobeperformedwithminimal
effortorcost• Createsconfidenceintasksuccess,afterpast
repetitions• Fasterdeployment,frequentqualityrelease
Platform
• Wherepeople useprocess tobuildruggedsoftware
• Automatedenvironmentcreationandprovisioning
• Automatedinfrastructuretesting• ParitybetweenDevelopment,QA,Staging,
andProductionenvironments• Sharingandversioningofenvironmental
configurations• Collaborativeenvironmentbetweenall
stakeholders
RuggedContinued…
• Culture– NOTatool,SDLC,ororgstructure
• Rugged!=Secure- secureisonlyaninstantintime
• Proactivesecurityisbetterthanreactive– Reactivewillfaileventually
Culture
ProcessandPractices
SystemandArchitecture
Automationand
Measurement
RuggedDevOpsonSecurity Culture• Developer and OpSec
collaborate • Developers and OpSec
support releases beyond deployment
• Dev and OpSec have access to stakeholders who understand business and mission goals
Security Automation /Measurement• Automate repetitive and error-
prone tasks (e.g., build, testing, and deployment maintain consistent environments)
• Static and dynamic security analysis automation
• Performance dashboards
Security in Process and Practices• Secure Pipeline streamlining• Continuous-delivery practices (e.g.,
continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments)
Secure System and Architecture• Architected to support test
automation and continuous-integration goals
• Applications that support changes without release (e.g., late binding)
• Scalable, secure, reliable, etc.
TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandEvaluation
People,Process,PlatformAutomatedIntegratedDevelopmentPipeline
ContinuousIntegration(CI)Model
Integrationandcommunication,evenamongtools,isthekey!
Humanactions/inputstothesoftwaredevelopmentprocess
Actionsperformedbyautonomoussystems
TaketheDevSecOps Surveybit.ly/DevSecOps-2017
Oursponsorsspeakyourlanguage…DevOps.
MoreonSEIDevOpsBloghttps://insights.sei.cmu.edu/devops
ThankYou!
HasanYasarTechnicalManager,[email protected]@securelifecycle
WebResources(CERT/SEI)
http://www.cert.org/
http://www.sei.cmu.edu/