How to use a trusted software supply chain to adopt DevSecOps

Deploy at the speed of operations

Mission and user needs change frequently—and sometimes suddenly. Deploying new software at the “speed of operations” requires trust that the software is compliant, high-quality, more secure by default, and observable.

Practices like test-driven development (TDD) and continuous integration/continuous deployment (CI/CD) promote a DevSecOps culture and build trust. But introducing these practices is one thing and enforcing them is another. Imagine that a development team leader implements an end-of-day process for team members to check in code, run the tests, send the test report to management, and deploy the code to a shared environment if the tests succeed. What if a team member checks in and deploys code, skipping the steps in between? Even when teams have the best intentions, making sure they do the right things is difficult without development guardrails.

A trusted software supply chain (TSSC) provides those guardrails by accelerating and enforcing the right behaviors (see sidebar).

The value of a trusted software supply chain

Software teams, business leaders, and users can trust that software produced by a TSSC meets the agency’s standards for:

  • Security. Applications do not act maliciously and have defenses to protect them from malicious actors.
  • Compliance. Applications adhere to required controls.
  • Privacy. Applications protect sensitive information that should not be shared.
  • Transparency. Applications produce metadata—for example, about health and security posture—so that software behavior is observable and verifiable.   

Trust that software complies with your agency’s security, compliance, privacy, and transparency standards can also accelerate issuance of authority to operate (ATO) by discouraging behaviors that can slow the process. 

Elements of the trusted software supply chain

Powered by Red Hat® OpenShift® Container Platform, a TSSC brings together trusted third-party tools and prescriptive workflows for best practices such as TDD and CI/CD. The TSSC enforces best practices—for example, by not allowing code into production before it has been validated with static code analysis and security scanning tools. It also makes the right action easy—for example, by requiring developers to pull components (containers, libraries, binaries) from a trusted repository rather than from arbitrary public sources. By enforcing best practices with opinionated gates and other controls, a TSSC provides a high degree of confidence in code deployments. This helps operations teams adopt efficiency-boosting site reliability engineering (SRE) practices.
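The two guardrails described above (a deploy that is refused until the analysis and scan stages have actually run and passed, and a rule that every pulled component comes from a trusted registry and is pinned by digest) can be expressed as a small promotion-gate check. The following is an added example written for this page; it is not Red Hat's code and not part of the TSSC product. The build-record format, the stage names, the registry allowlist hostnames and the sample builds are all assumptions constructed for the example. The second sample build reproduces the shortcut from the team-leader scenario earlier on the page: code checked in and deployed with the steps in between skipped.

```python
"""Promotion gate for a trusted software supply chain pipeline (added example).

Not Red Hat's code.  Models two guardrails: deploy is refused unless the
required pipeline stages ran and passed, and every component pulled during the
build must come from a trusted registry and be pinned by digest.  Build record
format, stage names and registry allowlist are assumptions for the example.
"""
import re
from dataclasses import dataclass

# Assumed allowlist of trusted registries (hypothetical hostnames).
TRUSTED_REGISTRIES = {"registry.example.gov", "registry.redhat.io"}

# Stages that must have run and passed before a deploy is permitted (assumed names).
REQUIRED_STAGES = ("unit-test", "static-analysis", "security-scan")

# Image reference grammar: [registry/]repo[:tag][@sha256:digest].  A leading
# path component is treated as a registry only if it contains a '.' (or is
# localhost with an optional port), matching the usual container convention.
_REF_RE = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|localhost(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass
class StageResult:
    name: str
    passed: bool
    critical_findings: int = 0   # e.g. critical CVEs reported by the scanner


@dataclass
class BuildRecord:
    commit: str
    stages: list                 # StageResult entries that actually ran
    components: list             # image references pulled during the build


def parse_image_ref(ref):
    """Split an image reference into registry, repo, tag and digest."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    parts = m.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"   # implicit default registry
    return parts


def check_component(ref):
    """Return the list of policy violations for one pulled component (empty = ok)."""
    try:
        parts = parse_image_ref(ref)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parts["registry"] not in TRUSTED_REGISTRIES:
        problems.append(f"{ref}: registry {parts['registry']} is not trusted")
    if parts["digest"] is None:
        problems.append(f"{ref}: not pinned by digest (mutable tag)")
    return problems


def evaluate_gate(build):
    """Decide whether a build may be deployed.  Returns (allowed, reasons)."""
    reasons = []
    results = {s.name: s for s in build.stages}
    for name in REQUIRED_STAGES:
        stage = results.get(name)
        if stage is None:
            reasons.append(f"stage {name} was skipped")      # never ran at all
        elif not stage.passed:
            reasons.append(f"stage {name} failed")
        elif stage.critical_findings:
            reasons.append(f"stage {name} reported {stage.critical_findings} critical finding(s)")
    for ref in build.components:
        reasons.extend(check_component(ref))
    return (not reasons, reasons)


# Constructed sample data.  The digest is a placeholder, not a real image digest.
GOOD_DIGEST = "sha256:" + "ab" * 32

COMPLIANT_BUILD = BuildRecord(
    commit="c0ffee1",
    stages=[StageResult("unit-test", True),
            StageResult("static-analysis", True),
            StageResult("security-scan", True, critical_findings=0)],
    components=[f"registry.redhat.io/ubi9/ubi-minimal:9.4@{GOOD_DIGEST}",
                f"registry.example.gov/platform/base-python:3.11@{GOOD_DIGEST}"],
)

# The shortcut: tests ran, but analysis and scanning were skipped, and one
# component was pulled from a public registry by floating tag.
SHORTCUT_BUILD = BuildRecord(
    commit="deadbee",
    stages=[StageResult("unit-test", True)],
    components=["docker.io/library/python:3",
                f"registry.redhat.io/ubi9/ubi-minimal:9.4@{GOOD_DIGEST}"],
)

if __name__ == "__main__":
    for build in (COMPLIANT_BUILD, SHORTCUT_BUILD):
        allowed, reasons = evaluate_gate(build)
        print(build.commit, "ALLOWED" if allowed else "DENIED")
        for reason in reasons:
            print("  -", reason)
```

The gate treats a missing stage the same way as a failed one, which is the point of the scenario on this page: a pipeline that only checks for failures lets a skipped scan through. In a real pipeline the stage results would come from the CI system's own records rather than a hand-built list, and the registry allowlist would be enforced on the cluster as well, so the gate is not the only place the rule lives.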

Using OpenShift Container Platform as the underpinning, we build the TSSC with the tools and libraries needed for your requirements, adapting it as agency requirements evolve.

Figure 1. Red Hat trusted software supply chain