Text

Development, Security, and Operations (DevSecOps) Application Lifecycle Management (ALM) Tools Usage Policy for Agency Software Development

The NRC has completed the implementation of various ALM tools w ithin the DevSecOps pipeline. The Office of the Chief Information Officer (OCIO) e nsures that the usage of the agencys approved ALM tools and processes are instituted with a policy that provides consistent usage and standards for the Continuous Integration (CI) and Con tinuous Delivery (CD) throughout agencys system/application lifecycle. NRC DevSecOp s pipeline also includes system and application development, testing, production, and mo nitoring phases, and is designed to support and further develop the agencys adoption o f agile-based software development practices. The paragraphs below provide a high-leve l description of policy, concepts, processes, requirements, and tools surrounding NRCs ALM capabilities and DevSecOps methodologies.

There are two methods for developing software at the NRC:

1. Developing an application off-site on vendor provided infras tructure, or

2. Developing an application on-site in the Enterprise Developm ent and Test Environment (EDTE).

Either scenario requires applications source code to be maintained in a repository in the agencys Source Control Management (SCM) solution and tool. Al so, there must be a defined compile/build process for each software component in the SCM re pository and CI tool. This practice:

- Ensures that the software components source code is continuou sly validated in the respective project repositories.

- Facilitates and ensures traceability to determine what approve d software component source code is running in the Production Operating Environment (POE).

- Identifies enhancements in development or bugs to be fixed.

- Supports and promotes the adoption of agile-based software dev elopment concepts as well as the agencys DevSecOps methodology.

- Ensures source code vulnerability analysis has been completed at specified intervals.

Once the application development team onboards their compile/bu ild processes into the agencys SCM tool, the NRCs ALM team will orchestrate the spec ific automated deployment processes required by each application in order to deploy requi red artifacts across the pre-production and production environments using the current approv ed CD tool.

Additionally, NRC requires developer s to utilize approved security and functional testing tools early and throughout the development process to assist in minim izing security vulnerabilities, thereby avoiding delays at the end of the development process. The use of these tools also orchestrates functional and performance testing for all applica tions across NRCs enterprise.

System/Application Deployments:

To deploy the application artifacts from the compile/build onto any NRC production system, the following requirements and artifacts are necessary:

1. A clean security code analysis report, and static/dynamic ap plication security scan or test result.

2. A set of release notes providing all relevant information re garding enhancements and bugs being deployed.

3. A test and rollback plan.

The artifacts are required as part of any change request submis sion to the Change Control Board (CCB) so the CCB members can make educated decisions on a pprovals of the changes to be deployed into the production environment.

NRC DevSecOps Tools:

The following are brief descriptions of the type of functions s upported by various industry leading tools the agency has adopted to support the ALM process. They will help ensure the delivery of quality work products and services in support of NR C mission requirements for application software development:

Change Management

The agency has deployed an official tool used for issue trackin g and overall project management functions. The tool dashboard act as the users cent ral dashboard for tracking all activities in their project. Each team has an initial choice of using three standard workflows (Simple, Standard and Complex) that can be customized for speci fic needs or business processes. There is traceability to source control and softwar e builds to identify what code changes were made for each issue, bug, or improvement. All app lication technical documentation must be stored in the agencys approved applicati on technical documentation repository.

Collaboration

The agency provides a tool for ALM workspaces where project tea ms share knowledge and collaborate on projects. It allows project teams to create, cap ture, and collaborate on any project or idea and provides visibility into institutional knowledge an d access to the information needed.

SCM

The agency provides an official source code repository tool. A ll production source code must be actively updated in these repositories as software is being dev eloped and released to production. The SCM system is Git-based, the most widely used standard for source control management. It also provides a Git client that allows users to push and clone source control repositories to developers workstations. Additionally, the to ol provides issue, commit, and build traceability to the other agency ALM tools.

Build Management/CI

The agency provides an official build management/CI tool used t o orchestrate software builds and releases across the agencys environment lifecycle. The to ol organizes the development teams source code builds into plans and orchestrates source co de builds, automated testing, and deployments from a single console.

Automated Deployment/CD

The agency provides an official automated deployment/CD tool th at orchestrates the deployment of software release artifacts across the agencys en vironment lifecycle. The software release lifecycle is dev (EDTE), test, User Acceptance Testing (UAT)/Pre-production (pre-prod), then production (prod). Each application is broken up into components and delivered incrementally through the lifecycle.

Automated Testing

The agency deployed automated testing tools used to orchestrate functional and performance testing for all applications across the agency. A browser auto mation tool is provided that allows the user to record specific functional tests for web applicatio ns. A desktop tool is provided that can be configured to test web applications for performance base d on usage. A studio desktop application tool is also provided that can test desktop, web, a nd mobile applications. These tools integrate with build management/CI tools to allow for tra ceability across the entire suite of agency ALM tools.

Automated Provisioning and Configuration Management

The agency provides an automated provisioning and configuration management tool for cloud governance. The tool is used to implement Infrastructure as Co de & Compliance as Code to standardize the application server configuration across all env ironments. It also orchestrates middleware installations and configuration upon instance creati on in a cloud-based environment.

Dynamic Web Application Security Testing

The agency provides an automated, yet fully configurable, dynam ic application security testing tool that enables users to scan websites, web applications, and web services, to identify security vulnerabilities and application flaws. The tool can scan all t ypes of web applications, regardless of the platform or the language with which they are built.