Pentagon to Advance DevSecOps Adoption With New Guidance

The Department of Defense has issued guidance that gives IT capability providers and consumers, product teams and authorizing officials best practices for advancing the adoption of DevSecOps. The guidance is also meant to help build a community that could enable a warfighting force and establish resilience and security in DOD’s software delivery practices.

The document titled DoD Enterprise DevSecOps Fundamentals acknowledges the importance of software and seeks to promote the adoption of modern software practices across the department.

The guidance includes a definition of DevSecOps and a description of the methodology’s phases and lifecycle. It also covers assumptions related to the concepts of DevSecOps, offers in-depth information on the components of DevSecOps, provides guidance regarding a DevSecOps culture and metrics, outlines the next steps and identifies additional resources to support a DevSecOps journey.

The latest release came six months after the DOD Office of the Chief Information Officer issued the DevSecOps Continuous Authorization Implementation Guide.

Software Factory

According to DOD, a software factory leverages automation and is a collection of people, processes and tools designed to enable teams to continuously deliver value by fielding software to meet the needs of a particular community of end users.

The document states that an ideal DevSecOps software factory performs several functions, including standardization, automation, continuous integration and deployment, security and compliance, and continuous improvement.

What Is DevSecOps?

In the document, DOD defines DevSecOps as a combination of software engineering tools, practices and methodologies, unifying software development, security and operations and “recognizing that software is never done.”

The department said DevSecOps highlights collaboration across the three disciplines to support the delivery of secure software, emphasizes the automation of processes and builds on the tech trends of the past 20 years, including the shift from waterfall software development to Agile methodology, integration of security across the technology lifecycle and the move from data centers to the cloud.