Software factory

Source(s):

Software Supply Chain Imperatives

Evaluation of every software supply chain must consider a series of imperatives that span development, security, and operations – the pillars of DevSecOps. Regardless of the specific software factory reference design that is applied, there is a core set of imperatives that must always be present. These imperatives include:
• Use of agile frameworks and user-centered design practices.
• Baked-in security across the entirety of the software factory and throughout the software supply chain.
• Shifting cybersecurity left.
• Shifting both development tests and operational tests left.
• Reliance on Infrastructure as Code (IaC) and Configuration as Code (CaC) to avoid environment drift between deployments.
• Use of one or more clearly identifiable CI/CD pipelines.
• Adoption of Zero Trust principles and a Zero Trust Architecture throughout, covering both north-south and east-west traffic.
• Comprehension and transparency of lock-in decisions, with a preference for avoiding vendor lock-in.
• Comprehension and transparency of the cybersecurity stack, with a preference for decoupling it from the application workload.
• Centralized log aggregation and telemetry.
• Adoption of at least the DevOps Research and Assessment (DORA) performance metrics, defined in full in the section Measuring Success with Performance Metrics.
Last update: 22 April 2023
Created: 22 April 2023