Tackling RMF w/DevSecOps
Jennifer
March 2019
The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for Public Release; Distribution Unlimited. Public Release Case Number 19-0841
Agenda
Brief Reminder of What DevSecOps Is and Where Information Security Fits
Brief Case Study
Tidbits from Other Sponsors
Common SDLC Pattern
DevOps is about automating as much of the SDLC as possible to reduce delivery time, improve quality/security, and reduce re-work/fix cost
Image source: https://www.mountaingoatsoftware.com/presentations/an-introduction-to-scrum
What To Do? DevSecOps
Enabled by: Culture / Mindset, Automation, Technology and Processes
Image sources: https://www.peakgrantmaking.org/blog/process-automation-new-black/ and https://martinfowler.com/bliki/DevOpsCulture.html
Development, Security, and Operations are one team
What Is the “Enabling”?
🤝 Collaboration Between Stakeholders
🛣 Infrastructure as Code
⚙ Automation of Processes
🔍 Continuous Monitoring of applications and infrastructure
Different Model
Image source: IBM Research, Software Defined Environments; IBM Federal Cloud Innovation Center
Culture - Align the people to DevSecOps
Developers + Operations: Include Security!
Image sources: https://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr/6-Spock_Scotty_Little_bit_weird, http://www.fanpop.com/clubs/star-trek-the-next-generation/images/9406774/title/lieutenant-worf-photo
What about Security (IA)?
Defined Good Results
DevSecOps
Image source: https://www.sans.org/security-resources/posters/appsec/secure-devops-toolchain-swat-checklist-60
How One Government Agency Did It(and other tidbits)
“ATO-in-a-Day” aka “ATO at Hello” aka “Continuous ATO”. Enterprise Strategy: Agile SDLC -> Need security processes to meet speed
Defined security “playbook” and maturity model
RMF Policy Interpretation
How Can We Use Automation Output to Meet the Requirements? How can we maximize inheritance of controls?
Tailored security rigor and body of evidence requirements based on risk level
Provide Unclassified PAAS that meets ~80% of required security controls
Focus on supply chain – custom dependency checking of products moving low to high
Embed security DevOps engineer with enterprise DevOps team
Risk mgt staff (security assessors) culture change
PaaS Compared
Customization; higher costs; slower time to value (larger job pool, more complex)
versus
Standardization; lower costs; faster time to value
Image source: https://www.oreilly.com/library/view/the-enterprise-cloud/9781491907832/ch01.html
System Eligibility
• Basic Criteria:
  • Leverage the provided PaaS Microservice Architecture
  • Build and deliver using the provided enterprise DevSecOps Pipeline
  • Utilize APIs only for data calls
• Utilizing the enterprise provided resourcing = Inherit more than 80% of controls from common control provider
• “ATO-in-a-Day” applies to unclassified, Category 1-Minimum Viable Product applications (actually ATO in 30 days or less)
• TS/SCI applications may take an additional 30 days
DevSecOps Tool Selection Example
Agile PM + Source Code Mgt + Build Tools + Continuous Integration + Artifact Repository + Testing Framework + Provisioning + Configuration Mgt & Deploy + Security + Logging & Monitoring
Security tools shown: ZAP, InSpec
Integrated Security Assessment
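The deck asks how automation output can be used to meet RMF requirements and then shows ZAP and InSpec as the security tools in the pipeline. The following is an added example (not from the deck or the agency it describes) of the glue a DevSecOps engineer would write for that: it reads a ZAP baseline JSON report and an InSpec JSON report, tags each finding with the NIST SP 800-53 control it is evidence for, rolls the results up per control for the body of evidence, and returns a pipeline gate decision. Both reports are constructed samples in the shape those tools emit (an assumption about the format; check it against your tool versions), and the ZAP plugin-ID-to-control mapping is this example's own assumption, not a ZAP feature.

```python
"""Turn pipeline security-tool output into RMF body-of-evidence entries.

Added example (not from the original deck). The two reports below are
constructed samples in the JSON shape ZAP and InSpec produce (assumed
format); the ZAP plugin-to-control mapping is this example's assumption.
"""
import json

# Constructed sample: ZAP baseline scan JSON report (trimmed).
ZAP_REPORT = json.dumps({
    "@version": "2.8.0",
    "site": [{
        "@name": "http://app.internal:8080",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "http://app.internal:8080/", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.internal:8080/login", "method": "GET"}]},
        ],
    }],
})

# Constructed sample: InSpec JSON report (trimmed). Controls carry a
# `nist` tag, the convention used by InSpec compliance profiles.
INSPEC_REPORT = json.dumps({
    "profiles": [{
        "name": "paas-baseline",
        "controls": [
            {"id": "sshd-01", "title": "SSH root login disabled", "impact": 0.7,
             "tags": {"nist": ["AC-6", "IA-2"]},
             "results": [{"status": "passed",
                          "code_desc": "sshd_config PermitRootLogin is expected to eq \"no\""}]},
            {"id": "audit-01", "title": "auditd is running", "impact": 0.5,
             "tags": {"nist": ["AU-2", "AU-12"]},
             "results": [{"status": "failed",
                          "code_desc": "Service auditd is expected to be running",
                          "message": "expected that `Service auditd` is running"}]},
        ],
    }],
})

# ZAP knows nothing about RMF controls; the pipeline owner maps alert
# plugin IDs to the control a finding is evidence against. Assumed mapping.
ZAP_PLUGIN_TO_CONTROL = {
    "10038": "SC-18",   # CSP header missing: script/mobile code restriction
    "10021": "SC-8",    # content-type sniffing protection
}

ZAP_RISK = {"0": "info", "1": "low", "2": "medium", "3": "high"}


def impact_to_severity(impact):
    """InSpec impact (0.0-1.0) -> coarse severity bucket used by the gate."""
    if impact >= 0.7:
        return "high"
    if impact >= 0.4:
        return "medium"
    return "low"


def evidence_from_zap(report_json):
    """One evidence record per ZAP alert; every alert is a failed check."""
    report = json.loads(report_json)
    records = []
    for site in report["site"]:
        for alert in site["alerts"]:
            records.append({
                "source": "zap",
                "control": ZAP_PLUGIN_TO_CONTROL.get(alert["pluginid"], "UNMAPPED"),
                "check": alert["alert"],
                "status": "failed",
                "severity": ZAP_RISK.get(alert["riskcode"], "unknown"),
                "instances": len(alert["instances"]),
            })
    return records


def evidence_from_inspec(report_json):
    """One evidence record per (control, NIST tag); status rolled up from results."""
    report = json.loads(report_json)
    records = []
    for profile in report["profiles"]:
        for ctl in profile["controls"]:
            statuses = {r["status"] for r in ctl["results"]}
            status = "failed" if "failed" in statuses else "passed"
            for nist_id in ctl["tags"].get("nist", ["UNMAPPED"]):
                records.append({
                    "source": "inspec",
                    "control": nist_id,
                    "check": ctl["title"],
                    "status": status,
                    "severity": impact_to_severity(ctl["impact"]),
                    "instances": len(ctl["results"]),
                })
    return records


def gate(records, block_on=("high", "medium")):
    """Pipeline gate: fail on any failed check at or above the block threshold.
    Returns (passed, blocking_records)."""
    blocking = [r for r in records if r["status"] == "failed" and r["severity"] in block_on]
    return (not blocking, blocking)


def controls_summary(records):
    """Per-control roll-up for the body of evidence: control -> 'passed'/'failed'."""
    summary = {}
    for r in records:
        failed = summary.get(r["control"]) == "failed" or r["status"] == "failed"
        summary[r["control"]] = "failed" if failed else "passed"
    return summary


if __name__ == "__main__":
    recs = evidence_from_zap(ZAP_REPORT) + evidence_from_inspec(INSPEC_REPORT)
    ok, blocking = gate(recs)
    for ctl, status in sorted(controls_summary(recs).items()):
        print(f"{ctl:8} {status}")
    print("GATE:", "PASS" if ok else "FAIL", f"({len(blocking)} blocking findings)")
```

The threshold passed to `gate` is where the deck's "tailored security rigor based on risk level" lands in practice: a Category 1 minimum viable product might block only on high findings, while a higher-risk system blocks on medium as well, with the per-control summary attached to the package as evidence either way.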
Questions?