DevSecOps Platform-Independent Model: Requirements and Capabilities
Abstract:
Just as products evolve and adapt over time in order to continuously provide value to their users in a secure and cost-effective way, so too must the DevSecOps pipeline. The DevSecOps pipeline's evolution is generally driven by changes to organizational business cases, stakeholder requirements, incremental process improvements, and risk mitigations. Given the socio-technical nature of a DevSecOps pipeline, an organization must be mindful of how it instantiates and evolves its DevSecOps pipeline in order to improve the pipeline's ability to effectively envelop participants, processes, and technologies in a secure way, while minimizing any negative side effects. The DevSecOps platform-independent model (PIM) outlines the activities necessary to consciously and predictably evolve the pipeline, while providing a formal approach and methodology for building a pipeline tailored to an organization's specific requirements. The use of a DevSecOps platform-specific model (PSM) allows organizations to perform trade-off analyses among alternatives prior to changing the current pipeline instantiation, thus minimizing negative disruptions to the organization's ability to predictably deliver and maintain its products. It allows the organization to reason through the impact of a change and to identify where the change should occur in order to provide the most value. To support the analysis and decision-making process, measures must be defined and the corresponding data collected in order to provide insight into the decision-making challenges associated with incorporating new capabilities and enhancements into a DevSecOps pipeline.