SATURN 2018

DevOps has become a standard option for entities seeking to streamline and increase comprehensive participation by all stakeholders in their secure development lifecycle (SDLC). In most cases in industry, academia, and government, applying DevOps is a straightforward process. There is a subset of entities in these three sectors where applying Secure DevOps is challenging. These are entities that are highly regulated (HRE) as mandated by policies for various reasons (most often for general security reasons and the protection of intellectual property). This presentation describes what was learned applying DevOps in these environments.

The SDLC of a highly regulated entity can still benefit from implementing DevOps as long as it does not break any policy. An HRE is typically characterized by the following: air-gapped computer systems, isolated working groups, strong physical security, segregation of duties, an inability to speak openly on certain topics, strong scrutinizing to enter certain areas, inability to take certain artifacts off the premises, and required risk management framework integration into application development process. In general, these environments promote isolation and gaps between persons and projects—in direct contrast to DevOps, where the main goal is to establish open communication between all members and stakeholders of a project, including SOC staff.