UNCLASSIFIED
68
UNCLASSIFIED
One popular open source product that implements FaaS for Kubernetes is Knative. Another open
source product is Kubeless. The DevSecOps Software Factories must offer Knative support.
They may also support Kubeless or another FaaS for Kubernetes.
6.4 Application Security Operations
This section focuses on the software application lifecycle in the production environment.
Continuous Deployment, Continuous Operation, and Continuous Monitoring are keys to
streamlined and secure operations.
6.4.1 Continuous Deployment
Continuous deployment is triggered by the successful delivery of released artifacts to the artifact
repository and may be subject to control with human intervention according to the nature of the
program application. The typical activities for continuous deployment include, but are not
limited to, deploying a new software release to the production environment, applying necessary
infrastructure and security configuration changes, running a smoke test to make sure essential
functionality is working, and performing security scans. Each activity is completed by specific
tools or configuration/orchestration scripts. The selection of tools and the
configuration/orchestration system depends on the application and the production platform. For
example, if the application is containerized and the production platform uses Kubernetes, the
orchestration is done by Kubernetes. In this case, the configuration scripts would be Kubernetes
Operators or Helm charts. On the other hand, if the application is VM based, the
configuration/orchestration tool could be Chef, Puppet or Ansible.
Continuous deployment interacts with other DevSecOps components, such as the artifact
repository for retrieving new releases, the log storage and retrieval service for logging
deployment events, and the issue tracking system for recording any deployment issues. The first-
time deployment may involve heavy infrastructure provisioning, dependency system
configuration (such as monitoring tools, logging tools, scanning tools, backup tools, etc.), and
external system connectivity (such as DoD common security services, etc.).
6.4.2 Continuous Operation
Continuous operation is an extension of continuous deployment. It is triggered by a successful
deployment to the production environment, so that it operates the latest stable software release.
The activities of continuous operation include, but are not limited to, system patching,
compliance scanning, data backup, system recovery if failure happens, and resource optimization
with load balancing and scaling. The selection of the tools that facilitate the activities are
application and environment dependent. The resource optimization heavily depends on the
underlying platform. A containerized application can rely on Kubernetes to automatically scale
containers across cluster nodes. On the other hand, a VM-based application with no containers
can rely on the underlying CSP’s scaling service.