Software development within the federal government often begins with an alignment to the Authorizations to Operate (ATO) and related, required security processes. Sometimes, these are an impediment to DevSecOps. So how can teams implement sound DevSecOps into an environment with strict controls and processes?
Hasan Yasar works in Secure Lifecycle Solutions at the Software Engineering Institute at Carnegie Mellon University (@securelifecycle), where the team is working on implementing Continuous Authorization as a more secure and DevSecOps-friendly process. He presented on this topic in Continuous Authorization With DevSecOps at the All Day DevOps conference.
Hasan began by making the case for DevOps, covering four fundamental principles:
Implementing these well is the goal of DevOps. Continuous Authorization is another evolution in the process. Continuous Authorization “changes the perspective of authentication from an event to a process”, says Frank Dickson, a research director at IDC, a global market intelligence firm. Dynamic authentication examines attributes that change and continually looks to validate the authentication.
Continuous Authorization makes systems more secure because it:
Continuous Authorization eliminates the error-prone human checking through the pages-long Excel spreadsheet of security requirements. It also continuously monitors the system to ensure compliance with the requirements.
Applying Continuous Authorization begins with seeing the application lifecycle through the DevOps mindset. This includes security automation with IaC, Continuous Integration, and Continuous Deployment. Hasan illustrated how Continuous Authorization integrates at each step in a DevOps Factory.
The DevOps Factory runs from feature request to deployment. It is iterative and incremental development, includes automation in every phase, provides continuous feedback, metrics, and measurement, is transparent and traceable, and engages with all stakeholders.
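To make the shift from a one-time authorization event to a continuous process concrete, here is an added example (not code from the talk or from SEI): a small pipeline gate that encodes a handful of security requirements as machine-checkable controls, evaluates them against each new evidence snapshot (IaC state plus telemetry), and revokes authorization the moment a change breaks a control. The control IDs, snapshot fields and their values are constructed for this illustration.

```python
"""Continuous Authorization gate: re-evaluate controls on every change.
Added example; control IDs, snapshot fields and values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Control:
    control_id: str                 # constructed ID, stands in for a spreadsheet row
    description: str
    check: Callable[[dict], bool]   # automated replacement for manual review


def _tls_version(v: str) -> tuple:
    """Parse '1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Requirements that previously lived in a pages-long spreadsheet, now executable.
CONTROLS: List[Control] = [
    Control("REQ-01", "Transport encryption: TLS 1.2 or newer only",
            lambda s: _tls_version(s["tls_min_version"]) >= (1, 2)),
    Control("REQ-02", "Data at rest is encrypted", lambda s: s["storage_encrypted"] is True),
    Control("REQ-03", "MFA enforced for privileged accounts", lambda s: s["admin_mfa_enabled"] is True),
    Control("REQ-04", "Vulnerability scan within 7 days with no open criticals",
            lambda s: s["days_since_last_scan"] <= 7 and s["open_critical_findings"] == 0),
]


def evaluate(snapshot: dict) -> Dict[str, bool]:
    """Run every control against one evidence snapshot; returns pass/fail per control."""
    return {c.control_id: bool(c.check(snapshot)) for c in CONTROLS}


def decide(results: Dict[str, bool]) -> str:
    """The gate: authorization holds only while every control passes."""
    return "AUTHORIZED" if all(results.values()) else "AUTHORIZATION REVOKED"


def authorize_continuously(snapshots: List[dict]) -> List[str]:
    """Authorization as a process: one decision per observed change, not one ATO event."""
    return [decide(evaluate(s)) for s in snapshots]


# Constructed evidence: the initial deployment, then two later changes.
SNAPSHOTS = [
    {"tls_min_version": "1.2", "storage_encrypted": True, "admin_mfa_enabled": True,
     "days_since_last_scan": 2, "open_critical_findings": 0},
    # Configuration drift: an IaC change disabled MFA for admin accounts.
    {"tls_min_version": "1.2", "storage_encrypted": True, "admin_mfa_enabled": False,
     "days_since_last_scan": 3, "open_critical_findings": 0},
    # MFA restored, but the scan cadence has lapsed.
    {"tls_min_version": "1.3", "storage_encrypted": True, "admin_mfa_enabled": True,
     "days_since_last_scan": 9, "open_critical_findings": 0},
]

if __name__ == "__main__":
    for snap, status in zip(SNAPSHOTS, authorize_continuously(SNAPSHOTS)):
        failed = [cid for cid, ok in evaluate(snap).items() if not ok]
        print(status, "- failed controls:", failed or "none")
```

In a real pipeline the snapshot would be assembled from the IaC plan and monitoring feeds at each stage, and a revoked status would block the deployment rather than just print.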
Hasan walked through how Continuous Authorization plays out in each phase of DevOps.
The federal government developed a standard for this process: the Risk Management Framework (RMF), based on NIST 800-37. Hasan states that the RMF “provides a disciplined and structured process that integrates information security and risk management activities into the system development lifecycle.”
It is a continuous process - a key requirement for DevOps - that has six steps:
Adhering to the RMF by using Continuous Authorization is covered in more detail in Hasan’s full presentation, below.
Register for the next All Day DevOps, November 6, 2019. It will be a day to discuss security, CI/CD, cloud native infrastructure, cultural transformation, site reliability engineering, and other interesting topics.