Using the DoD Enterprise DevSecOps reference design as our guide, Stratus has created a culture and practice that aims to unify software development, security, and operations. The main characteristic of our approach is to automate, monitor, and apply security at all phases of the software lifecycle: plan, develop, build, test, release, deliver, deploy, operate, and monitor.
We have shifted testing and security earlier in the lifecycle and throughout automated unit, functional, integration, and security testing. This results in a reduced mean time to production, increased deployment frequency, fully automated risk characterization, monitoring, and mitigation across the application lifecycle, and ultimately software updates and patching at "the speed of operations".
Leveraging a set of hardened DevSecOps tools and deployment templates, our personnel select the appropriate template for the program application capability to be developed. These templates are specialized around a specific programming language or around different types of capabilities such as web application, transactional, big data, or artificial intelligence (AI) capabilities.
Upon selection of the appropriate template and toolset, our personnel instantiate a DevSecOps software factory and the associated pipelines that enable Continuous Integration and Continuous Delivery (CI/CD) of the mission application.
At Stratus, we operate under the principles of zero trust and least privilege to ensure that only the appropriate information and access are available to those who have been authorized.
As emerging threats and CVEs are discovered and announced, it is critical to understand the real and potential impact new vulnerabilities have through service exposure in the environment. This triaging of threats allows for prioritization of the most critical vulnerabilities to facilitate rapid rollouts of fixes or mitigations.