Requirements Gathering for a Successful Rugged DevOps Implementation

HasanYasar|TechnicalManager|SoftwareEngineeringInstitute- CMU

Getmyslidesimmediately

community@alldaydevops.com

Copyright2017CarnegieMellonUniversity

ThismaterialisbaseduponworkfundedandsupportedbytheDepartmentofDefenseunderContractNo.FA8721-05-C-0003withCarnegieMellonUniversityfortheoperationoftheSoftwareEngineeringInstitute,afederallyfundedresearchanddevelopmentcenter.

Anyopinions,findingsandconclusionsorrecommendationsexpressedinthismaterialarethoseoftheauthor(s)anddonotnecessarilyreflecttheviewsoftheUnitedStatesDepartmentofDefense.

NOWARRANTY.THISCARNEGIEMELLONUNIVERSITYANDSOFTWAREENGINEERINGINSTITUTEMATERIALISFURNISHEDONAN“AS-IS”BASIS.CARNEGIEMELLONUNIVERSITYMAKESNOWARRANTIESOFANYKIND,EITHEREXPRESSEDORIMPLIED,ASTOANYMATTERINCLUDING,BUTNOTLIMITEDTO,WARRANTYOFFITNESSFORPURPOSEORMERCHANTABILITY,EXCLUSIVITY,ORRESULTSOBTAINEDFROMUSEOFTHEMATERIAL.CARNEGIEMELLONUNIVERSITYDOESNOTMAKEANYWARRANTYOFANYKINDWITHRESPECTTOFREEDOMFROMPATENT,TRADEMARK,ORCOPYRIGHTINFRINGEMENT.

[DistributionStatementA]Thismaterialhasbeenapprovedforpublicreleaseandunlimiteddistribution.PleaseseeCopyrightnoticefornon-USGovernmentuseanddistribution.

Thismaterialmaybereproducedinitsentirety,withoutmodification,andfreelydistributedinwrittenorelectronicformwithoutrequestingformalpermission.Permissionisrequiredforanyotheruse.RequestsforpermissionshouldbedirectedtotheSoftwareEngineeringInstituteatpermission@sei.cmu.edu .

CarnegieMellon® and CERT® areregisteredmarksofCarnegieMellonUniversity.

DM-0004478

TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandevaluation

People,Process,PlatformAutomatedIntegratedDevelopmentPipeline

Background

• TheSoftwareEngineeringInstitute(SEI)isaFederallyFundedResearchandDevelopmentCenter(FFRDC)

• Researchandpracticeinsoftwaredevelopment,acquisition,andmaintenancepractices

• AssistednumerousgovernmentorganizationsinmodernizingtheirsoftwaredevelopmentpracticesinthespiritofDevOpsprinciples.

• Applicationsecurityistheprinciplequalityattributeofthesoftwaretheyproduce.

CommonquestionHowcanIimplementedRuggedDevOpsprocessandplatforminmyteam/directorate/project/organization/unit… ?

Howtoassessthecurrentstate?Wherearetheproductivitybottlenecks?Whomtotrainonwhat?Whatandhowtomeasure?Howtomonitor?

TheRuggedManifestoIamruggedand,moreimportantly,mycodeisrugged.

Irecognizethatsoftware hasbecomeafoundationofourmodernworld.

Irecognizetheawesomeresponsibility thatcomeswiththisfoundationalrole.IrecognizethatmycodewillbeusedinwaysIcannotanticipate,inwaysitwasnotdesigned,andforlonger

thanitwaseverintended.

Irecognizethatmycodewillbeattackedbytalentedandpersistentadversaries whothreaten ourphysical,economicandnationalsecurity.

Irecognizethesethings– andIchoosetoberugged.

IamruggedbecauseIrefusetobeasourceofvulnerabilityorweakness.IamruggedbecauseIassuremycodewillsupportitsmission.

Iamruggedbecausemycodecanfacethesechallengesandpersistinspiteofthem.

Iamrugged,notbecauseitiseasy,butbecauseitisnecessary andIamupforthechallenge.

TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandevaluation

People,Process,PlatformAutomatedIntegratedDevelopmentPipeline

CommonPitfalls

HELP!

Whatwentwrong?

• DevOpsis– AFAD– Onlyabouttooling– AProduct– OnlyaboutDevandOps– Sameforallorgs– Onlycontinuesintegration/deployment– Neworganizationalunit

TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandevaluation

People,Process,PlatformAutomatedIntegratedDevelopmentPipeline

CurrentStateAssessment

• InterviewwithfunctionalleadsfromkeyareasrelatedtoApplicationDevelopment.

• Reviewof:– Validationofstatements(e.g.,throughobservations

oftheworkenvironmentorshadowing)– Demonstrationsofanysoftwaretoolsusedfor

automationofsoftwaredevelopmentanddeployment

– Culturalperspectiverelatedto developmentevolutionandSecurityteam

– Legal,RiskManagementandallstakeholders

AssessmentPlan

1. Agreeondefinitions(DevOps,DevSecOps)andprocess2. Identifystakeholders3. Performinterviewoneachteam4. Identifyandanalyzetechnicaltoolstack5. Collectkeymetricsandestablishmeasurement6. Identifygapareasanddeveloparoadmap7. Selectsuitableprojecttoimplement:Build,Learn,evaluate

AssessmentProcess

• Schedulinganinterviewwithteams• AnonymousSurvey• Analyzeoutcomes• Providefeedbacktotheteams• Brief theexecutiveteam

IdentifyStakeholders

DevelopersDeployment

Maintenance

Security

Programming

Infrastructure

Scalability

Networks

FunctionalRequirements

Performance

Testing

UserInterface

TechnicalDocumentation

Updates

CodeReview

ReleaseReview

UserDocumentation

DataPrivacy

IntrusionDetection

UserRequirements

BusinessConstraints

LegalIssues

MarketNeeds

Budgets/Timelines

Monitoring

Incidentresponse

ITOperations

Deployment

Maintenance

Security

Programming

Infrastructure

Scalability

Networks

FunctionalRequirements

Performance

Testing

UserInterface

TechnicalDocumentation

Updates

CodeReview

ReleaseReview

UserDocumentation

DataPrivacy

IntrusionDetection

UserRequirements

BusinessConstraints

LegalIssues

MarketNeeds

Budgets/Timelines

Monitoring

Incidentresponse

QualityAssurance

Deployment

Maintenance

Security

Programming

Infrastructure

Scalability

Networks

FunctionalRequirements

Performance

Testing

UserInterface

TechnicalDocumentation

Updates

CodeReview

ReleaseReview

UserDocumentation

DataPrivacy

IntrusionDetection

UserRequirements

BusinessConstraints

LegalIssues

MarketNeeds

Budgets/Timelines

Monitoring

Incidentresponse

BusinessAnalyst

Deployment

Maintenance

Security

Programming

Infrastructure

Scalability

Networks

FunctionalRequirements

Performance

Testing

UserInterface

TechnicalDocumentation

Updates

CodeReview

ReleaseReview

UserDocumentation

DataPrivacy

IntrusionDetection

UserRequirements

BusinessConstraints

LegalIssues

MarketNeeds

Budgets/Timelines

Monitoring

Incidentresponse

InformationSecurity

Deployment

Maintenance

Security

Programming

Infrastructure

Scalability

Networks

FunctionalRequirements

Performance

Testing

UserInterface

TechnicalDocumentation

Updates

CodeReview

ReleaseReview

UserDocumentation

DataPrivacy

IntrusionDetection

UserRequirements

BusinessConstraints

LegalIssues

MarketNeeds

Budgets/Timelines

Monitoring

Incidentresponse

Assessment– BusinessAnalyst/PM

• Requirementsdevelopment&management• Acquisition&contractingprocess• Riskmanagementprocess• Compliancesrequirements• ProjectPlanningandtracking

Assessment– Developer

• Developmentmethodology– agile,waterfall,SAFe,EP,Lean,orcowboycoding

• Developmentenvironments• Taskassignment/management/completion• Collaborationwithother(internal/external)teams

Assessment– QualityAssurance

• Softwaretestingmethodologies• Software{quality}assurance• Compliancesverification• Auditrequirements• Feedbacktodevteam

Assessment– Deployment/Release

• Softwareconfigurationmanagement• Integrationprocess• Softwareverificationandvalidationprocess• Softwarereviewandauditprocess• Securing thedeploymentpipeline

Assessment– ITOperations

• Softwareoperationalprocess• Teamengagement• Policyknowledgemanagement• Assetsmanagement• ITgovernance• Servicemanagement• Auditandmonitoring

Assessment– InformationSecurity

• Management andauditingsupplychain• Securitycontrols• Securitypolices(compliancerequirements)• Applicationsecuritytesting• Productsecuritymanagement(PSIRT)• Securityawarenesstrainingandknowledgemanagement

Assessment– TechnologyStack

• Developmentlanguageandtools• ITsolutionstack• Enterprisesupportservices• Legacysystems• Applicationdevelopmentsupporttools• Softwarereuseprocess• Accreditationandapprovalprocess

IdentifyMetricsandMeasurement

• Softwaremetrics• Qualitymetrics• Checkpointdiagnostic

– Qualitativeprocessbaseline– Quantitativeperformancebaseline– Benchmarkperformancecomparison

• Defineend-goalasbeingRugged:Whatthatmeanstoallstakeholders

Identify SuitableProject

• Select{neworexisting}projectaspilot– Moststakeholdersinvolvement– Minimizerisktobusiness– Abilitylearn/develop/implementsecurityintheprocess– Scalabletotheorganization

TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandEvaluation

People,Process,PlatformAutomatedIntegratedDevelopmentPipeline

Feedbacktotheteam

• Collaborateallteamleads• Shareidentifiedrequirements• Categorizeandprioritizethe

requirements• Collectivelydevelopan

implementationplan:People+Process+Platform

People

• Heavycollaborationbetweenallstakeholders– SecureDesign/Architecturedecisions– SecureEnvironment/Networkconfiguration– SecureDeploymentplanning– SecureCodeReview

• Constantlyavailableopencommunicationchannels:– DevandOpSec togetherinallprojectdecisionmeeting– Chat/e-mail/Wikiservicesavailabletoallteam

members

Process• Establishaprocess toenablepeople tosucceed

usingtheplatformtodevelopRuggedapplication

• Suchthat;• Constantcommunicationandvisibletoall• Ensuresthattasksaretestableand

repeatable• Freesuphumanexpertstodochallenging,

creativework• Allowstaskstobeperformedwithminimal

effortorcost• Createsconfidenceintasksuccess,afterpast

repetitions• Fasterdeployment,frequentqualityrelease

Platform

• Wherepeople useprocess tobuildruggedsoftware

• Automatedenvironmentcreationandprovisioning

• Automatedinfrastructuretesting• ParitybetweenDevelopment,QA,Staging,

andProductionenvironments• Sharingandversioningofenvironmental

configurations• Collaborativeenvironmentbetweenall

stakeholders

RuggedContinued…

• Culture– NOTatool,SDLC,ororgstructure

• Rugged!=Secure- secureisonlyaninstantintime

• Proactivesecurityisbetterthanreactive– Reactivewillfaileventually

Culture

ProcessandPractices

SystemandArchitecture

Automationand

Measurement

RuggedDevOpsonSecurity Culture• Developer and OpSec

collaborate • Developers and OpSec

support releases beyond deployment

• Dev and OpSec have access to stakeholders who understand business and mission goals

Security Automation /Measurement• Automate repetitive and error-

prone tasks (e.g., build, testing, and deployment maintain consistent environments)

• Static and dynamic security analysis automation

• Performance dashboards

Security in Process and Practices• Secure Pipeline streamlining• Continuous-delivery practices (e.g.,

continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments)

Secure System and Architecture• Architected to support test

automation and continuous-integration goals

• Applications that support changes without release (e.g., late binding)

• Scalable, secure, reliable, etc.

TopicsBackgroundCommonPitfallsCurrentStateAssessmentRequirementsAnalysisandEvaluation

People,Process,PlatformAutomatedIntegratedDevelopmentPipeline

ContinuousIntegration(CI)Model

Integrationandcommunication,evenamongtools,isthekey!

Humanactions/inputstothesoftwaredevelopmentprocess

Actionsperformedbyautonomoussystems

TaketheDevSecOps Surveybit.ly/DevSecOps-2017

Oursponsorsspeakyourlanguage…DevOps.

MoreonSEIDevOpsBloghttps://insights.sei.cmu.edu/devops

ThankYou!

HasanYasarTechnicalManager,SecureLifecycleSolutionshyasar@sei.cmu.edu@securelifecycle

WebResources(CERT/SEI)

http://www.cert.org/

http://www.sei.cmu.edu/