DevSecOps Best Practices Guide
Final
Version 1.0
January 2020

This document was prepared for authorized distribution only. It has not been approved for public release.

Record of Changes

Version   Date                Author / Owner   Description of Change   CR #
1.0       January 2020        MITRE            Initial Draft
1.0       January 26, 2020    MITRE            Initial Version

CR: Change Request

Executive Summary

Application development programs use Agile and DevOps software development methodologies to support the continuous integration and continuous delivery their business solutions require. At the same time, those systems remain a primary target for bad actors because of the sensitive nature of mission data. DevSecOps accelerates delivery by automating the required security and privacy processes: threat modeling, generation of security and privacy documentation artifacts, change and source control management, static and dynamic code analysis, infrastructure hardening, and least-functionality checks.

This document describes proposed best practices (standards, processes, and technologies) to ensure that trusted applications and solutions are securely developed and continuously delivered to end users. DevSecOps best practices include:

• Security Validation as Code – Testing standards, testing content (code), and automation tools that answer the question "is it secure?"
• Documentation as Code – Testing standards, testing content (code), and automation tools that answer the question "how am I secure?" and help maintain System Security Plan (SSP) documentation.
• Change Management Auditing – Processes to foresee significant security testing changes in a Sprint (Security Impact Analysis), and pipeline auditing to track unauthorized changes during builds.
Answers the question "what changed?"
• Reporting – Reporting and integration requirements that support stakeholder use of security data from the DevSecOps lifecycle. Stakeholders include developers, Information System Security Officers (ISSOs), security assessors, security operations center staff, and Federal Information Security Modernization Act (FISMA) reporting teams.
• Operational Analytics – A best-practice process for engineering application audit log triggers during development so that anomalies can be detected during operations, with that data fed back into planning for the next application development Sprint.
• DevSecOps Process Improvement – Describes what to measure and how to analyze the data to continually improve the project's DevSecOps process. Future builds are improved using metrics and measures of security debt, unauthorized changes during development, and anomalies detected during operation.

Table of Contents

1. Introduction ................................................................ 1
1.1 Background .................................................................. 1
1.2 Purpose ..................................................................... 1
1.3 Scope ....................................................................... 2
1.4 Audience .................................................................... 2
1.5 Document Organization/Approach .............................................. 2
2. Goals and Objectives ........................................................ 3
2.1 Benefits of DevSecOps ....................................................... 3
2.2 Constraints ................................................................. 3
3. Exemplar DevSecOps .......................................................... 4
3.1 Top Qualities of DevOps ..................................................... 4
3.2 Top Qualities of an Exemplar DevSecOps Framework ............................ 5
3.3 Value of Building Security into DevOps ..............................................
3.4 ..............................................
3.5 ..............................................
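The "Change Management Auditing" practice in the Executive Summary above says a pipeline should be able to answer "what changed?" and flag unauthorized changes during builds. The following is an added example, not code from the MITRE guide, of one way to implement that check: the pipeline records a SHA-256 manifest of the workspace before and after the build step, diffs the two, and treats any change outside an allow-list of expected build-output paths (here assumed to be dist/ and build/) as unauthorized. The file contents, paths and allow-list are constructed for the example.

```python
"""Added example: "what changed?" auditing of a build workspace.

Assumption (not from the guide): the pipeline snapshots file hashes before and
after the build step, and any file that is added, removed or modified outside an
allow-list of expected build outputs is reported as an unauthorized change.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


def sha256_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each workspace path to the SHA-256 of its contents.

    This is the snapshot a pipeline step would record before and after a build.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


@dataclass
class ChangeReport:
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    modified: List[str] = field(default_factory=list)
    unauthorized: List[str] = field(default_factory=list)  # changes outside the allow-list


def _allowed(path: str, allowed_prefixes: Iterable[str]) -> bool:
    """A change is expected only if it lands under one of the allowed output prefixes."""
    return any(path.startswith(prefix) for prefix in allowed_prefixes)


def audit_changes(before: Dict[str, str], after: Dict[str, str],
                  allowed_prefixes: Iterable[str]) -> ChangeReport:
    """Diff two hash manifests and classify every change.

    Paths are visited in sorted order so the report is deterministic and can be
    committed alongside the build record.
    """
    allowed_prefixes = tuple(allowed_prefixes)
    report = ChangeReport()
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report.added.append(path)
        elif path not in after:
            report.removed.append(path)
        elif before[path] != after[path]:
            report.modified.append(path)
        else:
            continue  # unchanged: nothing to audit
        if not _allowed(path, allowed_prefixes):
            report.unauthorized.append(path)
    return report


def run_example() -> ChangeReport:
    """Constructed workspace: a build that legitimately produces dist/ output but
    also has its dependency pin file edited mid-build (an unauthorized change)."""
    workspace_before = {
        "src/app.py": b"print('hello')\n",
        "Dockerfile": b"FROM python:3.12-slim\n",
        "requirements.txt": b"requests==2.31.0\n",
    }
    workspace_after = {
        "src/app.py": b"print('hello')\n",                 # unchanged
        "Dockerfile": b"FROM python:3.12-slim\n",          # unchanged
        "requirements.txt": b"requests==2.31.0\nevilpkg==0.1\n",  # modified outside allow-list
        "dist/app-1.0.whl": b"\x50\x4b\x03\x04...",        # expected build output
    }
    before = sha256_manifest(workspace_before)
    after = sha256_manifest(workspace_after)
    return audit_changes(before, after, allowed_prefixes=("dist/", "build/"))


if __name__ == "__main__":
    result = run_example()
    print("added:       ", result.added)
    print("removed:     ", result.removed)
    print("modified:    ", result.modified)
    print("UNAUTHORIZED:", result.unauthorized)
```

In a real pipeline the two manifests would be written by separate, read-only pipeline steps (before and after the build job) so that the build job itself cannot rewrite the baseline, and a non-empty unauthorized list would fail the build and be attached to the Sprint's Security Impact Analysis record.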
MITRE DevSecOps Best Practices Guide 2020 (English edition), 44 pages. Uploaded by 路人甲 on 2022-08-16 03:25:43.