DoD CIO Enterprise DevSecOps Reference Design - Summary
DoD Enterprise DevSecOps Reference Design from the DoD CIO – A Summary Content referenced from: https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release aims at unifying software development (Dev), security (Sec) and operations (Ops). The main characteristic of DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle: DevSecOps, testing and security are shifted to the left through automated unit, functional, integration, and security testing - this is a key DevSecOps differentiator since security and functional capabilities
0 credits | 8 pages | 3.38 MB | 6 months ago

MITRE Defense Agile Acquisition Guide - Mar 2014
and technologically advanced. That is the force for the future.” - Secretary Panetta, Defense Security Review, 5 Jan 12 iii Foreword Department of Defense (DoD) program managers and executives have Criticality Program supports a critical mission in which defects may result in loss of life or high security risks. Industry has relevant domain experience and Agile development expertise. Developer processes, and culture often run counter to those in the long-established defense acquisition enterprise. The Agile model represents a change in the way DoD conducts business, and programs must rethink
0 credits | 74 pages | 3.57 MB | 6 months ago

The DevOps Handbook
Operations to improve outcomes 2. Ch. 9 – Create the Foundations of Our Deployment Pipeline a. Enterprise Data Warehouse program by Em Campbell-Pretty - $200M, All streams of work were significantly behind automate tests to validate the “-ilities” that are important (availability, capacity, security, etc.) ii. Incorporate security hardening testing and evaluation m. PULL OUR ANDON CORD WHEN THE DEPLOYMENT PIPELINE rarely works at scale 10X or 100X d. USE THE STRANGLER APPLICATION PATTERN TO SAFELY EVOLVE OUR ENTERPRISE ARCHITECTURE i. Coined by Martin Fowler in 2004 ii. Strangler Application 1. Put existing functionality
0 credits | 8 pages | 23.08 KB | 6 months ago

A Seat at the Table: IT Leadership in the Age of Agility - Part 2
month, you can find this on the Agile4Defense GitHub page at: https://git.io/JeaOu Enterprise Architecture Enterprise Architecture, the domain of the IT bureaucrats, is the place we must look for the solution overrated. A Better Way – Treat IT as an Enterprise Asset (EA): When we add all of our current IT capabilities together, we arrive at an asset that enables the enterprise to earn future revenues and reduce they have produced. As a result, the code can be developed in a user-centric way and match the enterprise’s needs precisely. Risk is low, because the team is constantly adjusting. Option 2: Compare
0 credits | 7 pages | 387.61 KB | 6 months ago

A Seat at the Table - IT Leadership in the Age of Agility
Time in Part 2 Enterprise Architecture: The job of IT leaders is not to execute projects on behalf of the business; it is to steward the asset that is the total of all of the enterprise’s IT capabilities—an robust feedback cycles and flexible decision-making processes, by creating options and grooming enterprise capabilities so that they will be responsive to change, and by demonstrating the value of information Assets: senior IT leadership has the responsibility for stewarding three critical assets: the Enterprise Architecture asset, the IT people asset, and the data asset. These three assets represent the
0 credits | 7 pages | 387.48 KB | 6 months ago

A Seat at the Table - IT Leadership in the Age of Agility
intangible asset, which I will call – despite some disconcerting connotations of the term – the Enterprise Architecture. The asset view of IT will substitute for the outdated project view in my vision cannot be done in an Agile way without the strangler pattern. Coming up in Part Two Enterprise Architecture: Enterprise Architecture, the domain of the IT bureaucrats, is the place we must look for the hope. And that’s what this book is meant to be, really. About the Author Mark Schwartz is an Enterprise Strategist at Amazon Web Services and the author of The Art of Business Value and A Seat at the
0 credits | 4 pages | 379.23 KB | 6 months ago

The DevOps Handbook
5. Fatal – forces a termination iv. Examples of potentially significant events (Gartner’s GTP Security & Risk Management group) 1. Authentication/authorization decisions 2. System and data access feature as a hypothesis and use real users to prove/disprove the hypothesis 1. Barry O’Reilly, Lean Enterprise describes as: We Believe that Will Result in . We
0 credits | 8 pages | 24.02 KB | 6 months ago

Introduction to Security
Requirements for Teams Programs and the Enterprise (2011) and Scaling Software Agility: Best Practices for Large Enterprises (2007) Implementing agile practices at enterprise scale Synchronizes alignment, collaboration epics architectural epics kanban epic system – limit WIP program portfolio management, enterprise architect value streams investment themes - provide operating budgets for release trains
0 credits | 2 pages | 304.16 KB | 6 months ago

Open Discussion on Project Planning
these reviews should focus on the relatively small scope of a release and how it aligns to the enterprise architecture. Similar technical reviews can be decomposed to the release level. DO continuous
0 credits | 2 pages | 49.30 KB | 6 months ago

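HW Arsenal: Red Team Operations Handbook
[ listens on tcp port 22 by default, weak passwords, remote execution, backdoor implantation ] ORACLE [ listens on tcp port 1521 by default, weak passwords, leaked sensitive account credentials, privilege escalation, remote execution, backdoor implantation ] Mysql [ listens on tcp port 3306 by default, weak passwords, leaked sensitive account credentials, privilege escalation (only applicable to some older systems) ] REDIS [ listens on tcp port 6379 by default, weak passwords, unauthorized access, file write (webshell CVE-2019-13272 Privilege escalation via various third-party services / software tools Mssql [key] Oracle [key] Mysql DLL hijacking in various third-party software [key] suid permissions Scheduled tasks Exploiting various service misconfigurations 0x06 Intranet security [
0 credits | 19 pages | 1.20 MB | 1 year ago
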













