UNCLASSIFIED
iv
UNCLASSIFIED
Executive Summary
Legacy software acquisition and development practices in the DoD do not provide the agility to
deploy new software “at the speed of operations”. In addition, security is often an afterthought,
not built in from the beginning of the lifecycle of the application and underlying infrastructure.
DevSecOps is the industry best practice for rapid, secure software development.
DevSecOps is an organizational software engineering culture and practice that aims at unifying
software development (Dev), security (Sec) and operations (Ops). The main characteristic of
DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle:
plan, develop, build, test, release, deliver, deploy, operate, and monitor. In DevSecOps, testing
and security are shifted to the left through automated unit, functional, integration, and security
testing - this is a key DevSecOps differentiator since security and functional capabilities are
tested and built simultaneously.
The benefits of adopting DevSecOps include:
• Reduced mean-time to production: the average time it takes from when new software
features are required until they are running in production;
• Increased deployment frequency: how often a new release can be deployed into the
production environment;
• Fully automated risk characterization, monitoring, and mitigation across the application
lifecycle;
• Software updates and patching at "the speed of operations".
This DoD Enterprise DevSecOps Reference Design describes the DevSecOps lifecycle,
supporting pillars, and DevSecOps ecosystem; lists the tools and activities for DevSecOps
software factory and ecosystem; introduces the DoD enterprise DevSecOps container service that
provides hardened DevSecOps tools and deployment templates to the program application
DevSecOps teams to select; and showcases a sampling of software factory reference designs and
application security operations. This DoD Enterprise DevSecOps Reference Design provides
implementation and operational guidance to Information Technology (IT) capability providers,
IT capability consumers, application teams, and Authorizing Officials.
