DevSecOps

DevSecOps Principles

GSA IT recommends and strongly encourages applications within the Cloud Ecosystem follow the six key DevSecOps principles described below to enable consistency and appropriately scale within the Enterprise.

1. Define all Infrastructure as Code

• Cloud infrastructure must be defined as Infrastructure as Code (IaC)

• IaC must live in a version-controlled repository

• IaC should be developed modularly with sensitive configuration data being extracted to variables

• IaC components must be maintained and updated throughout its effective lifetime

2. All changes to production should be tested in lower level environment

• Production changes must be tested in a lower environment. If this is not feasible, changes must have a rollback plan

3. Version Controlled Assets

• Code, documentation and resulting binary assets must be version-controlled and appropriately signed or tagged to uniquely identify the asset

4. Configuration Data Storage

• Mutable configuration data must be stored and consumed programmatically using an appropriate software, service or technology

5. Implement Automated Configuration Management

• Product teams must implement Automated Configuration Management on deployed mutable instances (e.g. packages, daemons, agents, applications)

• Changes to running mutable instances must be performed through idempotent automation and not human intervention

• Automated Configuration Management components must be maintained in the version control system

• Automated Configuration Management must be incorporated into the FISMA System Continuity of Operations Plan

6. Implement DocOps

• Product documentation must be integrated into the version control system

• Product changes must provide updates to applicable documentation

• Documentation changes must be continuously released alongside product versions

Return to Standards Alignment