Tackling RMF w/DevSecOps
Jennifer Rekas, jrekas@mitre.org
March 2019
The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for Public Release; Distribution Unlimited. Public Release Case Number 19-0841
Agenda
Brief Reminder of What DevSecOps Is and Where Information Security Fits
Brief Case Study
Tidbits from Other Sponsors
Common SDLC Pattern
DevOps is about automating as much of the SDLC as possible to reduce delivery time, improve quality/security, and reduce re-work/fix cost
Image source: https://www.mountaingoatsoftware.com/presentations/an-introduction-to-scrum
What To Do? DevSecOps
Culture / Mindset
Automation
Technology and Processes
Enabled by: Development, Security, and Operations are one team
Image sources: https://www.peakgrantmaking.org/blog/process-automation-new-black/, https://martinfowler.com/bliki/DevOpsCulture.html
What Is the “Enabling”?
🤝 Collaboration Between Stakeholders
🛣 Infrastructure as Code
⚙ Automation of Processes
🔍 Continuous Monitoring of applications and infrastructure
Different Model
Image source: IBM Research, Software Defined Environments; IBM Federal Cloud Innovation Center
Culture - Align the people to DevSecOps
Developers Operations Include Security!
Image sources: https://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr/6-Spock_Scotty_Little_bit_weird, http://www.fanpop.com/clubs/star-trek-the-next-generation/images/9406774/title/lieutenant-worf-photo
What about Security (IA)?
Defined Good Results
DevSecOps
Image source: https://www.sans.org/security-resources/posters/appsec/secure-devops-toolchain-swat-checklist-60
How One Government Agency Did It (and other tidbits)
“ATO-in-a-Day” aka “ATO at Hello” aka “Continuous ATO”
Enterprise Strategy: Agile SDLC -> Need security processes to meet speed
Defined security “playbook” and maturity model
RMF Policy Interpretation
How Can We Use Automation Output to Meet the Requirements? How can we maximize inheritance of controls?
Tailored security rigor and body of evidence requirements based on risk level
Provide Unclassified PAAS that meets ~80% of required security controls
Focus on supply chain – custom dependency checking of products moving low to high
Embed security DevOps engineer with enterprise DevOps team
Risk mgt staff (security assessors) culture change
PaaS Compared
Customization; higher costs; slower time to value
Larger Job Pool, More Complex
Standardization; lower costs; faster time to value
Image source: https://www.oreilly.com/library/view/the-enterprise-cloud/9781491907832/ch01.html
System Eligibility
• Basic Criteria:
  • Leverage the provided PaaS Microservice Architecture
  • Build and deliver using the provided enterprise DevSecOps Pipeline
  • Utilize APIs only for data calls
• Utilizing the enterprise provided resourcing = Inherit more than 80% of controls from common control provider
• “ATO-in-a-Day” applies to unclassified, Category 1-Minimum Viable Product applications (actually ATO in 30 days or less)
• TS/SCI applications may take an additional 30 days
DevSecOps Tool Selection Example
Pipeline tool categories (one selected tool per category):
Agile PM + Source Code Mgt + Build Tools + Continuous Integration + Artifact Repository + Testing Framework + Provisioning + Configuration Mgt & Deploy + Security (ZAP, InSpec) + Logging & Monitoring
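One way to turn the pipeline's automation output into RMF body-of-evidence and to measure how much of the baseline is inherited from the common control provider (the ~80% eligibility figure above), as an added Python example that is not from the presentation or the agency it describes: the report shape is a constructed simplification of an InSpec-style JSON report, and the NIST SP 800-53 control IDs, the inherited set and the tailored baseline are constructed samples.

```python
import json
from collections import Counter

# Constructed sample, loosely shaped like an InSpec JSON report
# (profiles -> controls -> results, NIST IDs in tags); not real scan output.
SAMPLE_REPORT = json.dumps({"profiles": [{"controls": [
    {"id": "tls-enforced", "tags": {"nist": ["SC-8"]},
     "results": [{"status": "passed"}]},
    {"id": "patch-level", "tags": {"nist": ["SI-2"]},
     "results": [{"status": "passed"}, {"status": "failed"}]},
    {"id": "no-default-creds", "tags": {"nist": ["IA-5"]},
     "results": [{"status": "passed"}]},
]}]})

# Constructed: NIST SP 800-53 controls the enterprise PaaS (common control
# provider) satisfies on the application's behalf.
INHERITED = {"AC-2", "AC-3", "AC-6", "AU-2", "AU-6", "AU-9",
             "CM-6", "CM-7", "IR-4", "PE-3", "SC-7", "SI-4"}

# Constructed: the tailored baseline this MVP application must satisfy.
REQUIRED = sorted(INHERITED | {"IA-5", "SI-2", "RA-5"})


def scan_evidence(report_json):
    """One verdict per NIST control ID; 'passed' only if every test
    tagged with that control passed."""
    verdict = {}
    for profile in json.loads(report_json)["profiles"]:
        for ctl in profile["controls"]:
            ok = all(r["status"] == "passed" for r in ctl["results"])
            for nist_id in ctl["tags"].get("nist", []):
                if verdict.get(nist_id) != "failed":
                    verdict[nist_id] = "passed" if ok else "failed"
    return verdict


def control_status(required, inherited, report_json):
    """Classify each required control as inherited from the common control
    provider, evidenced by the scan (passed/failed), or lacking evidence."""
    scan = scan_evidence(report_json)
    return {c: "inherited" if c in inherited else scan.get(c, "no evidence")
            for c in required}


def summarize(status):
    """Category counts plus the inherited share (the ~80% eligibility
    figure on the slides), rounded to two places."""
    counts = Counter(status.values())
    return counts, round(counts["inherited"] / len(status), 2)
```

Controls reported as "failed" or "no evidence" are the ones an assessor still has to look at; everything else is either inherited or documented by the pipeline run itself.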
Integrated Security Assessment
Questions?