Professional Documents
Culture Documents
UNCLASSIFIED CLEARED
For Open Publication
Department of Defense
OFFICE OF PREPUBLICATION AND SECURITY REVIEW
DevSecOps
Fundamentals
Guidebook:
DevSecOps Tools & Activities
September 2021
Version 2.1
This document automatically expires 1-year from publication date unless revised.
1
UNCLASSIFIED
Unclassified
UNCLASSIFIED
i
UNCLASSIFIED
UNCLASSIFIED
Trademark Information
Names, products, and services referenced within this document may be the trade names,
trademarks, or service marks of their respective owners. References to commercial vendors and
their products or services are provided strictly as a convenience to our readers, and do not
constitute or imply endorsement by the Department of any non-Federal entity, event, product,
service, or enterprise.
ii
UNCLASSIFIED
UNCLASSIFIED
Contents
1 Introduction ......................................................................................................................... 1
1.1 Audience and Scope .................................................................................................... 1
2 DevSecOps Tools and Activities ......................................................................................... 2
2.1 Security Tools & Activities Cross Reference ................................................................ 3
2.2 Plan Tools and Activities .............................................................................................. 5
2.3 Develop Tools and Activities .......................................................................................10
2.4 Build Tools and Activities ............................................................................................14
2.5 Test Tools and Activities .............................................................................................17
2.6 Release & Deliver Tools and Activities ........................................................................23
2.7 Deploy Tools and Activities .........................................................................................26
2.7.1 Virtual Machine Deployment ................................................................................26
2.7.2 Container Deployment .........................................................................................26
2.8 Operate Tools and Activities .......................................................................................29
2.9 Monitor Tools and Activities ........................................................................................31
2.10 Configuration Management Tools and Activities Cross-Reference ..............................36
Figures
Figure 1 DevSecOps Phases and Continuous Feedback Loops ................................................ 1
iii
UNCLASSIFIED
UNCLASSIFIED
Tables
Table 1: Security Activities Summary and Cross-Reference....................................................... 3
Table 2 Specific Security Tools Common to All DevSecOps Reference Designs ....................... 4
Table 3: Plan Phase Tools ......................................................................................................... 6
Table 4: Plan Phase Activities .................................................................................................... 8
Table 5: Develop Phase Tools ..................................................................................................11
Table 6: Develop Phase Activities .............................................................................................12
Table 7: Build Phase Tools .......................................................................................................15
Table 8: Build Phase Activities ..................................................................................................16
Table 9: Test Phase Tools ........................................................................................................18
Table 10: Test Phase Activities .................................................................................................20
Table 11: Release and Deliver Phase Tools .............................................................................24
Table 12: Release and Deliver Phase Activities ........................................................................25
Table 13: Deploy Phase Tools ..................................................................................................27
Table 14: Deploy Phase Activities .............................................................................................28
Table 15: Operate Phase Tools ................................................................................................30
Table 16: Operate Phase Activities ...........................................................................................30
Table 17: Monitor Phase Tools .................................................................................................32
Table 18: Monitor Phase Activities ............................................................................................35
Table 19: Configuration Management Activities Summary and Cross-Reference ......................37
iv
UNCLASSIFIED
UNCLASSIFIED
1 Introduction
The goal of DevSecOps is to improve customer outcomes and mission value through the
automation, monitoring, and application of security at every phase of the software lifecycle.
Figure 1 DevSecOps Phases and Continuous Feedback Loops conveys the software lifecycle
phases and continuous feedback loops.
Practicing DevSecOps requires an array of purpose-built tools and a wide range of activities that
rely on those tools. This document conveys the relationship between each DevSecOps phase, a
taxonomy of supporting tools for a given phase, and the set of activities that occur at each
phase cross-referenced to the tool(s) that support the specific activity.
The Tools and Activities that follow are foundational, but incomplete when considered in
isolation. Each DoD Enterprise DevSecOps Reference Architecture additively defines the
complete set of Tools and Activities required to achieve a specific DevSecOps
implementation.
1
UNCLASSIFIED
UNCLASSIFIED
Specific reference designs may elevate a specific tool from PREFERRED to REQUIRED, as
well as add additional tools and/or activities that specifically support the nuances of a given
reference design. Reference designs cannot lower a tool listed in this document from required
to preferred.
Activity tables list a wide range of activities for DevSecOps practices. The activities captured
here do not diminish the fact that each program should define their own unique processes,
choose proper and meaningful activities, and select specific software factory tools suitable for
their software development needs. The continuous process improvement that results from the
DevSecOps continuous feedback loops and performance metrics aggregation should drive the
increase of automation across each of these activities.
Activities tables include the below columns:
2
UNCLASSIFIED
UNCLASSIFIED
Activities
Tool Table
Activities Phase Table Tool Dependencies
Reference
Reference
Threat modeling Plan Table 4 Threat modeling tool Table 3
Security code
Develop Table 6 IDE Table 5
development
Static code scan
Develop Table 6 IDE security plugins Table 5
before commit
Source code repository security
Code commit scan Develop Table 6 Table 5
plugin
Static application
Build Table 8 SAST tool Table 7
security test and scan
Dependency Dependency checking / BOM
Build Table 8 Table 7
vulnerability checking checking tool
Dynamic application DAST tool or
Test Table 10 Table 9
security test and scan IAST tool
Manual security
Varies tools and scripts (may
testing (such as Test Table 10 Table 9
include network security test tool)
penetration test)
Post-deployment
Deploy Table 14 Security compliance tool Table 13
security scan
Operational
Operate Table 16 Backup Table 15
dashboard
System Security Information Security Continuous
Monitor Table 18 Table 17
monitoring Monitoring (ISCM)
3
UNCLASSIFIED
UNCLASSIFIED
4
UNCLASSIFIED
UNCLASSIFIED
5
UNCLASSIFIED
UNCLASSIFIED
6
UNCLASSIFIED
UNCLASSIFIED
7
UNCLASSIFIED
UNCLASSIFIED
Software requirement Gather the requirements - Stakeholder inputs or Requirements Documents Requirements tool;
analysis from all stakeholders feedback; -Feature requirements Team collaboration
- Operation monitoring -Performance requirements system;
feedback; -Privacy requirements Issue tracking system
- Test feedback. -Security requirements
System design Design the system based the Requirements database or System Design Documents: Team collaboration
requirements documents -System architecture system;
-Functional design Issue tracking system
-Data flow diagrams Software system
-Test plan design tools
8
UNCLASSIFIED
UNCLASSIFIED
Risk management Risk assessment - System architecture; Risk management plan Team collaboration
- Supply chain information; system;
- Security risks.
Threat modeling Identify potential threats, System design Potential threats and mitigation Threat modeling tool
weaknesses and plan
vulnerabilities. Define the
mitigation plan
Database design Data modeling; database System requirement; Database design document Data modeling tool;
selection; System design Team collaboration
Database deployment system
topology
Design review Review and approve plans Plans and design Review comments; Team collaboration
and documents documents; Action items system
Documentation version Track design changes Plans and design Version controlled documents Team collaboration
control documents; system
9
UNCLASSIFIED
UNCLASSIFIED
10
UNCLASSIFIED
UNCLASSIFIED
11
UNCLASSIFIED
UNCLASSIFIED
12
UNCLASSIFIED
UNCLASSIFIED
13
UNCLASSIFIED
UNCLASSIFIED
14
UNCLASSIFIED
UNCLASSIFIED
15
UNCLASSIFIED
UNCLASSIFIED
Tool
Activities Description Inputs Outputs
Dependencies
Build Compile and link Source code; -Binary artifacts Build tool;
dependencies -Build Report Lint tool;
Artifact repository
Static application Perform SAST to the software Source code; known Static code scan SAST tool
security test and scan system vulnerabilities and report and
weaknesses recommended
mitigation.
Dependency Identify vulnerabilities in the Dependency list or BOM Vulnerability report Dependency checking / BOM
vulnerability checking open source dependent list checking tool
components
Release packaging Package binary artifacts, VM Binary artifacts; Released package Release packaging tool
images, infrastructure Scripts; with checksum and
configuration scripts, proper test Documentation; digital signature
scripts, documentation, Release notes
checksum, digital signatures,
and release notes as a
package.
Store artifacts Store artifacts to the artifact Binary artifacts; Versioned controlled Artifact Repository
repository Database artifacts; artifacts
Scripts;
Documentation;
Build configuration Track build results, SAST and Build results; Version controlled Team collaboration system;
control and audit dependency checking report; SAST report; build report; Issue tracking system;
Generate action items; Dependency checking Action items; CI/CD orchestrator
Make go/no-go decision to the report Go/no-go decision
next phase
16
UNCLASSIFIED
UNCLASSIFIED
Test audit, test deployment, and configuration audit happen at all stages.
17
UNCLASSIFIED
UNCLASSIFIED
18
UNCLASSIFIED
UNCLASSIFIED
19
UNCLASSIFIED
UNCLASSIFIED
Tool
Activities Description Inputs Outputs
Dependencies
Unit test Assist unit test script development and Unit test script, individual Test report to Test tool suite, Test
unit test execution. It is typically software unit under test (a determine whether coverage tool
language specific. function, method or an the individual software
interface), test input data, unit performs as
and expected output data designed.
Dynamic application Perform DAST or IAST testing to the Running application and Vulnerability, static DAST tool or
security test and scan software system underlying OS; fuzz inputs code weakness IAST tool
and/or dynamic code
weakness report and
recommended
mitigation
Integration test Develops the integration test scripts Integration test scripts, the Test report about Test tool suite
and execute the scripts to test several software units under test, whether the
software units as a group with the test input data, and integrated units
interaction between the units as the expected output data performed as
focus. designed.
System test System test uses a set of tools to test System test scripts, the Test result about if the Test tool suite
the complete software system and its software system and system performs as
interaction with users or other external external dependencies, designed.
systems. Includes interoperability test, test input data and
which demonstrates the system's expected output data
capability to exchange mission critical
information and services with other
systems.
Manual security test Such as penetration test, which uses a Running application, Vulnerability report Varies tools and
set of tools and procedures to evaluate underlying OS, and and recommended scripts (may include
the security of the system by injecting hosting environment mitigation network security test
authorized simulated cyber-attacks to tool)
the system.
20
UNCLASSIFIED
UNCLASSIFIED
Tool
Activities Description Inputs Outputs
Dependencies
Performance test Ensure applications will perform well Test case, test data, and Performance metrics Test tool suite, Test
under the expected workload. The test the software system data generator
focus is on application response time,
reliability, resource usage and
scalability.
Regression test A type of software testing to confirm Functional and non- Test report Test tool suite
that a recent program or code change functional regression test
has not adversely affected existing cases; the software
features. system
Acceptance test Conduct operational readiness test of The tested system Test report Test tool suite, Non-
the system. It generally includes: Supporting system security compliance
Accessibility and usability test Test data scan
failover and recovery test
performance, stress and volume test
security and penetration test
interoperability test
compatibility test
supportability and maintainability
Compliance scan Compliance audit Artifacts; Compliance reports Non-security
Software instances; compliance scan;
System components Software license
compliance checker;
Security compliance
tool
Test audit Test audit keeps who performs what Test activity and test Test audit log Test management
test at what time and test results in results tool
records
Test deployment Deploy application and set up testing Artifacts (application The environment Configuration
environment using Infrastructure as artifacts, test code) ready to run tests automation tool;
Code Infrastructure as Code IaC
Database functional Perform unit test and functional test to Test data; Test results Database test tools
test database to verify the data definition, Test scenarios
triggers, constrains are implemented as
expected
Database non- Conduct performance test, load test, Test data; Test results Database test tools
functional test and stress test; Test scenarios
Conduct failover test
21
UNCLASSIFIED
UNCLASSIFIED
Tool
Activities Description Inputs Outputs
Dependencies
Database security test Perform security scan; Test data; Test results Vulnerability findings;
Security test Test scenarios Recommended
mitigation actions
Test configuration Track test and security scan results; Test results; Version controlled test Team collaboration
audit Security scan and results; system;
compliance scan report Action items Issue tracking system;
CI/CD orchestrator
Test configuration Generate action items; Version controlled test Go/no-go decision Team collaboration
control Make go/no-go decision to the next results system;
phase. Issue tracking system;
(There may be several iterations for CI/CD orchestrator
several tests across stages)
Development Tests Independent Government test and System under test, test Test reports and Specific test
and Operational Tests evaluation at the system level using plans, test procedures evaluation management and
mission threads execution tools
22
UNCLASSIFIED
UNCLASSIFIED
23
UNCLASSIFIED
UNCLASSIFIED
24
UNCLASSIFIED
UNCLASSIFIED
Tool
Activities Description Inputs Outputs
Dependency
Release go / no-go This is part of configuration audit; Design go / no-go CI/CD
decision Decision on whether to release artifacts to the artifact documentation; decision; Orchestrator
repository for the production environment. Version controlled Artifacts are
artifacts; Version tagged with
controlled test release tag if go
reports; decision is made
Security test and
scan reports
Deliver released Push released artifacts to the artifact repository Release package New release in the Artifacts
artifacts artifact repository repository
Artifacts replication Replicate newly release artifacts to all regional artifact Artifacts Artifacts in all Artifacts
repositories regional artifact repositories
repositories (release,
regional)
Ops Team Acceptance Testing on the delivered artifacts to ensure that they meet Release package Accepted release
operational requirements package
Configuration Accepted Release Configuration
Integration Testing Package Results
Development Test and Known CVEs, Recommendations
Operational Test privacy
requirements,
security
requirements, and
potential threats
Parallel government Feature Recommendations
testing requirements and
performance
requirements
Delivery Results Configuration Production Push
Review results and Go/No-Go
Recommendations Decision
25
UNCLASSIFIED
UNCLASSIFIED
26
UNCLASSIFIED
UNCLASSIFIED
27
UNCLASSIFIED
UNCLASSIFIED
28
UNCLASSIFIED
UNCLASSIFIED
29
UNCLASSIFIED
UNCLASSIFIED
Tool
Activities Description Inputs Outputs
Dependency
Backup Data backup; Access to backup system Backup data or image Backup management;
System backup Database automation tool
Scale Scale manages Real-time demand and VM Optimized resource VM management
VMs/containers as a group. performance measures allocation capability on the hosting
The number of VMs in the Scale policy (demand or Key environment;
group can be dynamically Performance Indicator
changed based on the (KPI)threshold; minimum,
demand and policy. desired, and maximum
number of VMs/containers)
Load balancing Load balancing equalizes the Load balance policy Balanced resource VM management
resource utilization Real time traffic load and utilization capability on the hosting
VM/container performance environment;
measures
Feedback, including The Second Way: Feedback Technical feedback as to “is Updated requirements / Various planning tools
Operational Test and the system built right” and backlog
Evaluation (if/as operational feedback as to
needed) “was the right system built”
30
UNCLASSIFIED
UNCLASSIFIED
1NIST, NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information
Systems and Organizations, 2011.
31
UNCLASSIFIED
UNCLASSIFIED
32
UNCLASSIFIED
UNCLASSIFIED
33
UNCLASSIFIED
UNCLASSIFIED
34
UNCLASSIFIED
UNCLASSIFIED
35
UNCLASSIFIED
UNCLASSIFIED
• Configuration Identification: Identify the configuration items. This can be done manually
or with assistance from a discovery tool. The configuration items include infrastructure
components, COTS or open source software components used in the system,
documented software design, features, software code or scripts, artifacts, etc.
• Configuration Control: Control the changes of the configuration items. Each configuration
item has its own attributes, such as model number, version, configuration setup, license,
etc. The CMDB, source code repository, and artifact repository are tools to track and
control the changes. The source code repository is used primarily during development.
The other two are used in both development and operations.
• Configuration Verification and Audit: Verify and audit that the configuration items meet
the documented requirements and design. Configuration verification and audit are
control gates along a pipeline to control the go/no-go decision to the next phase.
These configuration management activities are represented in Table 19: Configuration
Management Activities Summary and Cross-Reference.
36
UNCLASSIFIED
UNCLASSIFIED
37
UNCLASSIFIED