Guide to achieving a DevSecOps maturity model

A successful DevSecOps implementation needs three things: a maturity assessment, reference models (practices, processes and tools) and implementation guidance.

Various toolsets are available to suit different implementation scenarios; a mixed approach (managed services alongside self-managed tools) is also possible.

  • Maturity assessment indicating the as-is state, the gap and the readiness
    • enables the enterprise to understand the prerequisites
    • enables targeted effort towards SMART goals, maximizing ROI with realistic timelines
  • Reference model to enable DevSecOps establishment
    • proven models with best practices
    • options for better efficiency or lower cost
    • accounts for variations across ecosystems with different needs
  • Implementation guidance across all aspects, viz. people, process and tools
    • implementation using variations of the toolchain
    • optimization of the process via monitoring and customization
    • upgrades and replacement of tools, and definition of roles and boundaries

Recommended DevSecOps approach for execution speed

The goal is agility: meeting rapidly changing business needs driven by technology evolution, consumer behavior and competitive pressure, without dropping the security controls listed at each stage below.

  • Planning: threat modeling and analysis
  • Design: resilient microservices, secure API gateways, identity and access management (IAM)
  • Development: SAST, DAST and IAST (static, dynamic and interactive application security testing) alongside code reviews and SonarQube analysis
  • Testing: penetration testing, container image vulnerability scanning, verification of data encryption
  • Deployment: containerization, configuration validation, feature switches, traffic shaping, rollback, etc.
  • Ops: logging, monitoring, intrusion detection, DDoS protection, root cause analysis (RCA) and failure mode and effects analysis (FMEA)

DevSecOps Toolchain – AWS native tools

  • Jira and Confluence: not part of the DevSecOps toolchain proper, but important for establishing the agile process the pipeline depends on.
  • CodeCommit: AWS managed, Git-based source repository holding source code and configuration for collaboration and version control. Alternative to a self-hosted Git server or GitHub/GitLab/Bitbucket, not to Git itself. Note that AWS closed CodeCommit to new customers in July 2024, so new builds should plan on one of those alternatives as the source stage.
  • CodeBuild and CodePipeline: AWS managed build service and pipeline orchestrator. CodeBuild compiles, tests and packages artifacts (e.g. a Maven build); the pipeline enforces quality gates by running SonarQube analysis and failing the stage when the gate is not met. Alternative to Jenkins.
  • CodeDeploy and CloudFormation: CodeDeploy is the managed application deployment service, CloudFormation the infrastructure-as-code service. Together they deliver blue/green deployment with minimal downtime and rollback in place (CodeDeploy rolls back a deployment that fails or trips an alarm; CloudFormation rolls back a stack update that fails). Alternative to Jenkins deployment jobs plus Ansible or Terraform.
  • ECS with Fargate: Amazon ECS is the container orchestrator; Fargate is its serverless compute option, so there are no EC2 hosts to patch. Artifacts are deployed to non-prod and prod environments in a blue/green topology driven by CodeDeploy.
  • CloudWatch and SNS: monitoring and notification for the automated process. CloudWatch alarms can be attached to a CodeDeploy deployment group so that a firing alarm triggers automatic rollback, and SNS fans out pipeline and deployment events to the team.
  • JFrog Artifactory versions the build artifacts, whereas Amazon ECR houses the container images; ECR's image scanning on push supplies the vulnerability data for the testing stage.
  • Code quality is enforced via quality gates defined in SonarQube.

AWS managed services are preferred to individually self-managed alternatives because they scale within an enterprise ecosystem and are patched and upgraded by AWS with far less operational effort. The trade-off is tighter coupling to AWS; the pipeline shape itself (source, build with quality gate, image scan, blue/green deploy with rollback, monitor and alert) is the same whichever of the alternatives above is chosen.
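The piece the toolchain above leaves implicit is the release gate that sits between the build and deploy stages: the step that reads the SonarQube quality-gate verdict and the ECR scan result and decides whether the image may be promoted to the blue/green ECS deployment. The following is an added example, not code from the page or from AWS; it could run as a CodeBuild step or a CodePipeline Lambda action (placement is an assumption). The two payload shapes are those of the real APIs (SonarQube `GET /api/qualitygates/project_status` and `ecr:DescribeImageScanFindings`), but the sample values, image name and SNS wiring are constructed for the example, and no network calls are made.

```python
"""Release gate between build and deploy (added example, not the page's own code).

Reads two results the toolchain already produces and decides whether to promote:
  * SonarQube quality gate:   GET /api/qualitygates/project_status?projectKey=<key>
  * ECR image scan:           ecr:DescribeImageScanFindings
The payloads at the bottom are constructed samples in the shape of those
responses (values invented); nothing here talks to the network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# ECR severity scale, lowest to highest. ECR also emits "UNDEFINED" for CVEs
# without a CVSS score; it is deliberately left off the scale so it fails closed.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass
class GateDecision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def sonar_gate_passed(project_status: Dict) -> Tuple[bool, List[str]]:
    """SonarQube reports "OK" or "ERROR" in projectStatus.status and lists each
    failing condition with its metric, comparator and threshold."""
    ps = project_status.get("projectStatus", {})
    if ps.get("status") == "OK":
        return True, []
    reasons = [
        f"sonar: {c['metricKey']}={c.get('actualValue')} fails "
        f"{c.get('comparator')} {c.get('errorThreshold')}"
        for c in ps.get("conditions", []) if c.get("status") == "ERROR"
    ]
    # A missing or unknown status (e.g. "NONE" when analysis never ran) also blocks.
    return False, reasons or [f"sonar: quality gate status {ps.get('status')!r}"]


def image_scan_passed(scan: Dict, block_at: str = "HIGH") -> Tuple[bool, List[str]]:
    """Block when any finding at or above block_at exists, when the scan is not
    COMPLETE, or when ECR reports a severity outside the known scale."""
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, [f"ecr: scan status {status!r}; refusing an unscanned image"]
    counts = scan.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    threshold = SEVERITY_ORDER.index(block_at)
    reasons = []
    for sev, n in sorted(counts.items()):
        if n <= 0:
            continue
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) >= threshold:
            reasons.append(f"ecr: {n} {sev} finding(s) in image")
    return (not reasons), reasons


def release_gate(project_status: Dict, scan: Dict, block_at: str = "HIGH") -> GateDecision:
    """Both gates must pass; every reason is kept so the notification is actionable."""
    sonar_ok, sonar_reasons = sonar_gate_passed(project_status)
    image_ok, image_reasons = image_scan_passed(scan, block_at)
    return GateDecision(sonar_ok and image_ok, sonar_reasons + image_reasons)


def notification(decision: GateDecision, image: str) -> Dict[str, str]:
    """Subject/Message pair in the shape sns:Publish takes (topic wiring assumed).
    SNS limits Subject to 100 characters, hence the truncation."""
    verdict = "PROMOTED" if decision.allow else "BLOCKED"
    body = "\n".join([f"image: {image}", f"verdict: {verdict}"] + decision.reasons)
    return {"Subject": f"[release-gate] {verdict} {image}"[:100], "Message": body}


# --- constructed samples: real API shapes, invented values ---------------------
SONAR_FAILING = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
     "comparator": "LT", "errorThreshold": "100", "actualValue": "50"},
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "91.2"}]}}
SONAR_PASSING = {"projectStatus": {"status": "OK", "conditions": []}}

SCAN_DIRTY = {"imageScanStatus": {"status": "COMPLETE"},
              "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1, "MEDIUM": 4}}}
SCAN_CLEAN = {"imageScanStatus": {"status": "COMPLETE"},
              "imageScanFindings": {"findingSeverityCounts": {"LOW": 2}}}
SCAN_PENDING = {"imageScanStatus": {"status": "IN_PROGRESS"}, "imageScanFindings": {}}

if __name__ == "__main__":
    image = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/app:1.4.2"  # invented
    for label, ps, scan in [("dirty", SONAR_FAILING, SCAN_DIRTY),
                            ("clean", SONAR_PASSING, SCAN_CLEAN),
                            ("pending", SONAR_PASSING, SCAN_PENDING)]:
        print(label, notification(release_gate(ps, scan), image)["Message"], sep="\n")
```

Two design points worth keeping when adapting this: the gate fails closed (an in-progress scan, an unrecognised severity or a SonarQube status other than `OK` all block), and it reports every failing condition rather than the first one, so the SNS message tells the developer what to fix before the next push. In a CodeBuild step the same decision is simply the build's exit status; in a Lambda action it becomes a `PutJobSuccessResult`/`PutJobFailureResult` call on CodePipeline.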