
Iron Bank Your DevSecOps for Continuous Software Assurance


DevSecOps has gained considerable momentum as the de facto process for formalizing and integrating security testing into the continuous integration and continuous deployment/delivery (CI/CD) process. By integrating security into the CI/CD process, organizations can automate security testing that triggers on each developer commit, avoiding the delays of a gated process or of tacking security on at the end.

CI/CD is the heartbeat of modern software development, and organizations recognize the need to stand up a CI/CD pipeline to automate and streamline their software delivery process.

DoD Modernizing Software Development

The Department of Defense (DoD) recognizes this shift in modern software development and is undergoing a digital transformation to increase mission agility in supporting warfighters and field operations. Delivering software capabilities every three to ten years makes it impossible to keep up with the pace of technology. As a result, DoD has launched an Enterprise DevSecOps initiative to modernize and transform its approach to software delivery.

Launching Enterprise DevSecOps Initiative

This initiative consists of several components designed to enhance software security, improve infrastructure capabilities, streamline IT processes, and modernize compliance processes to enable a DoD-wide continuous Authority to Operate.

As part of DoD’s Enterprise DevSecOps initiative, a central repository of authorized, hardened, and accredited containers of best-of-breed software development tools and capabilities was created. This central repository, known as Iron Bank, is designed to lower the barrier to fielding DevSecOps solutions across DoD software programs.

Given the recent and increasing threats against CI/CD toolchains and DevSecOps pipelines, as seen in the SolarWinds breach, DoD is looking to leverage Iron Bank to accelerate the adoption of DevSecOps and secure the software delivery process for all DoD software programs.

The Iron Bank repository will host both free and open source software (FOSS) and commercial off-the-shelf (COTS) software development tools. Containers in Iron Bank will be hardened according to the agency’s container hardening guide to allow DoD-wide reciprocity across classifications.

Parasoft SAST in Iron Bank

DoD software programs can power their CI/CD pipelines and toolchains with Parasoft C/C++test, the most complete static application security testing (SAST) solution for C and C++, which combines comprehensive analysis techniques (pattern-based analysis, data flow analysis, and abstract interpretation) to expose the critical vulnerabilities that often lead to cyberattacks.

It is currently hosted on Iron Bank’s GitHub as a Dockerfile and is intended to be used as a base image for C/C++ compiler toolchains. Both the standard and professional versions are available to help DoD software programs formalize SAST and unit testing capabilities as part of their software testing. Parasoft recognizes that the ability to develop, deploy, and continuously improve software is essential to national defense.

[Screenshot: Parasoft C/C++test Professional Iron Bank repository]

Parasoft C/C++test is ideal for embedded software development and can help enforce and validate security and quality compliance standards such as the Common Weakness Enumeration (CWE), the CERT Secure Coding standards, MISRA, and AUTOSAR, to name a few, as well as compliance validation for DISA STIG and OWASP.

A Growing Embedded Market

Recent studies project that the military (national defense) embedded systems market will grow from 1.4 billion in 2020 to 2.1 billion by 2025, a CAGR of 8.3% over that period.

Parasoft recognizes this growing demand and has committed significant resources to ensuring that its C/C++test SAST solution can be containerized to meet DoD hardening and security standards. This provides a unique opportunity for Parasoft to work with DoD software programs in meeting their mission objectives of digital transformation and modernizing software development practices to deliver assured software security at speed.

Iron Bank Your DevSecOps

Containerizing the Parasoft SAST solution provides the following benefits to DoD software programs.

  • Automates security testing in the CI/CD pipeline for code changes submitted by developers, keeping pace with the software delivery cadence.
  • Provides the ability to integrate security and compliance into DevOps tools and workflows, enforcing security and compliance standards and informing risk management decisions.
  • Improves collaboration between developers and security teams with remediation workflow analysis, detailed reporting of findings, code coverage details, and reporting analytics that pinpoint what matters most.
  • Supports Continuous Authority to Operate (cATO) activities by providing real-time visibility into the risks and metrics identified through security testing. This can be used to extend reciprocity across DoD software programs and to accelerate and inform cATO activities.
  • Provides in-depth analysis feedback, integrated into developers’ workflow, that guides developers in remediating vulnerabilities and improving coding practices.

These benefits are essential for helping DoD meet its mission needs and realize the possibilities of modern software development. Formalizing software security testing early, with a shift-left mindset, is non-negotiable for critical systems and must build on continuous software assurance principles. Do it early and do it often.

Written by

Kevin E. Greene

Kevin, Director of Security Solutions at Parasoft, has extensive experience and expertise in software security, cyber research and development, and DevOps. He leverages his knowledge to create meaningful solutions and technologies to improve software security practices.
