Focused Development & Streamlined Deployment via a Software Factory
KEY SCOPE AREAS
DevSecOps Platform capabilities and processes
for building software - including cloud services
• Provide continuous software development
• Enable the Coast Guard to rapidly deliver
software capabilities utilizing industry best
practices
• Streamline the identification and patching of the
most relevant common vulnerabilities and
exposures (CVEs) and threats
• Hand over the solution’s self-sustaining
technical capabilities and proficiencies to the
Government
KEY STATS
• Provides an enterprise-wide consolidated
DevSecOps platform for all Coast Guard systems,
supporting up to 200 concurrent users
• Permits the creation of reusable agency-wide
DevSecOps CI/CD pipelines across all projects
• Built-in flexibility to support dozens of best-of-breed
industry tools and the ability to expand the toolset
with market growth
• Performs build-level artifact analysis to facilitate
rapid identification and correction of code issues
early in the development lifecycle
• Supported by multiple Standard Operating
Procedures (SOPs) and training videos, allowing
USCG to fully sustain factory operations and growth
The US Coast Guard’s (USCG’s) Command, Control, Communications, Computers, Cyber and Intelligence Service Center (C5ISC) contracted with Karthik Consulting (KC) to collaboratively develop, test, implement, and sustain a Software Factory (SF) solution. USCG dubbed their solution the High Efficiency Rapid Modernization Network (HERMN), which embodies methods for translating commercial practices and DoD requirements into repeatable self-sustaining processes for establishing, growing, operating, and adapting scalable, high-quality, and secure in-house agile software operations.
Using a COTS DevSecOps platform as the foundation, KC developed modular extensions to give USCG the ability to realize quality and productivity gains on an enterprise-wide scale. By extending a modern COTS platform, USCG realized the best of both worlds: the proven stability of a commercial product; and supplements to that platform which can be configured to meet USCG’s varying project-specific needs. Furthermore, KC worked extensively with tool vendors and cloud providers to create a containerized solution that USCG could host in their own cloud account. This afforded USCG all the benefits of a modern cloud platform, combined with the security of a self-contained and complete solution managed by USCG. KC also developed training materials to facilitate the full transition of Software Factory operations to USCG and other contractor staff.
The SF provides an extended DevSecOps platform which weaves continuous and configurable security throughout development and operations, ultimately generating and supporting containerized cloud applications.
Configurable Security Controls
- Via Configuration as Code (CaC), teams customize built-in CI/CD pipeline gates to meet their project’s specific needs
- With specific values prescribed by the team, gate thresholds become more restrictive as code is promoted through the platform (e.g., DEV to TEST)
- Upon gate failure, the build automatically stops & provides detailed reports of the failure, allowing the team to focus on the appropriate corrections
Application Onboarding
- Customers can leverage the SF for their entire portfolio
- Teams can reuse pipelines, tools, and gates among applications – or can configure new settings based on the application’s tech stack, Impact Level, or other profile characteristics
Continuous Scanning
- By creating and tracking each application’s Software Bill of Materials (SBOM), the SF facilitates continuous security - scanning for and proactively addressing new CVEs as they surface in industry
Staged Hardened Containers
- The solution provides a repository of hardened baselined images, thus minimizing the attack surface & increasing the velocity of delivery
- The SF creates hardened container images as output, which teams can subsequently install in their environment(s)
Policy as Code (PaC) / Infrastructure as Code (IaC)
- Pipelines automatically enforce machine-coded policies (YAML/JSON) to “shift left” and identify infrastructure & configuration issues early in the SDLC
- Policies are enforced at two levels: cloud infrastructure; and for Kubernetes workloads
- Users can configure the automated remediation of violations
Full Support for Operations
- Provides Continuous Monitoring of the SF’s pipelines and the applications deployed inside its boundary
- KC maintains a library of documents to permit organizations to operate their self-hosted SF
- Includes SOPs, training videos, and onboarding guides
Sample tools are noted. The SF’s flexible design is tool agnostic.
BETTER SECURITY
• Factory tools provide feedback to developers to correct the most important security threats in their code, thus turning data (generated from various scanners) into actionable information.
• Beyond improved security, customers realize cost and time savings since the SF focuses development efforts on the most important security issues.
• With drift detection tools and continuous scanning of deployed applications, the solution can proactively detect and remediate security issues in runtime environments.
TIME SAVINGS / IMPROVED CUSTOMER SATISFACTION
• This visibility gives Project Managers and executives insight into the quality of the organization’s IT portfolio as well as areas for improvement (training).
• Thus, the SF enables continuous quality improvement of the organization’s IT assets and staff.
• Importantly, with faster deployments of new secure versions of applications, organizations can better meet their mission.
COST SAVINGS
• In development (Dev) with reusable CI/CD pipelines & tools, configured/tailored to an application’s tech stack
• In security (Sec) with the build process automatically stopping on gate failure, preventing downstream issues
• In operations (Ops) with application upgrades and patches to address newly surfaced security concerns, application enhancements, and remediations for detected issues
With earlier detection and greater automation comes reduced labor costs, allowing customers to allocate budgets to other applications and enhancements, thus improving customer satisfaction
QUALITY IMPROVEMENTS
• A robust & reusable CI/CD toolset, coupled with powerful artifact analysis, facilitate improvements in application quality via developer-tailored feedback.
• By providing developers with a single pane of glass (dashboard) which ingests, processes, and displays the appropriate data from the CI/CD lifecycle and toolset, the SF identifies security issues much earlier in the SDLC – thereby helping developers address those issues more efficiently with higher quality, including design changes.
Take a look at what KC is doing to contribute to global cyber security, agile software development and cloud services.
ABOUT US
Our Cyber Security, Software Development and Program Management focus areas (and work methodology) ensure that we can deliver not just solutions, but architecture that scales and grows with the customer's needs over time. We are able to assist in projects ranging from short advisory engagements to assembling a full team to deliver a solution from concept through implementation and on-going management. KC has access to industry experts in various technologies and teaming partners to meet any of your IT challenges. The vision of KC is to bring the innovation, passion and agility of the commercial IT industry to meet the unique challenges of the federal government. We are a DOD Cleared Facility with a DCAA-approved accounting system.
Felix Martin, 571 435 7632 fmartin@karthikconsulting.com
CAGE: 56GH3
DUNS: 828199880 UEI: FGNNM7KNUPF6
PRIME CONTRACT VEHICLES:
GSA MAS
GSA OASIS Pool 1 and 3
NIH CIO-SP3 8(a) & SB
GSA STARS III 8(a)
Air Force SBEAS
Army RS3
Navy Seaport-NexGen
FAA eFAST
