DoD Enterprise DevSecOps Reference Design from the DoD CIO – A Summary Content referenced from: https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference %20Design%20v1.0_Public%20Release security sidecar container CSIAC Webinars - DoD Enterprise DevSecOps Initiative – Nicolas Chaillan presenting https://www.csiac.org/podcast/dod-enterprise-devsecops-initiative/ DoD Centralized Container

Operations to improve outcomes 2. Ch. 9 – Create the Foundations of Our Deployment Pipeline a. Enterprise Data Warehouse program by Em Campbell-Pretty - $200M, All streams of work were significantly behind Rollback by swinging traffic back 2. Database changes a. Create two DB – put one in read only mode, backup & restore to new environment, swing traffic b. Decouple DB changes from application changes i rarely works at scale 10X or 100X d. USE THE STRANGLER APPLICATION PATTERN TO SAFELY EVOLVE OUR ENTERPRISE ARCHITECTURE i. Coined by Martin Fowler in 2004 ii. Strangler Application 1. Put existing functionality

availability 8. Startups & shutdowns 9. Faults & errors 10. Circuit breaker trips 11. Delays 12. Backup success/failure d. USE TELEMETRY TO GUIDE PROBLEM-SOLVING i. Don’t practice “Mean Time until Declared feature as a hypothesis and use real users to prove/disprove the hypothesis 1. Barry O’Reilly, Lean Enterprise describes as: We Believe that Will Result in . We

processes, and culture often run counter to those in the long-established defense acquisition enterprise. The Agile model represents a change in the way DoD conducts business, and programs must rethink participate in continuous testing activities, and provides feedback on developed capabilities. Enterprise Architect Creates architectures and designs in an iterative manner to ensure that designs evolve metrics) and deliverables (e.g., code)?  Is there a clear owner of the program (or broader enterprise) architecture?  Is there a clear, early commitment from user representatives and the broader

month, you can find this on the Agile4Defense GitHub page at: https://git.io/JeaOu Enterprise Architecture Enterprise Architecture, the domain of the IT bureaucrats, is the place we must look for the solution overrated. A Better Way – Treat IT as an Enterprise Asset (EA): When we add all of our current IT capabilities together, we arrive at an asset that enables the enterprise to earn future revenues and reduce they have produced. As a result, the code can be developed in a user-centric way and match the enterprise’s needs precisely. Risk is low, because the team is constantly adjusting.  Option 2: Compare

Time in Part 2 Enterprise Architecture: The job of IT leaders is not to execute projects on behalf of the business; it is to steward the asset that is the total of all of the enterprise’s IT capabilities—an robust feedback cycles and flexible decision-making processes, by creating options and grooming enterprise capabilities so that they will be responsive to change, and by demonstrating the value of information Assets: senior IT leadership has the responsibility for stewarding three critical assets: the Enterprise Architecture asset, the IT people asset, and the data asset. These three assets represent the

intangible asset, which I will call – despite some disconcerting connotations of the term – the Enterprise Architecture. The asset view of IT will substitute for the outdated project view in my vision cannot be done in an Agile way without the strangler pattern.Coming up in Part Two Enterprise Architecture: Enterprise Architecture, the domain of the IT bureaucrats, is the place we must look for the hope. And that’s what this book is meant to be, really. About the Author Mark Schwartz is an Enterprise Strategist at Amazon Web Services and the author of The Art of Business Value and A Seat at the

Requirements for Teams Programs and the Enterprise (2011) and Scaling Software Agility: Best Practices for Large Enterprieses (2007) Implementing agile practices at enterprise scale Synchronizes alignment, collaboration epics  architectural epics  kanban epic system – limit WIP  program portfolio management, enterprise architect  value streams  investment themes - provide operating budgets for release trains

these reviews should focus on the relatively small scope of a release and how it aligns to the enterprise architecture. Similar technical reviews can be decomposed to the release level.  DO continuous

[ 默认⼯作在tcp 22端⼝, 弱⼝令, 远程执⾏, 后⻔植⼊ ] ORACLE [ 默认⼯作在tcp 1521端⼝, 弱⼝令, 敏感账号密码泄露, 提权, 远程执⾏, 后⻔植⼊ ] Mysql [ 默认⼯作在tcp 3306端⼝, 弱⼝令, 敏感账号密码泄露, 提权(只适⽤于部分⽼系统) ] REDIS [ 默认⼯作在tcp 6379端⼝, 弱⼝令, 未授权访问, 写⽂件(webshell CVE-2019-13272 利⽤各类第三⽅服务 / 软件⼯具提权 Mssql [重点] Oracle [重点] Mysql 各类第三⽅软件dll劫持 [重点] suid权限 计划任务 各种错误服务配置利⽤ 0x06 内⽹安全 [