Requirements Gathering for a Successful Rugged DevOps Implementation
Hasan Yasar | Technical Manager | Software Engineering Institute - CMU
Copyright 2017 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0004478
Topics
• Background
• Common Pitfalls
• Current State Assessment
• Requirements Analysis and Evaluation
• People, Process, Platform
• Automated Integrated Development Pipeline
Background
• The Software Engineering Institute (SEI) is a Federally Funded Research and Development Center (FFRDC)
• Research and practice in software development, acquisition, and maintenance practices
• Assisted numerous government organizations in modernizing their software development practices in the spirit of DevOps principles.
• Application security is the principal quality attribute of the software they produce.
Common question
How can I implement a Rugged DevOps process and platform in my team/directorate/project/organization/unit… ?
How to assess the current state? Where are the productivity bottlenecks? Whom to train on what? What and how to measure? How to monitor?
The Rugged Manifesto
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things – and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
Common Pitfalls
HELP!
What went wrong?
• DevOps is (mistakenly) treated as –
– A FAD
– Only about tooling
– A Product
– Only about Dev and Ops
– Same for all orgs
– Only continuous integration/deployment
– New organizational unit
Current State Assessment
• Interview with functional leads from key areas related to Application Development.
• Review of:
– Validation of statements (e.g., through observations of the work environment or shadowing)
– Demonstrations of any software tools used for automation of software development and deployment
– Cultural perspective related to development evolution and Security team
– Legal, Risk Management and all stakeholders
Assessment Plan
1. Agree on definitions (DevOps, DevSecOps) and process
2. Identify stakeholders
3. Perform interview on each team
4. Identify and analyze technical tool stack
5. Collect key metrics and establish measurement
6. Identify gap areas and develop a roadmap
7. Select suitable project to implement: Build, Learn, Evaluate
Assessment Process
• Scheduling an interview with teams
• Anonymous Survey
• Analyze outcomes
• Provide feedback to the teams
• Brief the executive team
Identify Stakeholders
(Figure: the stakeholder groups Developers, IT Operations, Quality Assurance, Business Analyst and Information Security, each shown against the same set of concerns.)
Concerns:
• Deployment
• Maintenance
• Security
• Programming
• Infrastructure
• Scalability
• Networks
• Functional Requirements
• Performance
• Testing
• User Interface
• Technical Documentation
• Updates
• Code Review
• Release Review
• User Documentation
• Data Privacy
• Intrusion Detection
• User Requirements
• Business Constraints
• Legal Issues
• Market Needs
• Budgets/Timelines
• Monitoring
• Incident response
Assessment – Business Analyst/PM
• Requirements development & management
• Acquisition & contracting process
• Risk management process
• Compliance requirements
• Project Planning and tracking
Assessment – Developer
• Development methodology – agile, waterfall, SAFe, XP, Lean, or cowboy coding
• Development environments
• Task assignment/management/completion
• Collaboration with other (internal/external) teams
Assessment – Quality Assurance
• Software testing methodologies
• Software {quality} assurance
• Compliance verification
• Audit requirements
• Feedback to dev team
Assessment – Deployment/Release
• Software configuration management
• Integration process
• Software verification and validation process
• Software review and audit process
• Securing the deployment pipeline
Assessment – IT Operations
• Software operational process
• Team engagement
• Policy knowledge management
• Asset management
• IT governance
• Service management
• Audit and monitoring
Assessment – Information Security
• Management and auditing of the supply chain
• Security controls
• Security policies (compliance requirements)
• Application security testing
• Product security management (PSIRT)
• Security awareness training and knowledge management
Assessment – Technology Stack
• Development language and tools
• IT solution stack
• Enterprise support services
• Legacy systems
• Application development support tools
• Software reuse process
• Accreditation and approval process
Identify Metrics and Measurement
• Software metrics
• Quality metrics
• Checkpoint diagnostic
– Qualitative process baseline
– Quantitative performance baseline
– Benchmark performance comparison
• Define end-goal as being Rugged: What that means to all stakeholders
Identify Suitable Project
• Select {new or existing} project as pilot
– Most stakeholders involved
– Minimize risk to business
– Ability to learn/develop/implement security in the process
– Scalable to the organization
Feedback to the team
• Collaborate with all team leads
• Share identified requirements
• Categorize and prioritize the requirements
• Collectively develop an implementation plan: People + Process + Platform
People
• Heavy collaboration between all stakeholders
– Secure Design/Architecture decisions
– Secure Environment/Network configuration
– Secure Deployment planning
– Secure Code Review
• Constantly available open communication channels:
– Dev and OpSec together in all project decision meetings
– Chat/e-mail/Wiki services available to all team members
Process
• Establish a process to enable people to succeed using the platform to develop Rugged applications
• Such that it:
• Keeps communication constant and visible to all
• Ensures that tasks are testable and repeatable
• Frees up human experts to do challenging, creative work
• Allows tasks to be performed with minimal effort or cost
• Creates confidence in task success, after past repetitions
• Delivers faster deployment and frequent quality releases
Platform
• Where people use process to build rugged software
• Automated environment creation and provisioning
• Automated infrastructure testing
• Parity between Development, QA, Staging, and Production environments
• Sharing and versioning of environmental configurations
• Collaborative environment between all stakeholders
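Parity between environments is only checkable when the environment configurations are versioned and compared on every run. The following is an added example, not part of the deck and not SEI tooling: it loads one flattened configuration per environment (constructed sample data, including two deliberate drifts), reports every setting that differs, and fails on the settings that must be identical everywhere (here the TLS floor and the authentication flag; both lists are assumptions for the example).

```python
"""Environment-parity check over versioned environment configuration.

Added example (not from the SEI deck). Given one flattened configuration per
environment, report every setting whose value differs between environments
and fail when a security-relevant setting that must be identical everywhere
has drifted, so the drift stops the pipeline instead of surfacing in prod.
"""
from typing import Any

# Constructed sample: one flattened config per environment, as it might be
# loaded from versioned per-environment files (values are made up).
ENVIRONMENTS: dict[str, dict[str, Any]] = {
    "dev": {
        "db.host": "db.dev.internal", "debug": True,
        "tls.min_version": "1.2", "auth.required": True,
        "log.level": "DEBUG", "replicas": 1,
    },
    "qa": {
        "db.host": "db.qa.internal", "debug": False,
        "tls.min_version": "1.2", "auth.required": True,
        "log.level": "INFO", "replicas": 1,
    },
    "staging": {
        "db.host": "db.stg.internal", "debug": False,
        "tls.min_version": "1.2", "auth.required": False,   # constructed drift
        "log.level": "INFO", "replicas": 2,
    },
    "prod": {
        "db.host": "db.prod.internal", "debug": False,
        "tls.min_version": "1.0", "auth.required": True,    # constructed drift
        "log.level": "INFO", "replicas": 4,
    },
}

# Hypothetical allow-list: settings that legitimately vary per environment.
EXPECTED_TO_DIFFER = {"db.host", "replicas", "log.level"}

# Hypothetical must-match list: any difference here is a blocking finding.
MUST_MATCH = {"tls.min_version", "auth.required"}


def drift(envs):
    """Return {setting: {env: value}} for every setting whose values differ
    across environments; a setting missing in one environment counts as drift."""
    all_keys = set().union(*(cfg.keys() for cfg in envs.values()))
    result = {}
    for key in sorted(all_keys):
        values = {env: cfg.get(key, "<missing>") for env, cfg in envs.items()}
        if len({repr(v) for v in values.values()}) > 1:
            result[key] = values
    return result


def parity_findings(envs, must_match=MUST_MATCH, expected=EXPECTED_TO_DIFFER):
    """Split drift into blocking findings (must-match settings that differ)
    and informational drift (everything else not on the allow-list)."""
    d = drift(envs)
    findings = {k: v for k, v in d.items() if k in must_match}
    info = {k: v for k, v in d.items() if k not in must_match and k not in expected}
    return findings, info


if __name__ == "__main__":
    findings, info = parity_findings(ENVIRONMENTS)
    for key, values in findings.items():
        print(f"FAIL {key}: {values}")
    for key, values in info.items():
        print(f"INFO {key}: {values}")
    raise SystemExit(1 if findings else 0)
```

Run as a pipeline step, the non-zero exit on a blocking finding is what turns "parity" from a slide bullet into an enforced property; the informational drift (here the `debug` flag) is the list a team reviews when deciding what to add to either list.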
Rugged Continued…
• Culture – NOT a tool, SDLC, or org structure
• Rugged != Secure – secure is only an instant in time
• Proactive security is better than reactive – Reactive will fail eventually
Rugged DevOps on Security
(Figure: four quadrants – Culture, Process and Practices, System and Architecture, Automation and Measurement.)
Security Culture
• Developer and OpSec collaborate
• Developers and OpSec support releases beyond deployment
• Dev and OpSec have access to stakeholders who understand business and mission goals
Security Automation / Measurement
• Automate repetitive and error-prone tasks (e.g., build, testing, and deployment; maintain consistent environments)
• Static and dynamic security analysis automation
• Performance dashboards
Security in Process and Practices
• Secure Pipeline streamlining
• Continuous-delivery practices (e.g., continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments)
Secure System and Architecture
• Architected to support test automation and continuous-integration goals
• Applications that support changes without release (e.g., late binding)
• Scalable, secure, reliable, etc.
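The automation and measurement quadrant comes together in one pipeline step: run the static and dynamic analysis tools, gate the build on their results, and emit the counts a dashboard plots. The block below is an added example, not the deck's or SEI's tooling: it works on a small normalized finding record (tool, rule, severity, location; the field names are an assumption), compares against a baseline of previously triaged findings so that only regressions block, and returns the metrics alongside the verdict. The findings and baseline are constructed sample data.

```python
"""Pipeline gate over static/dynamic analysis results with dashboard metrics.

Added example (not from the SEI deck). Analysis tools emit many formats, so
the gate works on a normalized record and a baseline of accepted findings:
new findings at or above the threshold fail the build, and every run yields
the per-severity and per-tool counts a performance dashboard needs.
"""
import hashlib
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed: normalized output of a SAST and a DAST tool for one build.
FINDINGS = [
    {"tool": "sast", "rule": "sql-injection", "severity": "high", "location": "app/orders.py:42"},
    {"tool": "sast", "rule": "hardcoded-secret", "severity": "medium", "location": "app/config.py:7"},
    {"tool": "sast", "rule": "weak-hash", "severity": "low", "location": "app/legacy.py:110"},
    {"tool": "dast", "rule": "missing-hsts", "severity": "medium", "location": "https://staging.example.test/"},
    {"tool": "dast", "rule": "reflected-xss", "severity": "high", "location": "https://staging.example.test/search"},
]


def fingerprint(f):
    """Stable id for a finding so reruns and baselines can be compared."""
    key = f"{f['tool']}|{f['rule']}|{f['location']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


# Constructed baseline: findings already triaged and accepted on a prior run
# (the old weak hash and the known staging XSS are tracked elsewhere).
BASELINE = {fingerprint(FINDINGS[2]), fingerprint(FINDINGS[4])}


def evaluate(findings, baseline, fail_at="high"):
    """Return (passed, metrics). The gate fails on any finding at or above
    `fail_at` that is not in the baseline; metrics feed the dashboard."""
    threshold = SEVERITY_RANK[fail_at]
    new = [f for f in findings if fingerprint(f) not in baseline]
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    metrics = {
        "total": len(findings),
        "new": len(new),
        "baseline": len(findings) - len(new),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "by_tool": dict(Counter(f["tool"] for f in findings)),
        "blocking": [f"{f['tool']}:{f['rule']}@{f['location']}" for f in blocking],
    }
    return (not blocking), metrics


if __name__ == "__main__":
    ok, m = evaluate(FINDINGS, BASELINE)
    print("PASS" if ok else "FAIL", m)
    raise SystemExit(0 if ok else 1)
```

Gating on new findings rather than on the absolute count is what makes the step adoptable on an existing code base: the baseline is the quantitative performance baseline from the measurement slides, and the `new`/`baseline` split is the trend the dashboard shows shrinking over time.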
Continuous Integration (CI) Model
Integration and communication, even among tools, is the key!
(Pipeline diagram legend:)
Human actions/inputs to the software development process
Actions performed by autonomous systems
Take the DevSecOps Survey: bit.ly/DevSecOps-2017
More on SEI DevOps Blog: https://insights.sei.cmu.edu/devops
Thank You!
Hasan Yasar, Technical Manager, [email protected], @securelifecycle
Web Resources (CERT/SEI)
http://www.cert.org/
http://www.sei.cmu.edu/