Kicking Off Your DevSecOps Software Factory Part 1 (Activity 3.2.1)
You must ensure what you build is inherently secure. This brings us to a fundamental shift in software development, captured in Zero Trust Activity 3.2.1: Build DevSecOps Software Factory Part 1.
This activity recognizes that security cannot be an afterthought; it must be embedded directly into the software development lifecycle. The DoD Enterprise takes the lead by providing best practices for modern DevSecOps processes and CI/CD (Continuous Integration/Continuous Delivery) pipelines. The core idea is to apply these concepts in a standardized technology stack across DoD Components, ensuring consistency and enabling the organization to meet future Application Security requirements from the earliest stages of development (requirements gathering) through design, development, testing, and deployment.
This activity is vital because it shifts security “left”, which means security considerations are addressed earlier in the development process. By integrating security controls and testing into automated pipelines, vulnerabilities are identified and remediated before applications ever reach production, significantly reducing the attack surface.
The outcomes for Activity 3.2.1 Part 1 highlight the foundational steps in this transformation:
- Developed security best practices for DevSecOps and CI/CD pipelines.
- Vulnerability management is integrated into CI/CD pipelines.
The ultimate end state emphasizes the systemic change: Implementing consistent and well-defined processes and controls for DevSecOps. This paves the way for building inherently more secure applications that align with Zero Trust principles from day one.
Solutions for Achieving Build DevSecOps Software Factory Part 1 (Activity 3.2.1)
Implementing Activity 3.2.1 requires defining new processes, adopting a standardized technology stack, and integrating security tools directly into the development pipeline.
- Establishing DevSecOps Best Practices and Policies:
- The Enterprise defines a comprehensive set of security best practices for all stages of the DevSecOps lifecycle. This includes guidelines for secure coding, secure design principles (e.g., least privilege, secure defaults), and integration of security testing.
- Develop policies for mandatory security gates within the CI/CD pipeline (e.g., no build proceeds if critical vulnerabilities are found).
- Implementing a Standardized CI/CD Pipeline Infrastructure:
- Adopt a common set of tools and platforms for your CI/CD pipelines across Components. This promotes consistency in how software is built, tested, and deployed securely.
- The pipeline serves as the automation engine for embedding security.
- Integrating Vulnerability Management into CI/CD Pipelines:
- Integrate automated security testing tools directly into your CI/CD pipelines to identify vulnerabilities early and continuously. This typically combines Static Application Security Testing (SAST) in the code commit/build phase to analyze source code, Software Composition Analysis (SCA) to flag known-vulnerable third-party dependencies, and Dynamic Application Security Testing (DAST) in staging environments to test the running application. Findings from each stage feed the same gate policy, so a build is blocked on the same severity rules regardless of which scanner produced the finding.
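The mandatory security gate and the scanner integration described above can be implemented as a single pipeline step that reads normalized findings and fails the stage when the policy is violated. The following is an added example written for this page, not DoD or any vendor's code. It assumes each scanner's native output has already been converted into the flat record shape shown in SAMPLE_FINDINGS (that adapter is tool-specific and not shown); the severity names, per-tool thresholds, rule names and accepted-risk entries are illustrative assumptions. The policy itself is plain data kept beside the pipeline definition, which is the policy-as-code pattern in practice.

```python
"""CI/CD security gate: apply a severity policy to SAST/SCA/DAST findings.

Added example for this page (not DoD or vendor code). Assumes findings were
already normalized to {tool, rule, severity, location}; rule names, thresholds
and accepted-risk entries below are illustrative assumptions.
"""
from __future__ import annotations

import json
import sys
from collections import Counter
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Policy as code: version-controlled next to the pipeline. Per-tool thresholds
# let the commit-time SAST gate be stricter than the staging DAST gate without
# separate scripts. (Assumed values.)
POLICY = {
    "block_at": {"sast": "high", "sca": "high", "dast": "critical", "container": "high"},
    "max_medium": 10,  # more than this many medium findings also blocks
    # Accepted risks must name a rule and carry an expiry; once expired they
    # stop suppressing the finding instead of silently living forever.
    "accepted_risks": {"example-rule-hardcoded-secret": date(2025, 12, 31)},
}

# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    {"tool": "sast", "rule": "example-rule-sql-string-concat", "severity": "high",
     "location": "app/db.py:42"},
    {"tool": "sast", "rule": "example-rule-sql-string-concat", "severity": "high",
     "location": "app/db.py:42"},  # same finding reported by a second SAST run
    {"tool": "sast", "rule": "example-rule-hardcoded-secret", "severity": "critical",
     "location": "app/config.py:7"},
    {"tool": "sca", "rule": "example-advisory-1", "severity": "medium",
     "location": "requirements.txt:requests"},
    {"tool": "dast", "rule": "example-rule-missing-csp", "severity": "medium",
     "location": "https://staging.example/"},
]


def fingerprint(finding: dict) -> tuple:
    """Identity used to collapse the same finding reported more than once."""
    return (finding["tool"], finding["rule"], finding["location"])


def evaluate(findings: list[dict], policy: dict = POLICY, today: date | None = None) -> dict:
    """Apply the gate policy and return a structured verdict.

    Fails closed: a finding with an unknown severity or from a tool that has
    no policy entry blocks the build rather than being ignored.
    """
    today = today or date.today()
    unique = {fingerprint(f): f for f in findings}
    blocking, warnings, accepted, unknown = [], [], [], []
    for f in unique.values():
        sev = f["severity"].lower()
        if sev not in SEVERITY_RANK:
            unknown.append(f)
            continue
        expiry = policy["accepted_risks"].get(f["rule"])
        if expiry is not None and today <= expiry:
            accepted.append(f)
            continue
        threshold = policy["block_at"].get(f["tool"])
        if threshold is None:
            unknown.append(f)
            continue
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]:
            blocking.append(f)
        elif sev == "medium":
            warnings.append(f)
    medium_overflow = len(warnings) > policy["max_medium"]
    return {
        "blocked": bool(blocking or unknown or medium_overflow),
        "blocking": blocking,
        "warnings": warnings,
        "accepted": accepted,
        "unknown": unknown,
        "by_tool": dict(Counter(f["tool"] for f in unique.values())),
    }


def gate_exit_code(verdict: dict) -> int:
    """0 lets the pipeline continue; 1 fails the stage (the CI runner sees non-zero)."""
    return 1 if verdict["blocked"] else 0


def main(argv: list[str]) -> int:
    # Usage: python gate.py findings.json   (falls back to the sample findings)
    findings = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_FINDINGS
    verdict = evaluate(findings)
    print(json.dumps(verdict, indent=2, default=str))
    return gate_exit_code(verdict)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points matter more than the thresholds themselves: the gate fails closed (an unmapped tool or severity blocks rather than passes), and accepted risks expire, so a waiver granted during one release cannot quietly suppress the same finding in every later build. Deduplicating by fingerprint keeps a finding reported by two scanners from being counted twice against the medium-finding ceiling.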
Relevant Technologies and Tools:
- CI/CD Automation Servers/Platforms: Orchestrate the entire build, test, and deploy process.
- Code Repositories: Store and manage source code, enabling automated triggers for CI/CD pipelines.
- Security Testing Tools: Static Application Security Testing (SAST), Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST) tools.
- Container Security Tools: For containerized applications, these scan container images for vulnerabilities and misconfigurations.
- Vulnerability Management (VM) Platforms: Centralize vulnerability findings from security testing tools for prioritization and tracking remediation.
- Policy as Code (PaC) Tools: Define and enforce security and compliance policies directly in code, integrated into the pipeline.
- Artifact Repositories: Store built software artifacts securely.
For the Technical Buyer:
Activity 3.2.1 is your strategic investment in embedding security directly into the DNA of your software development process. It’s about moving from finding vulnerabilities late in the cycle to preventing them earlier and automating their detection throughout the CI/CD pipeline. For technical buyers, success here means prioritizing the adoption of a standardized DevSecOps technology stack and integrating automated security testing tools (SAST, SCA, DAST) directly into your pipelines. This ensures that security best practices are enforced by design and that vulnerability management is a continuous, automated part of your software factory. This foundational activity is essential for consistently delivering secure applications, significantly reducing risk, and aligning your development processes with the principles of Zero Trust.
Pillar: Application & Workload
Capability: Secure Software Development & Integration
Activity: 3.2.1 Build DevSecOps Software Factory Part 1
Phase: Target Level
Predecessor(s): None
Successor(s): 3.2.2 Build DevSecOps Software Factory Part 2