DevSecOps

The Sedaro Platform's DevSecOps implementation enables one of the pillars of the Sedaro Platform: "Run anywhere, securely".

Introduction

Sedaro has the unique difficulty of needing to deliver, monitor, and secure software quickly across any environment: Azure, AWS, GCP, on-prem, air-gapped networks, and edge compute. Traditional solutions to this problem lean on highly centralized approaches, which run counter to modern, lean software delivery and DevOps goals. In a centralized approach, cyber analysis (vulnerability scanning, static analysis, etc.) and hardening (security policies, etc.) are both straightforward: some central automation aggregates all software, performs the relevant analyses and build procedures, and delivers the built artifacts to target environments. While simpler overall, this approach prohibits agile teams from shipping their own software directly. Patching bugs and delivering new features requires the centralized deployment authority to be in the loop, slowing delivery cycles and, as a result, the pace of innovation.

Accreditation

The Sedaro Platform actively operates at IL4, IL5, and SECRET (with TS/SCI and SAP in progress). Sedaro's hardened implementation combines enterprise-grade security with state-of-the-art software operations technologies to deliver modern capabilities into the most demanding and highly-secure environments.

Sedaro streamlines the ATO/CTF process via industry-leading DevSecOps automation and clear, concise cyber artifact generation. The following cyber artifacts are available on request for any given system build, and all documents are maintained in diff-able formats to facilitate efficient delta review:

  1. System Security Plan
  2. Container Profiles
    1. CVE summary
    2. Software Bill of Materials (SBOM)
    3. Ports, Protocols and Services Management (PPSM)
  3. POA&M inputs
  4. Application Security and Development (ASD) STIG compliance
  5. Network Architecture and Data Flow Diagrams

Design

Sedaro Platform DevSecOps enables highly secure yet independent delivery of Workloads to any and all Sedaro environments. A few key concepts and design decisions enable this:

Hierarchical Configuration

All Platform Workloads implement a static YAML specification describing how to obtain, host, and configure the workload's various components. Configuration can be defined for a specific environment or for all environments. The YAML specification implements a simple inheritance model such that multiple environments can inherit configuration from an all.yaml while still overriding anything they do not want to inherit. During Workload compilation, a compiled configuration is generated which acts as the single source of truth for all config for the destination environment. This compiled configuration is what all subsequent scanning, auditing, and document generation steps act on. It is also what Sedaro IaC uses to configure pod images/tags, networking constraints, ingress definitions, the observability subsystem, etc.
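The inheritance model above, as an added example that is not Sedaro's own tooling. The page does not show the YAML files or the exact merge semantics, so two things here are assumptions: the YAML documents are represented as already-parsed JavaScript objects (constructed sample data standing in for all.yaml and airgap.yaml), and lists are treated as atomic values that an environment replaces wholesale rather than appends to, so an air-gapped environment can empty an inherited egress allow-list. The names allYaml, airgapYaml, inherit and compile are illustrative.

```javascript
// Added example (not Sedaro's code): models the all.yaml -> <env>.yaml
// inheritance. The YAML files are represented as already-parsed
// JavaScript objects; both are constructed sample data.

// Base configuration shared by every environment (stand-in for all.yaml).
const allYaml = {
  image: { repo: "registry.example.internal/workload-api", tag: "1.4.2" },
  ports: [{ port: 8443, protocol: "TCP", service: "api" }],
  network: { egressAllow: ["telemetry.example.internal:443"] },
  observability: { logLevel: "info", metrics: true },
};

// Environment-specific overrides (stand-in for airgap.yaml). Only the
// keys that differ are listed; everything else is inherited.
const airgapYaml = {
  image: { repo: "registry.airgap.local/workload-api" }, // new repo, tag inherited
  network: { egressAllow: [] },                          // no egress at all
  observability: { logLevel: "warn" },
};

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

function clone(v) {
  return JSON.parse(JSON.stringify(v));
}

// Merge `override` onto `base` without mutating either. Keys missing
// from `override` are inherited; keys present in both are merged
// recursively when both sides are objects, otherwise the override
// wins. Arrays are atomic (assumption, see lead-in), so an environment
// replaces an inherited list rather than extending it.
function inherit(base, override) {
  const out = {};
  for (const key of Object.keys(base)) out[key] = clone(base[key]);
  for (const [key, value] of Object.entries(override)) {
    if (isPlainObject(value) && isPlainObject(out[key])) {
      out[key] = inherit(out[key], value);
    } else {
      out[key] = clone(value);
    }
  }
  return out;
}

// The compiled configuration for one environment: the single document
// that later scanning, auditing and IaC steps would read.
function compile(envName, envYaml) {
  return { env: envName, ...inherit(allYaml, envYaml) };
}

console.log(JSON.stringify(compile("airgap", airgapYaml), null, 2));
```

Because `inherit` copies before merging, compiling one environment never changes the base document, so compiling several environments from the same all.yaml in one run yields independent results.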

Hierarchical Composition

Workload configuration, analysis, and deployment tooling can operate at the Workload level and at the Platform level. This allows a workload team to deploy just their workload to a target environment, or a platform team to deploy all workloads, alongside the Platform IaC, to a target environment. The latter deployment type is called a "rollup" and behaves much like the centralized deployment strategy described above; it is the only option for certain flavors of Sedaro delivery (on-prem, air-gapped, customer-managed, etc.).

Sedaro's tooling applies Node package management principles to achieve deterministic IaC composability. A Workload implemented in Sedaro's DevSecOps framework is published to a private NPM registry as a standard Node module, together with all of its dependencies, such as Terraform providers and utility libraries. Each Workload release is semantically versioned so that Sedaro can set version constraints in its own rollup deployments.

Semantic Versioning

A Workload's version dictates how the Workload is used in rollup deployments, as described above. It also dictates the tag associated with its set of built artifacts (i.e. containers).
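Version constraints in a rollup and the version-to-tag link, as an added example that is not Sedaro's tooling. The page says releases are semantically versioned and that rollups set constraints on them, but does not say which range operators are supported; this example assumes npm-style caret and tilde ranges with npm's semantics (a caret keeps the leftmost non-zero component fixed, a tilde keeps MAJOR.MINOR fixed). The registry listing, the rollup manifest and the package names are constructed sample data, and the tag format `<workload>:<version>` is an assumption.

```javascript
// Added example (not Sedaro's tooling): resolve each workload's version
// constraint from a rollup manifest against the releases published to
// a registry, then derive the artifact tag for the chosen release.
// Versions are plain MAJOR.MINOR.PATCH. All data below is constructed.

const publishedReleases = {
  "@example/telemetry-workload": ["1.2.0", "1.2.3", "1.3.0", "2.0.0"],
  "@example/auth-workload": ["0.4.1", "0.4.2", "0.5.0"],
};

// A rollup pins workloads with npm-style caret/tilde constraints.
const rollupManifest = {
  "@example/telemetry-workload": "^1.2.3", // any 1.x at or above 1.2.3
  "@example/auth-workload": "~0.4.1",      // 0.4.x at or above 0.4.1
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Exclusive upper bound implied by a caret or tilde constraint (npm
// rules, assumed here): ^ keeps the leftmost non-zero component fixed,
// ~ keeps MAJOR.MINOR fixed.
function upperBound(op, [maj, min, pat]) {
  if (op === "~") return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Exact pin, caret range or tilde range.
function satisfies(version, constraint) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(constraint);
  if (!m) throw new Error(`unsupported constraint: ${constraint}`);
  const [, op, floor] = m;
  if (compareVersions(version, floor) < 0) return false;
  if (op === "") return compareVersions(version, floor) === 0;
  const ceiling = upperBound(op, parseVersion(floor)).join(".");
  return compareVersions(version, ceiling) < 0;
}

// Highest published release satisfying the constraint, or null.
function resolve(name, constraint, registry = publishedReleases) {
  const candidates = (registry[name] || []).filter((v) => satisfies(v, constraint));
  if (candidates.length === 0) return null;
  candidates.sort(compareVersions);
  return candidates[candidates.length - 1];
}

// Tag derived from the resolved release, so the container a rollup
// deploys is exactly the one built and scanned for that version.
function artifactTag(name, version) {
  const short = name.replace(/^@[^/]+\//, "");
  return `${short}:${version}`;
}

// Fail the whole rollup if any constraint cannot be met, rather than
// silently deploying a partial platform.
function resolveRollup(manifest = rollupManifest, registry = publishedReleases) {
  const plan = {};
  for (const [name, constraint] of Object.entries(manifest)) {
    const version = resolve(name, constraint, registry);
    if (version === null) throw new Error(`${name}: no release satisfies ${constraint}`);
    plan[name] = { version, tag: artifactTag(name, version) };
  }
  return plan;
}

console.log(resolveRollup());
```

A range constraint means the same rollup manifest can resolve to a newer release after a workload team publishes, which is the point of independent delivery; the tag derived from the resolved version is what keeps the deployed container traceable to the build whose analysis artifacts were generated.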

Secret Delivery

Sedaro's DevSecOps Framework supports the delivery of secrets to a Workload from various secret management services or from an admin-local .env file. In either case, the system verifies that all required environment variables are available from the chosen source. The system can also mock secrets, which makes synthesis and testing easy and air-gap friendly.
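The three secret sources and the required-variable check, as an added example that is not Sedaro's framework. The page does not show the framework's interfaces, so the secret-manager client is replaced by a constructed lookup table, the .env text is constructed sample data, and the required-name list, the `MOCK_` value prefix and the function names are assumptions. The check is the same for every source: every required name must be present and non-empty, and only required names are passed through to the workload.

```javascript
// Added example (not Sedaro's code): resolve a workload's required
// secrets from a secret manager, an admin-local .env file, or mocks,
// applying one fail-closed "all required names present" check to each.
// The .env text and secret-manager contents are constructed samples.

const requiredSecrets = ["DB_PASSWORD", "API_SIGNING_KEY", "OBJECT_STORE_TOKEN"];

// Admin-local .env contents. Comments, blank lines, `export` prefixes and
// quoted values are handled; OBJECT_STORE_TOKEN is deliberately missing.
const sampleDotEnv = `
# local admin secrets (constructed sample)
export DB_PASSWORD="s3cr3t-with spaces"
API_SIGNING_KEY='abc==' # trailing comment
OPTIONAL_FLAG=yes # not a secret, should not reach the workload
`;

function parseDotEnv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) throw new Error(`malformed .env line: ${raw}`);
    const quoted = /^(["'])(.*)\1(?:\s+#.*)?$/.exec(m[2]);
    // Quoted values keep their contents verbatim; unquoted values lose
    // any trailing "# comment".
    out[m[1]] = quoted ? quoted[2] : m[2].replace(/\s+#.*$/, "").trim();
  }
  return out;
}

// Source 1: secret manager. Stand-in for a client that fetches named
// secrets (constructed; real services differ).
const secretManagerStore = {
  DB_PASSWORD: "pg-prod-pass",
  API_SIGNING_KEY: "prod-key",
  OBJECT_STORE_TOKEN: "prod-token",
};
function fromSecretManager(names, store = secretManagerStore) {
  const out = {};
  for (const n of names) if (n in store) out[n] = store[n];
  return out;
}

// Source 2: admin-local .env file.
function fromDotEnv(text) {
  return parseDotEnv(text);
}

// Source 3: mocks for synthesis and testing; values are recognisably fake
// so a mocked build can never be mistaken for a real one.
function mocked(names) {
  return Object.fromEntries(names.map((n) => [n, `MOCK_${n}`]));
}

// Fail closed: every required name must be present and non-empty before
// the workload is handed its environment. Only required names are passed
// through, so stray .env entries do not leak into the workload.
function resolveSecrets(source, required = requiredSecrets) {
  const missing = required.filter((n) => !(n in source) || source[n] === "");
  if (missing.length > 0) {
    throw new Error(`missing required secrets: ${missing.join(", ")}`);
  }
  return Object.fromEntries(required.map((n) => [n, source[n]]));
}

function tryResolve(source) {
  try {
    return { ok: true, env: resolveSecrets(source) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log(tryResolve(fromDotEnv(sampleDotEnv)));   // fails: token missing
console.log(tryResolve(mocked(requiredSecrets)).ok); // true
```

Checking for presence at resolution time, rather than letting the workload discover an undefined variable at runtime, is what makes the .env and secret-manager paths interchangeable: a deployment that would start with an incomplete environment is rejected before any container is launched.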

Opinionated IaC Where It Counts

When a Workload's IaC is implemented in Sedaro's DevSecOps Framework, runtime hardening comes out of the box. Factory capabilities ensure that both cloud-specific and cloud-agnostic hardening is applied to every workload component.

Cyber Analysis and Artifact Generation

Sedaro DevSecOps supports automated deep analysis and cyber artifact generation from the compiled configuration for a target environment. Analyses include SBOM generation, CVE scanning, software license checks, and STIG compliance. Analysis is performed against all assembled artifacts, and deterministic, version-control-friendly reports are generated for each container.
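What "deterministic, version-control-friendly" means for a per-container CVE report, as an added example that is not Sedaro's analysis tooling. The page names the analyses but not the report format, so the tab-separated layout, the severity ordering and the function names are assumptions. The scanner output is constructed: the CVE identifiers use the placeholder pattern CVE-0000-NNNN and the package names are invented, so none of the findings refer to real vulnerabilities.

```javascript
// Added example (not Sedaro's code): normalise raw CVE scanner output
// into a deterministic, line-oriented report so that two scans of the
// same artifact produce byte-identical files and consecutive builds can
// be reviewed as a diff. Findings are constructed placeholders.

const scanRunA = {
  scanId: "run-7f3a",
  startedAt: "2024-01-01T00:00:00Z",
  container: "telemetry-workload:1.3.0",
  findings: [
    { id: "CVE-0000-1002", pkg: "libbar", version: "2.1.0", severity: "HIGH", fixedIn: "2.1.1" },
    { id: "CVE-0000-1001", pkg: "libfoo", version: "1.0.0", severity: "MEDIUM", fixedIn: null },
    { id: "CVE-0000-1001", pkg: "libfoo", version: "1.0.0", severity: "MEDIUM", fixedIn: null }, // scanner duplicate
  ],
};

// The same image scanned again later: new run metadata, different order.
const scanRunB = {
  ...scanRunA,
  scanId: "run-91c0",
  startedAt: "2024-01-02T00:00:00Z",
  findings: [scanRunA.findings[1], scanRunA.findings[0]],
};

const SEVERITY_RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, UNKNOWN: 4 };

// Only stable fields go into the report. Run ids and timestamps are
// dropped because they change on every scan without any change in the
// artifact; duplicates collapse on (cve, package, version); rows are
// ordered by severity, then lexically, so the output is a pure function
// of the findings.
function canonicalReport(scan) {
  const rows = new Map();
  for (const f of scan.findings) {
    const sev = f.severity in SEVERITY_RANK ? f.severity : "UNKNOWN";
    const key = [f.id, f.pkg, f.version].join("\t");
    rows.set(key, `${key}\t${sev}\t${f.fixedIn ?? "-"}`);
  }
  const lines = [...rows.values()].sort((a, b) => {
    const [sa, sb] = [a.split("\t")[3], b.split("\t")[3]];
    return SEVERITY_RANK[sa] - SEVERITY_RANK[sb] || (a < b ? -1 : a > b ? 1 : 0);
  });
  return [
    `container\t${scan.container}`,
    "cve\tpackage\tversion\tseverity\tfixed_in",
    ...lines,
  ].join("\n") + "\n";
}

// Delta between the previous build's report and this one, so a delta
// review only has to look at what was introduced or resolved.
function reportDelta(previous, current) {
  const body = (r) => new Set(r.split("\n").slice(2).filter(Boolean));
  const [p, c] = [body(previous), body(current)];
  return {
    introduced: [...c].filter((l) => !p.has(l)),
    resolved: [...p].filter((l) => !c.has(l)),
  };
}

console.log(canonicalReport(scanRunA));
console.log(canonicalReport(scanRunA) === canonicalReport(scanRunB)); // true
```

Committing the canonical report alongside the build is what turns "re-scanned, nothing changed" into an empty diff and a genuine change into a handful of added or removed lines, which is the property the POA&M and delta-review inputs listed earlier depend on.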