A “hardened” version of CloudBees’ Jenkins continuous integration (CI) platform has met the requirements of the Air Force’s Certificate to Field (CtF), allowing the software to be used in security-sensitive U.S. Defense Department (DoD) projects. Organizations outside the DoD with critical security needs may also consider using this version of the software.
The U.S. Air Force’s Platform One program manages the certification program.
Formerly known as CloudBees Core, CloudBees CI’s hardened Docker container image is stored in the Department of Defense Centralized Artifact Repository (DCAR). Development teams within the DoD, or outside civilian contractors with clearance, can access the hardened Docker container image in DCAR. Understandably, the Docker container image’s associated libraries and components are continually scanned and monitored for security vulnerabilities. For example, if a team uses a library for HTTP communication between a CloudBees CI master and an agent, functionality within CloudBees CI ensures that secure ports and protocols are used at both ends, CloudBees said.
“As to whether the secure Jenkins will automatically result in more secure code, you’d hope so in that it should audit the code against the standards being applied,” Clive Longbottom, an analyst for Longbottom and Associates, said. “However, I wouldn’t depend on it myself — I would still want to ensure that all developers in such an environment understand military security as a concept and as a practical environment.”
The DoD has highly specific security requirements that are also “not necessarily the same as a standard organization would need or want,” Longbottom said. “As such, if the DoD secure version is more expensive than the more ‘basic’ versions, I’d go basic. Only those organizations where their needs are the same as a military environment, such as oil and gas exploration or pharmaceutical development, will really need the capabilities.”
CloudBees’ CI platform, which meets the DoD container specifications, is also part of the DoD’s mission to improve the software development capabilities of the U.S. military and government and to support DoD DevSecOps processes, Nicolas Chaillan, Air Force chief software officer and co-lead for the DoD Enterprise DevSecOps Initiative, said.
In a recent podcast hosted by Brian Dawson, Chaillan said a core part of the DoD’s DevSecOps mission, reflecting a prevalent goal in the private sector, is to remove structural silos from DevOps pipelines.
“I think the reason why we’ve been quite successful in the adoption of DevSecOps is really building this centralized team and making this a centralized enterprise service. I think people that don’t do that and let each team do whatever they need is just slowing them down,” Chaillan said. “I think you need to be able to bring that kind of enterprise service concept for DevSecOps, while not having a one-size-fits-all, so providing options, not too many, not too few…that’s difficult to understand.”
CloudBees is a sponsor of The New Stack.