As per clause 6.1/G1, agencies should consider adopting DevSecOps to:
Perform frequent changes to the system (such as quarterly) and regular releases to meet users' needs.
Deliver the system's features, bug fixes and enhancements faster through CI/CD.
Improve the quality and security of the system through "shift-left" practices and automated testing.
Remove silos and improve collaboration between the development and operations teams.
DevSecOps may not be relevant for:
Applications that have already been rolled out and are in maintenance mode with minimal change.
Commercial off-the-shelf (COTS) or Software as a Service (SaaS) tools that involve no coding.
Preparing for adoption
Agencies planning to adopt DevSecOps can look at the 3P – Practice, People, Platform – model shown below to achieve success.
Platform
Agencies should consider using the central Whole-of-Government (WOG) CI/CD toolchain in the Singapore Government Tech Stack (SGTS), such as SHIP-HATS, as the DevSecOps policy has been co-developed with the central tech stack. If an agency is planning to set up its own platform, it might want to look at the pricing analysis that the SHIP-HATS team has prepared for comparison.
Practice
This playbook outlines the necessary and relevant DevSecOps practices and highlights the policy clauses that agencies can fulfil with each of them.
People
People are an important asset, and agencies should ensure that the team is equipped with the relevant skill sets: automation, system and application security knowledge, and an agile mindset. This applies not just to practitioners; it extends to agency leaders and business users so that they can get the best out of it.
The table below defines some key roles and responsibilities for the team to consider. The list is not exhaustive. Team members can also double-hat and perform multiple roles, especially in a small development team. For example, the same person can hold both of the:
QA Engineer and Automation Engineer roles; or
System Security Engineer and Application Security Engineer roles.
However, the agency must ensure there is no conflict of interest: the developer who wrote a change cannot assign themselves as its reviewer.
| Role | Responsibility |
| --- | --- |
| Release Manager | Defines security gate requirements and ensures these requirements have been met before any release. |
| | Plans and manages release activities and release cycles for the system to handle risks and to pre-empt any issues that may impact release scope, schedule and quality. |
| | Coordinates release content and manages effort for the service request backlog, pending service requests, third-party applications or operating system updates, deployment plans and checklist execution. |
| | Manages release repositories and key information such as build and release procedures, dependencies and the notification list to coordinate work across teams. |
| | Makes continuous improvements to the release process and works with the development team to understand the impact of code branching and merging, to ensure alignment across the development team. |
| QA Engineer | Creates, executes and maintains automated test strategies and test cases/scripts. |
| | Ensures all environments required for testing are standardised and automated where possible. |
| | Performs periodic review of the automated test script/test case results and assesses the quality of all builds produced by the CI/CD pipeline. |
| | Continuously improves testing processes, test efficiency and techniques around test automation and integration with the CI/CD pipeline. |
| Automation Engineer | Develops scripts and sets up the automation tools used to build, integrate and deploy software releases to various platforms, including development and production environments. |
| | Automates the configuration management of development, quality assurance and production workloads, as well as the CI of the codebase and the CD of releases. |
| | Designs, builds, optimises and monitors the automation systems to identify system bottlenecks and production issues, so as to maximise service availability. |
| | Builds the automation framework for deployment, management and monitoring of applications, and maintains the configuration and deployment tools that auto-scale the application platform. |
| System Security Engineer | Plans, implements, monitors and manages the overall system security architecture. |
| | Performs threat and risk assessments and applies secure configuration profiles to the systems. |
| | Performs security checks such as infrastructure-level vulnerability assessment (VA) and troubleshooting. |
| | Employs best practices when implementing security controls within an information system. |
| Application Security Engineer | Plans, implements and manages the overall application security architecture. |
| | Performs application threat modelling on the applications. |
| | Ensures all security testing tools are updated to their latest security checklists (rule sets and vulnerability databases) before scanning code packages, applications and infrastructure components. |
| | Implements and executes automated SCA, SAST and DAST for applications. |
| | Triages application security findings. |
| | Performs penetration testing on the applications. |
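The security gate that the Release Manager defines, the SCA/SAST/DAST output that the Application Security Engineer triages, the requirement that scanners run with up-to-date rule sets, and the rule that a developer cannot review their own change can all be enforced as one pipeline step. The Python below is an added example written for this page; it is not SHIP-HATS code or part of the playbook. The finding format, the policy thresholds, the dates, the fingerprints and the user names are constructed assumptions, and a real gate would read its findings from the scanners' SARIF or JSON reports instead of the inline sample data.

```python
"""Release security gate (added example, not the playbook's own tooling).

Assumed inputs, all constructed: findings from SCA, SAST and DAST in a
minimal common shape; approved risk exceptions with expiry dates; the
date each scanner's rule set was last updated; and the change's author
and reviewers. The gate policy values are hypothetical defaults.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    tool: str          # "sca", "sast" or "dast"
    rule_id: str       # scanner rule that fired (constructed names below)
    severity: str
    location: str
    fingerprint: str   # stable id so an exception survives re-scans


@dataclass
class RiskException:
    fingerprint: str
    expires: date
    approver: str


@dataclass
class GatePolicy:
    block_at: str = "high"                       # block at this severity or above
    max_ruleset_age_days: int = 7                # rule sets must be at least this fresh
    required_tools: tuple = ("sca", "sast", "dast")


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)


def evaluate_gate(findings, exceptions, ruleset_updated, author, reviewers,
                  today, policy=GatePolicy()):
    """Return a GateResult; every blocking condition is listed in reasons."""
    reasons = []

    # 1. Separation of duties: the author may not review their own change.
    if not reviewers:
        reasons.append("no reviewer recorded for the change")
    if author in reviewers:
        reasons.append(f"author {author} cannot review their own change")

    # 2. Every required scanner ran, and its rule set is fresh enough.
    for tool in policy.required_tools:
        updated = ruleset_updated.get(tool)
        if updated is None:
            reasons.append(f"{tool} scan did not run")
        elif (today - updated).days > policy.max_ruleset_age_days:
            reasons.append(f"{tool} rule set is {(today - updated).days} days old")

    # 3. No finding at or above the blocking severity without a live exception.
    active = {e.fingerprint for e in exceptions if e.expires >= today}
    threshold = SEVERITY_RANK[policy.block_at]
    for f in findings:
        if SEVERITY_RANK[f.severity] >= threshold and f.fingerprint not in active:
            reasons.append(f"{f.tool}:{f.rule_id} {f.severity} at {f.location} "
                           f"(fingerprint {f.fingerprint}, no active exception)")

    return GateResult(passed=not reasons, reasons=reasons)


# Constructed sample data for the two scenarios below.
TODAY = date(2024, 6, 3)
SAMPLE_FINDINGS = [
    Finding("sca", "VULNERABLE-DEPENDENCY", "high", "package-lock.json: example-lib", "sca-1"),
    Finding("sast", "SQL-INJECTION", "critical", "app/db.py:42", "sast-7"),
    Finding("dast", "MISSING-HSTS", "medium", "https://staging.example.com/", "dast-3"),
]
SAMPLE_EXCEPTIONS = [
    RiskException("sca-1", expires=date(2024, 6, 30), approver="sec-lead"),  # still active
    RiskException("sast-7", expires=date(2024, 5, 1), approver="sec-lead"),  # expired
]
RULESETS = {"sca": date(2024, 6, 2), "sast": date(2024, 6, 1), "dast": date(2024, 5, 20)}


def failing_example():
    """Self-review, a 14-day-old DAST rule set and an expired exception all block."""
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, RULESETS,
                         author="alice", reviewers=["alice"], today=TODAY)


def passing_example():
    """Same change after the SQLi is fixed, DAST rules refreshed and a peer reviews."""
    fixed = [f for f in SAMPLE_FINDINGS if f.fingerprint != "sast-7"]
    fresh = {**RULESETS, "dast": TODAY}
    return evaluate_gate(fixed, SAMPLE_EXCEPTIONS, fresh,
                         author="alice", reviewers=["bob"], today=TODAY)


if __name__ == "__main__":
    for result in (failing_example(), passing_example()):
        print("PASS" if result.passed else "BLOCK", *result.reasons, sep="\n  ")
```

The fingerprint is what ties a triaged finding to its exception, so the exception keeps applying as the scan is repeated but lapses on its expiry date instead of silently becoming permanent. Keying the rule-set freshness check on each required tool also catches a scanner that was skipped entirely, which a check on findings alone would never see.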
Outsourcing Agile Projects
When outsourcing an agile project, use the Agile Tender template so that the requirements and deliverables are written to match agile development. If you are choosing SHIP-HATS as your platform, an AOR template is also available that you can include for budget approval.