Organizations often struggle in applying DevSecOps practices and principles, particularly in heavily regulated and cybersecurity-constrained environments, because they lack a consistent basis for managing software-intensive development, cybersecurity, and operations in a high-speed lifecycle. These organizations need an authoritative reference in order to fully design and execute an integrated DevSecOps strategy in which all stakeholder needs are addressed. The SEI developed the DevSecOps Platform Independent Model (PIM) to enable organizations to implement DevSecOps in a secure, safe, and sustainable way in order to fully reap the benefits of flexibility and speed available from implementing DevSecOps principles, practices, and tools.
DevSecOps is not simply a technology, a pipeline, or a system. It is an entire socio-technical environment that encompasses the people in certain roles, the processes they carry out, and the technology used to provide a capability that results in a relevant product or service being delivered to meet a need. Because of this, there is no one-size-fits-all, one-and-done pipeline. Each DevSecOps pipeline must be tailored to fulfill the needs of a particular program and must evolve as the needs of the organization change.
While there are many theories and tools for DevSecOps, there is no practical framework for its implementation and evaluation. Filling this gap is especially critical for major Department of Defense programs because they rely on the DevSecOps pipeline to repeatedly perform key assurance activities to address the scale and complexity of their software systems. While large organizations have successfully implemented some aspects of DevSecOps on smaller initiatives, they can struggle to implement these same techniques on large-scale projects.
The DevSecOps Platform Independent Model was developed to outline the activities necessary to consciously and predictably evolve the pipeline, while providing a formal approach and methodology to building a secure pipeline tailored to an organization’s specific requirements. The model is especially useful to government agencies and heavily regulated or constrained segments of industry, such as banking and healthcare, where implementing DevSecOps at scale can be challenging.
The DevSecOps PIM includes ten capability areas covering every stage of the DevSecOps lifecycle. The team mapped requirements to capabilities and defined four capability levels to qualitatively evaluate DevSecOps capabilities from planning to software assurance. In addition to capabilities, the model defines the roles and responsibilities for different positions within the organization with goals and measurements to fully encompass the socio-technical aspects of the pipeline.
The model also maps out process flows required in building a secure and resilient DevSecOps pipeline, outlining the different data elements that impact the pipeline, building in security, and applying a measurement framework to allow model users to quantify the health of their DevSecOps pipeline through the development and operational lifecycles—all while reducing time to deployment.
The DevSecOps PIM provides
The DevSecOps PIM enables organizations, projects, teams, and acquirers to
The DevSecOps PIM enables organizations to implement DevSecOps in a secure, safe, and sustainable way.
Learn More: This blog post presents a DevSecOps Platform-Independent Model that uses model-based systems engineering constructs to formalize the practices of DevSecOps pipelines and organize guidance.