CONTROLLED DATA
Leidos Proprietary - US Citizens ONLY
The information contained herein is proprietary to Leidos, Inc. It may not be used, reproduced, disclosed, or exported without the written approval of Leidos.

Secure Development Environment Initial Operating Capability Concept of Operations


Approvals

Authority | Date
Rick Goodwin, Secure DevOps Lead | 1-18-2020

Revisions

Change Record
Revision # | Date | Author | Description of Change
1.0 | January 18, 2020 | Rick Goodwin | Final
1.1 | May 1, 2020 | Dan Blazer | Made miscellaneous editorial edits.

Scope

Secure DevOps (SDO) is a set of processes, methodologies and tools that promote continuous feedback between Developers, Operations and Security teams.  The Leidos SDO reference design is built around the concept of portability. Portability is achieved using automated provisioning of infrastructure services and monitoring capabilities that reduce cost, accelerate development, and protect our reputation.  Portable SDO provides a modular approach for tailoring the deployment to meet customer-driven requirements. Portability extends SDO to cloud, on-prem, and customer-owned environments while maintaining the Leidos Way of optimizing the Development, Operations and Security pipelines with workflow and customizations focused on achieving the benefits of adopting SDO. Our asset library of Infrastructure as Code (IaC) for establishing SDO tools and pipelines complies with the NIST 800-171 cyber security requirements and FIPS 140-2 cryptographic requirements, thus supporting DFARS compliance (e.g., DFARS 252.204-7012).

The SDO tools instantiated within Leidos as SDO Enterprise services and processes enable our development teams to come up to speed quickly in a collaborative environment that includes a Wiki, Code Repository, Ticketing system, Persistent Chat, and CI/CD pipelines out of the box.  With the addition of security tools, development teams are able to meet secure coding and secure software build requirements in a traditional or an Agile Software Development Lifecycle (SDLC). 

Historically, software development approaches enacted security provisions towards the end of the SDLC.  This approach has proven to be an error-prone and overall costly way to implement appropriate security provisions.  Within Leidos, we have significantly changed our development culture and approach to introduce security provisions "earlier" in the SDLC (i.e., shifted left) when compared to more traditional ways. Additionally, every team member is accountable for security (as appropriate for individual roles).  Our currently enacted approach includes: 1) new and improved security practices (see below) that are integral to our standard development processes (EngineeringEdge NextGen), 2) CI/CD pipelines that are established quickly and that include tools for performing automated security audits and testing throughout the entire SDLC, and 3) security-related personnel participating in our daily SCRUM activities. Now our development personnel implement security provisions throughout the SDLC, thus minimizing vulnerabilities to satisfy the security requirements associated with our customer’s mission objectives.  The result has been that the overall schedule is reduced (primarily enabled by rapid instantiation of CI/CD pipelines and automated tools that perform security-related functions) and that we achieve increased software product quality, reliability and security as new software capabilities are continuously released into customer test and production environments.

As illustrated in Figure 1, Leidos’ SDO reference design includes “best-in-class” security practices and tools in each phase of our DevOps processes that are embedded in our planning tools and CI/CD pipelines.  The SDO reference design includes packaged tools for deployment into AWS cloud environments and includes versions to support Open Source and Enterprise tools.  In both cases, our SDO reference design supports development to deployment in a continual feedback loop as shown in Figure 1.  As a set of processes, SDO fits into any SDLC and is compliant with Leidos EngineeringEdge™ NextGen and SAFe™ processes and frameworks.  SDO helps improve the security and compliance maturity levels of our pipelines, while increasing quality and productivity and shrinking time-to-delivery.


Figure 1. The Leidos SDO Reference Design Provides Security Across Dev and Ops with Continuous Feedback


Continuous processing is employed using CI/CD pipelines in our development environments and automated monitoring and patching in operational environments.  As code moves from development to deployment, the emphasis moves from Securing to Defending software.  Using monitoring and analytics, the continuous monitoring and analysis of our runtime software solutions results in feedback from operations that flows back to our development teams to harden the software using Leidos’ secure coding, analysis and testing practices.  Upon successful testing, the hardened software is delivered to operations and continuously monitored.

Tables 1 and 2 provide more information on our best-in-class practices for securing software as it is developed and for defending the code we deliver and deploy into operational environments.

We execute Leidos’ cybersecurity best practices during execution of our Agile SDLC processes and we embed code quality scanning and security testing tools within our build and test pipelines so that cybersecurity practices are repeatable and are utilized consistently.  We deploy our SDO pipelines to meet NIST and FIPS requirements and our pipelines include vulnerability scanning at many different levels consisting of source code analysis, artifact scanning, security testing and dynamic assessments. All build dependency artifacts, sourced from the internet, are scanned for vulnerabilities and managed (remediated and secured) within an artifact repository prior to integration into our software solutions using our build pipelines.


Table 1 Leidos' Secure DevOps Cybersecurity "Best-in-Class" Practices for Securing Software

Secure

Each practice below is given with its Best-in-Class Practice Overview and its Best-in-Class Elements.

Threat Modeling
  Overview: Optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent or mitigate the effects of threats to the system.
  Elements:
  - Implement STRIDE modeling (i.e., Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege).
  - Employ threat modeling tools.
  - Consider the security impact of each design decision, and think like the attacker.  Desired outcome: choose the design decision that protects the confidentiality and integrity of your customer’s data.

Secure Coding
  Overview: The practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities.  This can be done using peer review and tools to assess source code quality and security requirements.
  Elements:
  - Develop software using coding standards, templates and reused code shown to be resistant to vulnerabilities.
  - Employ automated tools that reduce vulnerabilities (e.g., requirements-to-code generators, automatic test script generators).
  - Perform quality audits of software to verify implementation of secure coding practices.

Security as Code
  Overview: Security as Code follows the Infrastructure as Code model to manage servers through machine-readable files at the security level.  Enables higher security through controlled configuration, automation and testing.
  Elements:
  - Security is part of quality and is tested just like functionality in the build pipeline(s).
  - Automate security testing to provide confidence in the application’s security while maintaining speed of delivery.
  - Perform quality audits of software to verify implementation of secure coding practices.

Static Application Security Testing (SAST)
  Overview: Static Application Security Testing, a type of white-box testing allowing developers to find and isolate security defects in source code.
  Elements:
  - Implement a type of security testing that relies on inspecting the source code of the application.  Analyze code to pinpoint possible security flaws.
  - Use tools to perform static code tests at the source code, byte code and binary code levels.
  - Employ peer review to enhance SAST activities.

Dynamic Application Security Testing (DAST)
  Overview: Dynamic Application Security Testing, a type of black-box testing allowing developers to find and isolate security defects in running applications.
  Elements:
  - Testing is done with tooling as part of behavioral testing.

Penetration (Pen) Test
  Overview: Penetration Testing, a type of ethical hacking, tests an application to find security vulnerabilities that an attacker could exploit.
  Elements:
  - Implement tests to evaluate the security of the system by injecting authorized simulated cyber-attacks into the system.
  - Use automated test tools to assist in test scenario, test script, and test data development.
  - We primarily automate our tests, but manual tests may also be used.

Digital Signing
  Overview: Digitally sign software, modules and libraries to confirm the author and guarantee that the code has not been altered since it was signed.
  Elements:
  - Release software packages with a checksum and digital signature.
  - Package binary artifacts, container or VM images, infrastructure configuration scripts, proper test scripts, documentation, checksum, digital signatures and release notes as an integrated package.
  - Employ a self-extracting software installer.


Table 2 Leidos' SecDevOps Cybersecurity "Best-in-Class" Practices for Defending Software

Defend

Each practice below is given with its Best-in-Class Practice Overview and its Best-in-Class Elements.

Security Analysis
  Overview: Automated and manual activities performed through introspection of logs and events.  Inability to accurately analyze logs and events could lead to missed detection of security anomalies.
  Elements:
  - Analyze the data that comes from all SDO Operations processes.
  - Identify trends and/or anomalies associated with system vulnerabilities.
  - Employ statistical techniques to aid issue identification.

Security Monitoring
  Overview: 24/7 monitoring of all assets in the inventory, including performance, software status, and security posture.
  Elements:
  - Monitor security of all system components.  Identify vulnerabilities and/or issues.
  - Use a cybersecurity service provider (CSSP) to provide additional services including Attack Sensing and Warning, Forensic Media Analysis, Assurance Vulnerability Management, Incident Reporting, Incident Handling Response, Information Operation Condition, Cyber Protection Condition, Malware Notification protection and Network Security Monitoring.
  - Detect unauthorized personnel, connections, devices and software.
  - Employ Kubernetes Sidecar Container Security Stack.

Security Auditing
  Overview: Automated and manual activities to ensure that the system remains in compliance with all security requirements, such as NIST controls, FIPS, password management, etc.
  Elements:
  - Perform user access and data access audits.
  - Detect anomalies from event correlation and record them in the issue tracking system.
  - Alert and notify identified individuals if security issues are uncovered.
  - Perform QA audits of operations processes.

Security Patching
  Overview: Ensures that the system is always adopting the latest server or module updates as a result of CVEs or other security requirements.
  Elements:
  - Implement practices to perform rapid software updates and patches.
  - Address security vulnerabilities and code weaknesses as updates are performed.
  - Implement a database security scan and test tool.
  - Achieve continuous operation.

Security Scanning
  Overview: 24/7 reporting of the security posture of the entire system.  Validation of items such as security certificates, software licensing, ports, etc.
  Elements:
  - Perform periodic security scans of software to evaluate cybersecurity weaknesses and vulnerabilities during operation.
  - Perform database security scans and look for items such as weak passwords, known configuration risks and missing patches.

Security Configuration
  Overview: Management of the security infrastructure using security-as-code methods to validate and manage security-related artifacts and files.
  Elements:
  - Implement appropriate configuration control processes when maintaining software packages.
  - Maintain an appropriate security configuration system for software changes.
  - Employ automated security scans on software.

Secure Transfer
  Overview: Secures data by implementing encryption in flight and encryption at rest.
  Elements:
  - Verify binary packages with digital signatures.
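The Digital Signing row of Table 1 (release packages with a checksum and digital signature) and the Secure Transfer row of Table 2 (verify binary packages with digital signatures) describe the producer and consumer sides of one mechanism. The Go program below is an added example and is not Leidos code or part of this CONOPS. It assumes a hypothetical package layout (a set of named artifacts, a SHA-256 checksum manifest over them, and a detached signature over the manifest); the artifact names and contents are constructed, and Ed25519 is used only as an illustrative algorithm, not as a statement of which FIPS 140-2 compliant scheme a program would select.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release is the integrated package (hypothetical layout for this example).
type Release struct {
	Artifacts map[string][]byte // artifact name -> bytes
	Manifest  []byte            // one "<sha256 hex>  <name>" line per artifact, sorted by name
	Signature []byte            // Ed25519 signature over Manifest
}

// NewSigningKey generates an Ed25519 key pair for the release signer.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// buildManifest hashes every artifact in sorted name order so the signed bytes
// are reproducible regardless of map iteration order.
func buildManifest(artifacts map[string][]byte) []byte {
	names := make([]string, 0, len(artifacts))
	for n := range artifacts {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(artifacts[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// Sign assembles the package; signing the manifest rather than each file binds
// the whole artifact set to a single signature.
func Sign(priv ed25519.PrivateKey, artifacts map[string][]byte) Release {
	m := buildManifest(artifacts)
	return Release{Artifacts: artifacts, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// Verify is the consumer-side check. The signature is checked before the checksums:
// an unauthenticated manifest could simply list the hashes of the altered files.
func Verify(pub ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pub, r.Manifest, r.Signature) {
		return errors.New("manifest signature invalid (manifest altered or signed with an untrusted key)")
	}
	expected := make(map[string]string)
	for _, line := range strings.Split(string(r.Manifest), "\n") {
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	if len(expected) != len(r.Artifacts) {
		return errors.New("artifact set differs from manifest (file added or removed)")
	}
	for name, content := range r.Artifacts {
		sum := sha256.Sum256(content)
		if want, ok := expected[name]; !ok || hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("artifact %q missing from manifest or checksum mismatch", name)
		}
	}
	return nil
}

// SampleArtifacts returns constructed release contents (not a real release).
func SampleArtifacts() map[string][]byte {
	return map[string][]byte{
		"app.bin":   []byte("constructed binary payload"),
		"deploy.sh": []byte("#!/bin/sh\necho deploy\n"),
	}
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	rel := Sign(priv, SampleArtifacts())
	fmt.Println("genuine package:", Verify(pub, rel))
	// An artifact swapped after release no longer matches its manifest entry.
	swapped := Sign(priv, SampleArtifacts())
	swapped.Artifacts["app.bin"] = []byte("replaced payload")
	fmt.Println("swapped artifact:", Verify(pub, swapped))
	// Rewriting the manifest to match the swapped file fails without the release key.
	_, otherPriv, _ := NewSigningKey()
	fmt.Println("re-signed with untrusted key:", Verify(pub, Sign(otherPriv, swapped.Artifacts)))
}
```

The consumer pins the release public key and checks the signature before trusting any checksum; checking checksums alone would only detect accidental corruption, since whoever swaps a file can rewrite an unsigned manifest to match.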



COMPANY CONFIDENTIAL - NOT FOR USE OUTSIDE OF LEIDOS
