DevSecOps Case Study

Client: Federal Agency

The Challenge

The federal agency's information technology leadership committed to Agile and DevSecOps software practices to address the shortfalls of traditional waterfall software development lifecycles. Realizing the desired benefits requires new business processes, software architectures, and tools. Adopting these practices for federal enterprise systems raises unique challenges, which Makpar is attuned to navigating.

The Solution

Makpar helped the development and security teams transition to working together under an agile methodology. We achieved this by implementing security at the code level, establishing an ongoing practice of Security as Code.

Security as Code

Security as Code is about building security into DevOps tools and practices, making it an essential part of the tool chains and workflows. You do this by mapping out how changes to code and infrastructure are made and finding places to add security checks, tests, and gates without introducing unnecessary cost or delay.

Security as Code uses Continuous Delivery as the control backbone and the automation engine for security and compliance.

Continuous Delivery

Continuous Delivery encourages a practice of defensive coding, in which developers look closely at error and exception handling and other defensive coding practices, including careful parameter validation. This goes a long way toward improving the security of most code as well as the runtime reliability of the system.

With training, developers can learn to look out for bad practices such as hardcoding credentials or attempting to create custom crypto. With more training, they will catch more vulnerabilities early in the process.

In some cases (for example, session management, secrets handling, or crypto), you might need to bring in a security specialist to examine the code, and developers should be encouraged to ask for security code reviews. You can also identify high-risk code through simple static code scanning that looks for specific strings, such as credentials, and for dangerous functions, such as low-level crypto functions and crypto primitives.
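As an added illustration (not Makpar's tooling or code from this case study), the following Python scanner does the kind of simple static check the paragraph describes: it flags source lines that contain credential literals or calls to weak or hand-rolled crypto so that the change can be routed to a security code review. The rule names, regex patterns and the sample snippet are constructed for this example and are not an exhaustive rule set.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Illustrative rule set (constructed): compiled regex, rule name, reason shown to the reviewer.
RULES = [
    (re.compile(r'(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["\'][^"\']{4,}["\']'),
     "hardcoded-credential", "credential literal assigned in source"),
    (re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
     "aws-access-key-id", "string shaped like an AWS access key ID"),
    (re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----'),
     "embedded-private-key", "PEM private key block in source"),
    (re.compile(r'(?i)\b(md5|sha1|des|rc4)\s*\('),
     "weak-crypto-primitive", "broken or weak hash/cipher primitive"),
    (re.compile(r'(?i)\b(def|function)\s+\w*(encrypt|decrypt|cipher|hash)\w*\s*\('),
     "custom-crypto", "hand-rolled crypto routine; needs specialist review"),
]

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    reason: str
    snippet: str

def scan_source(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, rule, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, reason, line.strip()))
    return findings

def needs_security_review(text: str) -> bool:
    """Pipeline gate decision: any finding routes the change to a security code review."""
    return bool(scan_source(text))

# Constructed sample input: a short, deliberately risky snippet to scan.
SAMPLE = '''\
import hashlib
DB_PASSWORD = "s3cr3t-pass"
def my_encrypt(data, key):
    return bytes(b ^ key for b in data)   # home-grown XOR "cipher"
digest = hashlib.md5(data).hexdigest()
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.reason}: {f.snippet}")
```

In a Jenkins job this would run as a build step whose non-empty output marks the change for review rather than silently passing it through.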

Streamlining the Process

Makpar set the federal agency up for success by streamlining its security auditing processes. A threat model of the Continuous Delivery pipeline looks for weaknesses in its setup and controls and for gaps in auditing or logging. The logs are reviewed periodically to ensure that they are complete and that a change can be traced from start to finish, and they must be immutable, meaning that they cannot be erased or forged. We also introduced automation tools under a CI/CD process.

The Tools Used and Why:

Jenkins.

Jenkins is an open source automation tool, written in Java, used for Continuous Integration. With it, our developers build and test software projects while continuously integrating changes, so that users always have access to a fresh build.

IBM CLM.

Collaborative Lifecycle Management (CLM) is an integrated suite of tools that automates every part of the software development lifecycle, from requirements to testing. As experts in this tool, we ensure that automating the software lifecycle is quick, efficient, and as cost effective as possible for the client.

IBM RQM.

Rational Quality Manager (RQM) is a test management tool used to store test cases, record test execution and results, map testing onto requirements, and track defects. RQM integrates with functional test automation and supports early collaboration between all stakeholders, giving better results overall for the client. This minimizes the need for manual documentation and speeds up the process.

RTC.

Rational Team Concert (RTC) is a multi-platform team collaboration tool used by developers to increase efficacy in agile Application Lifecycle Management (ALM). RTC includes integrated planning, task tracking, team and process awareness, and project health tracking, with a uniform interface across platforms. As a newer tool, RTC is designed to promote team productivity and effectively allows us to transition to agile development while still supporting traditional practices.

Why agile?

Agile and DevSecOps go hand in hand. Agile keeps us on our toes; it is exactly what is needed to keep up with a continuously evolving online ecosystem.