Application Software Development

Taking secure systems to the next level

Axiologic Solutions has extended the standard DevOps software development lifecycle to securely develop all types of software (business applications, analytics, automation, tools, intelligent systems) in compliance with the RMF – thereby creating the Axiologic Solutions DevSecOps approach to application development.

Axiologic Solutions has overlaid security-specific best practices (e.g., ICD 503, RMF, systems engineering, NISTIR 8176, OWASP, SEI Architecture) on top of the traditional DevOps pipeline, creating a “secured shift left” software development lifecycle. No longer do we do security after the software is written or in a completely separate parallel process (à la RMF); security is explicitly performed in the various DevSecOps steps, and it is treated as a critical success factor. It is not optional or secondary to anything else. The goal is not only to produce software faster, but to produce high-quality software that is also secure. It is all about balancing speed, quality, and security.

There are a few areas critical to DevSecOps that software developers do not typically perform, and which we emphasize with mature approaches:

  • Threat modeling – an aspect of context analysis
  • Vulnerability assessment – evaluating any remaining vulnerabilities in the software after it is built
  • Architecture selection – identifying the best architecture style for a particular threat model, such as cloud computing, zero trust architectures and micro-services
  • Use of a cyber range – particularly for T&E/penetration testing exercises
  • Software architecture derivation – focused on secure architectures, of which there are many

We also expand the “as code” concepts for security, including “policy as code” and “compliance as code.” In “policy as code,” security policies are implemented in software using flexible mechanisms, such as configuration files and rules, rather than being hard-coded into application logic. This is a core feature of Zero Trust Architecture and of a Policy Enforcement Point. In “compliance as code,” security compliance checks are included in the software and can be verified and enforced using automation, instead of the traditional manual techniques.
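As an added illustration of both ideas (not code from Axiologic Solutions), the following Python sketch is a minimal policy decision point: the access rules are data that could be loaded from a configuration file, the engine evaluates them with a default of deny, and a separate audit function checks the rule set itself against a compliance requirement. The rule format, rule ids and request attributes are constructed for this example.

```python
"""Policy as code: rules are data, the enforcement logic is code."""
import json

# Constructed sample policy (in practice read from a versioned config file).
# First matching rule wins; anything unmatched is denied (zero trust default).
POLICY_JSON = """
[
  {"id": "admin-unmanaged-device", "resource": "admin/*", "effect": "deny",
   "when": {"device_managed": false}},
  {"id": "admin-console", "resource": "admin/*", "effect": "allow",
   "when": {"role": "admin", "device_managed": true, "mfa": true}},
  {"id": "reports", "resource": "reports/*", "effect": "allow",
   "when": {"role": ["analyst", "admin"]}}
]
"""
POLICY = json.loads(POLICY_JSON)


def _matches(pattern, resource):
    """Exact match, or prefix match for patterns ending in '/*'."""
    return resource == pattern or (
        pattern.endswith("/*") and resource.startswith(pattern[:-1]))


def _condition_holds(when, ctx):
    """Every key in the rule's 'when' clause must match the request context.
    A missing attribute never satisfies a condition (fail closed)."""
    for key, expected in when.items():
        actual = ctx.get(key)
        if isinstance(expected, list):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True


def decide(policy, resource, ctx):
    """Return (effect, rule_id) for a request; default deny if no rule matches."""
    for rule in policy:
        if _matches(rule["resource"], resource) and _condition_holds(rule["when"], ctx):
            return rule["effect"], rule["id"]
    return "deny", "default-deny"


def audit_policy(policy):
    """Compliance as code: ids of 'allow' rules on admin/* that do not require MFA."""
    return [r["id"] for r in policy
            if r["effect"] == "allow" and r["resource"].startswith("admin/")
            and r["when"].get("mfa") is not True]
```

Running `audit_policy` in the CI pipeline turns the "admin access requires MFA" requirement into an automated gate that fails the build when a non-compliant rule is committed.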