Due to the acquisition process, code cannot be released every sprint, but Agile dictates frequent release of working software. In order to facility this, delivery teams should maintain a pre-production environment that mirrors production and accommodates frequent releases. This allows early operational monitoring, red teaming activities, and identifies vulnerabilities prior to release. As mentioned above automation is integral to the success Agile development. Along with the automation of test cases, release management should also automate the deployment process to ensure a thorough and repeatable process. This automation is also important to the assurance of the system as automation limits the ability to compromise the system through the addition of vulnerabilities at the release stage. Projects can automate the configuration, code signing, unit testing, versioning, code analysis, and test deployment to ensure proper release to all environments. Release acceptance testing, taking place on pre-production, can also be automated based on test cases developed throughout the sprint. Acceptance test should include regression, performance, and integration testing to identify vulnerabilities. Deployment follows the software development cadence with working software being delivered at the completion of each sprint and releases to the production aligning with completion of functional capabilities. Once again, projects can use the IDE for configuration management of all defects and vulnerabilities to include software version and the environment where they were identified, with mitigation and fixes tracked and included in regression test cases.
Release of an acquisition system into the production environment requires that programs complete operational testing and obtain an authority to operate. This is a very detailed and, for Major Defense Acquisition Programs (MDAP), waterfall process. Many times it is this process that discovers a majority of vulnerabilities, when the costs of rework are expensive. The Agile approach outlined above discovers defects and vulnerabilities within development sprints, when the cost to mitigate or fix is comparably low. Once operational, projects should continue to monitor and maintain these systems using tools designed to run along with the application, operational monitoring, to identify any changes in system performance or runtime.
Benefits of Agile and Introduction to DevOps
Maintaining a high security posture is becoming increasingly difficult as the cyber security threats become more complex. Although the fundamental systems engineering process for developing secure software remains the same, new methodologies, tools, and technologies are always emerging to protect our systems. The Agile manifesto was written to place an emphasis on the importance of responding to change and through the implementation of Agile teams can not only streamline software assurance best practice, but can also adapt to changes when new vulnerabilities or assurance techniques are discovered. These are some of the key Agile processes that can be used to facilitate software assurance best practice:
Cyber security is a high priority for all programs in the DoD. Unfortunately it is not always funded and often times it is viewed as resource intensive for programs trying to implement it outside of the systems engineering process. Using an Agile methodology, the cadence of sprint development makes it possible to neatly align all elements of software assurance. Sprint planning requires review of design, architecture, and requirements. Development teams perform code reviews, develop unit test, and run all code through static analysis tools before delivery. Team testers ensure test plans are developed and acceptance criteria are met. All of this takes place in a two to four week sprint and ensures that software assurance activities are not burdensome due to the reduced scope. At the completion of a sprint, IV&V and release management teams operate on the same cadence once code is integrated. All of this culminates in a scheduled release of working and secure software that has been rigorously tested before moving to pre-production for user acceptance or the production environment.