MITRE Defense Agile Acquisition Guide - Mar 2014
and technologically advanced. That is the force for the future.” - Secretary Panetta, Defense Security Review, 5 Jan 12 iii Foreword Department of Defense (DoD) program managers and executives have Criticality Program supports a critical mission in which defects may result in loss of life or high security risks. Industry has relevant domain experience and Agile development expertise. Developer contractor team of software developers, including software and security engineers, data specialists, testers, quality assurance, and configuration managers. Ideally these participants are co-located in
0 points | 74 pages | 3.57 MB | 5 months ago
The DevOps Handbook
Containers 5. Automated tests 6. Project artifacts – documentation, procedures, etc. 7. Application configuration files 8. This also includes pre-production and build processes 9. Tools iv. 2014 State of DevOps eliminates “worked on my machine” 3. Package the application to enable repeatable installation and configuration into an environment 4. Environments can be more production-like in a consistent and repeatable automate tests to validate the “-ilities” that are important (availability, capacity, security, etc.) ii. Incorporate security hardening testing and evaluation m. PULL OUR ANDON CORD WHEN THE DEPLOYMENT PIPELINE
0 points | 8 pages | 23.08 KB | 5 months ago
The DevOps Handbook
expected iv. Great Amazon Reboot of 2014 – 10% of Amazon EC2 servers had to reboot for Xen emergency security patch. At Netflix, zero downtime, no one actively working incidents. They were at a Hollywood party the entire organization 1. Configuration standards for libraries, infrastructure, and environments 2. Deployment tools 3. Testing standards and tools, including security 4. Deployment pipeline tools Technical Practices of Integrating Information Security, Change Management, and Compliance 1. Introduction a. Goal to simultaneously achieve Information Security goals and create high degree of assurance
0 points | 9 pages | 25.13 KB | 5 months ago
DevOps Meetup
possible. Control our destiny • Started to engineer solutions for issues related to product configuration and deployment • Built a strong relationship with development (built empathy) • Development Installations • Route Adds – requires heightened security access • Database Data Script Execution • Load Balancer Node Disablement • OS and Security Patching • Requesting access to technology specific
0 points | 2 pages | 246.04 KB | 5 months ago
The DevOps Handbook
engineers to track what they need to track, at the drop of a hat, without requiring time-sucking configuration changes or complicated processes.” iv. 2015 State of DevOps Report – high performers had MTTR 5. Fatal – forces a termination iv. Examples of potentially significant events (Gartner’s GTP Security & Risk Management group) 1. Authentication/authorization decisions 2. System and data access
0 points | 8 pages | 24.02 KB | 5 months ago
DoD CIO Enterprise DevSecOps Reference Design - Summary
aims at unifying software development (Dev), security (Sec) and operations (Ops). The main characteristic of DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle: DevSecOps, testing and security are shifted to the left through automated unit, functional, integration, and security testing - this is a key DevSecOps differentiator since security and functional capabilities continuous monitoring approach in parallel instead of waiting to apply each skill set sequentially. • Security risks of the underlying infrastructure must be measured and quantified, so that the total risks
0 points | 8 pages | 3.38 MB | 5 months ago
The DevOps Handbook
Agile c. Myth—DevOps is incompatible with ITIL d. Myth—DevOps is Incompatible with Information Security and Compliance: e. Myth—DevOps Means Eliminating IT Operations, or “NoOps” f. Myth—DevOps is Just designed. b. automate as much of the quality checking typically performed by a QA or Information Security department as possible c. Gary Gruver observes, “It’s impossible for a developer to learn anything structures, but in developing capability and habits in its people.” f. TESTING, OPERATIONS, AND SECURITY AS EVERYONE’S JOB, EVERY DAY i. In high-performing organizations – shared common goal that is
0 points | 8 pages | 22.57 KB | 5 months ago
Topic Throwback Vote Tally
Agile Principles 0 Nick Tuck XP Practices 1 Shawn Stumme Continuous Delivery 4 Josh Wade Cyber Security through Agile 2 Nick Tuck Maximizing Retrospectives 2 Ray Page Open Agile Topics 0 Jason Beranek 3 Josh Sagucio Collaborative Work Environments 3 Nick Tuck Assuring Quality 3 Josh Wade Cyber Security through Agile 2 Nick Tuck Maximizing Retrospectives 2 Nick Wenner Clean Code - Book Overview
0 points | 2 pages | 132.33 KB | 5 months ago
Topic Throwback Poster
Tuck XP Practices shawn stumme Continuous Delivery Josh Wade Cyber Security through Agile Mar 2014 Nick Tuck Maximizing Retrospectives Ray Page
0 points | 1 page | 4.74 MB | 5 months ago
No Silver Bullet – Essence and Accident in Software Engineering
need… • a Service Mesh, but to secure it I need… • an automated Certificate Authority, and for more security I need… • a Container scanning and monitoring service, and to monitor it more I need… • a Log Aggregation
0 points | 35 pages | 1.43 MB | 5 months ago