Get the Latest DevSecOps Reference Architecture

Since releasing the DevSecOps Reference Architecture last year, I've received a ton of feedback from the community. I took the feedback and spent some time updating the architecture to roll in some suggestions. I'm happy to say I finished a new version of the reference architecture, and it's now available for download here.

Evolution of Ideas

Before discussing changes in the architecture, I need to point out that this diagram isn't a prescription for every organization on what they need to do to succeed in the adoption of DevSecOps practices. It should be considered a possibility diagram showing which security controls can be placed in a development pipeline, and where they should ideally sit to enable flow.

No matter what kind of reference architecture you look at when planning your pipelines, you'll never find one that matches your business or technical requirements exactly. This is because your products are your products, your developers are your developers, and your business requirements are your business requirements.

Since it was first released, there have been various changes to the reference architecture. In addition to suggesting new open source tools and other third-party applications that can be used in the DevSecOps tool chain, there are three major changes in this version.

Don't Stop Learning

The first change is the addition of a continuous education track. Continuous education is pivotal in the success of any team adopting DevSecOps practices. It's essential to provide people with instructor-led training, computer-based training, reference architectures, and other learning material so they can keep innovating on a day-to-day basis. This new track spans the entire length of the pipeline, all the way from an idea into production (and beyond).

I Forgot My Phone

I forgot mobile development tracks. Dammit. Coming from a person who started his DevSecOps journey implementing secure pipelines for mobile development - well, this is inexcusable. The mobile development track splits off in the delivery phase, details where Dynamic Analysis can be applied, and shows how mobile applications can be automatically deployed to vendor stores such as Google Play and the Apple AppStore. Security testing left of delivery is largely identical to that of any other application flowing through the pipeline, using tooling that supports mobile technologies and languages.

You're Out of Order

Finally, there were many places where controls were misplaced (like the firewalls) and where steps appeared out of sequence. I've corrected many of these areas thanks to the feedback of not just Developer Advocates in the industry, but also the DevOps and DevSecOps communities.

Check It Out

Head over here to get a copy of the newest DevSecOps Reference Architecture. Take it for a test drive using Draw.io, or look it over in PDF or PNG format. Most importantly, let me know your feedback. Continuous improvement is an essential part of community sharing.

Written by DJ Schleen

DJ is a DevSecOps Advocate