Modeling DevSecOps to Reduce the Time-to-Deploy and Increase Resiliency
Software Engineering Institute
Many organizations struggle in applying DevSecOps practices and principles in a cybersecurity-constrained environment because programs lack a consistent basis for managing software intensive development, cybersecurity, and operations in a high-speed lifecycle. We will discuss how an authoritative reference, or Platform Independent Model (PIM), is needed to fully design and execute an integrated DevSecOps strategy in which all stakeholder needs are addressed, such as engineering security into all aspects of the DevSecOps pipeline to include both the pipeline and the deployed system. We will discuss how a PIM of a DevSecOps system can be used to
- Specify the DevSecOps requirements to the lead system integrators who need to develop a platform-specific solution that includes the system and CI/CD pipeline.
- Assess and analyze alternative pipeline functionality and feature changes as the system evolves.
- Apply DevSecOps methods to complex systems that do not follow well-established software architectural patterns used in industry.
- Provide a basis for threat and attack surface analysis to build a cyber assurance case in order to demonstrate that the software system and DevSecOps pipeline are sufficiently free from vulnerabilities and function only as intended
What attendees will learn
Plenty of guidelines exist to implement DevSecOps, but many of the decisions are left to each organization to implement and require a considerable amount of interpretation and often results in confusion. Attendees will understand how a DevSecOps PIM can be used to provide
- Consistent guidance and modeling capability that ensure all proper layers and development concerns are captured
- The model-based engineering of DevSecOps is included in the system model. This allows proper modeling of DevSecOps design trades resulting in less costly systems.
- Metrics and documentation of tradeoffs are captured and analyzed through the model-based engineering platform—PIM and will explicitly identify points that should be addressed or mitigated as well as mechanisms to manage coverage of the points. The model will provide dynamic matrices of whether those points were addressed, how they were addressed, and how well the corresponding (to the points) module is covered.
- Risk modeling against decisions and DevSecOps model-based engineering to ensure security controls and processes are properly selected and deployed.
About the Speaker
Aaron Reffett is a senior member of the technical staff in the CERT Cybersecurity Foundations directorate of the Software Engineering Institute (SEI). He develops and operates applications for the analysis of cyber-related data in support of Department of Defense (DoD) and Department of Homeland Security (DHS) missions. In addition, he …Read more
Nataliya Shevchenko is a senior member of the technical staff within the CERT Division of the Carnegie Mellon University Software Engineering Institute (CMU SEI). She specializes in system engineering, model-based system engineering (MBSE), and threat-modeling methods. She has a breadth of experience across the software development lifecycle for more than …Read more