KR1 - DevSecOps Modelling Language (DOML)

Model the different elements of the application, data of the application and infrastructure by making use of abstractions 

  • Problem:

The problem that we are addressing is to improve the ability of (non-)expert DevSecOps teams to model provisioning, deployment and configuration needs in complex contexts by providing a set of abstractions of execution environments and composing them into machine-readable representations. 

  • Solution:

DOML is the end-user language enabling the modelling of deployment and configuration of complex infrastructural software in a way that can then be transformed by the ICG [KR3] into executable IaC. Such a language allows DevSecOps teams to select and combine abstractions with the purpose of creating a correct infrastructure provisioning, configuration management, deployment and self-healing model.

  • Value:

The DOML language for expressing user-defined properties allows DevSecOps teams to select and combine abstractions with the purpose of creating a proper infrastructure provisioning, configuration management, deployment and self-healing model.

KR2 - PIACERE Integrated Development Environment (IDE)

A single window to access PIACERE’s innovative technology and to allow DevSecOps teams to better leverage all its benefits in an easy manner 

  • Problem:

It is usually hard to bring all the tools together so that customers can work more comfortably, ensuring efficiency through ease of use.

  • Solution:

The PIACERE IDE is built with the purpose of creating a user-friendly environment to enable the creation of DOML models [KR1], their verification through AVT [KR5], the generation of the corresponding IaC through the ICG [KR3], the security code inspector [KR6], the security components inspector [KR7] and the DOML extension mechanisms [KR4]. The IDE will also incorporate the DOML Extension Mechanisms, which will enable expert users in operational aspects to extend DOML to account for new technological evolutions.

  • Value:

The IDE is an open-source integrated framework gathering key results of PIACERE in a unique environment extensible to new tools. 

KR3 - Infrastructural Code Generator (ICG) 

You can generate infrastructural code from models written in DOML

  • Problem:

There are many IaC languages, and it is difficult to know them all. 

  • Solution:

The ICG is a code generator, built in the context of PIACERE, which will transform the models into infrastructural code in different IaC languages.

  • Value:

The ICG is versatile, covering the more common IaC languages, and is extensible through new templates to support new primitives and new target platforms.

KR4 - DOML Extension mechanism (DOML-E) 

We provide you with the means for new IaC languages, protocols, elements and so on to be included in PIACERE so as to ensure the longevity of the solution 

  • Problem:

The state of the art in cloud computing evolves fast, which calls for mechanisms that allow easy extension, adding more concepts and properties to the existing ones.

  • Solution:

The DOML extension mechanisms (DOML-E) set up the basic elements that will allow the creation of new concepts and properties in the top layers. They allow end users to create new concepts that are not currently available in DOML, extending its functionality.

  • Value:

DOML-E makes it easier to support extensions for future protocols, infrastructure and network elements, and languages. The provided extensibility mechanisms (DOML-E) shall ensure the sustainability and longevity of the PIACERE approach and tool-suite (new languages and protocols that can appear in the near future).

KR5 – Verification Tool (VT)  

Apply static analysis to both the abstract model and the related infrastructural code, to execute

  • Problem:

It is sometimes difficult to identify incorrect models and code 

  • Solution:

VT is a suite of static analysis and model checking tools that aim to support verification of the correctness, safety, performance and data transfer privacy of all application components.

  • Value:

The main advantages of VT translate into the safety, performance, and privacy properties related to the exchange of data 

KR6 – IaC Code Security Inspector 

Check the IaC code against known cybersecurity issues, consistency checks and other quality verifications according to identified best practices 

  • Problem:

Misconfigurations and insecure coding and configuration patterns are common and, as of now, there is little to no way of checking the correctness of deployment scripts written by users. As such, trust in automated deployment systems is very limited, especially when approaching new users/customers who have no experience in automated or continuous deployment systems. The verification tool provides an automated solution for checking the integrity and applicability of IaC code that is to be deployed on an infrastructure.

  • Solution:

The IaC Code Security Inspector is an analyser of the IaC and the application code (when available), using Static Analysis Security Testing (SAST) tools and checking the IaC code against known cybersecurity issues (misconfigurations, use of non-secure libraries, non-secure configuration patterns), consistency checks and other quality verifications according to identified best practices.

  • Value:

Automatic static code inspection is done by verifying the IaC code for errors through the VT, which reports back to the user with a set of error reports and recommendations on where the inefficiencies in the code are. The main selling point of the solution is that this step in the deployment process can be fully automated and integrated into the deployment pipeline, or done manually as a one-off process for a selected part of the IaC code.

KR7 – Component Security Inspector 

Also analyses the IaC code, reporting the potential vulnerabilities and proposing potential fixes

  • Problem:

The dependencies of the IaC and application code carry the danger of including infected programs and libraries with known vulnerabilities.

  • Solution:

An analyser and ranker of components (libraries, middleware) from a security point of view, able to detect included programs and libraries with known vulnerabilities by querying public vulnerability databases, and to produce a report for the PIACERE user.

  • Value:

The assurance provided by analysing the dependencies of the target application to check for security vulnerabilities.

KR8 - Canary Sandbox Environment (CSE)

We allow unit testing of the behaviour of the infrastructural code in an isolated environment, which enables the simulation of production environment conditions and the identification of some of the most common anti-patterns

  • Problem:

Currently there is no out-of-the-box solution for making a test deployment with real infrastructure, but in a sandbox (controlled) environment.

  • Solution:

The Canary Environment provides a controlled environment based on OpenStack, which allows deploying a real application in a controlled way to run all of the tests (functional, security, performance, etc.) in this environment before deploying to production.

  • Value:

Currently, the only option is to deploy directly to the cloud, without any ability to verify that the environment is similar to the production one. The Canary Environment allows controlled deployments and tests before deployment to the production environment, which will minimize the negative impact on production in case of bugs or misconfiguration.

KR9 - IaC Optimized Platform (IOP) 

Obtain the most appropriate deployment configurations that best meet the defined constraints, out of the DevSecOps catalogue of services, resources and infrastructural elements, by means of optimization algorithms.

  • Problem:

The main problem is to develop a tool flexible enough to be able to meet the different heterogeneous needs of the users. Each user has his/her own needs, and the IOP should provide solutions adapted to these needs. 

  • Solution:

The IOP provides the user with the possibility of obtaining optimized deployments based on his/her needs. The IOP is flexible enough to allow the user to define which objectives should be optimized (such as the cost and the performance), and which are the main requirements that should be met (such as a minimum availability or the use of the resources of a certain provider). The solutions are provided to the user in a ranked way, so that he/she can choose the one that best fits his/her needs.

  • Value:

The IOP is an optimization tool capable of modelling and solving single-objective, multi-objective and many-objective optimization problems, depending on the user's needs. The user can also introduce non-functional requirements, requiring the algorithm to build the optimization search space accordingly.

KR10 - IaC Execution Manager (IEM)

Automatically plan, prepare, and provision the infrastructure and plan, prepare, and install the corresponding software elements needed for the application to seamlessly run 

  • Problem:

Develop and maintain infrastructure as code for heterogeneous infrastructures and different phases (configure, provision, deploy, orchestrate), supporting multilingualism with one tool. The IEP also allows re-deploying new infrastructural code for a new configuration of the same application automatically, without manual intervention.

  • Solution:

The IEM provides a common interface to deploy multilingual IaC projects from within a common environment. It provides means for the deployment, redeployment, and tearing down of the different infrastructural devices and applications of a given project. In addition, it supports the provisioning, configuration, and orchestration of the production deployments. 

  • Value:

The IEM provides a tool for automatic, parametrizable, and therefore faster and easier execution, orchestration and deployment of IaC code on heterogeneous (cloud) environments, with the unique feature of supporting partial re-deployments and reconfigurations. 

KR11 - PIACERE Self-learning and self-healing mechanisms

Ensure that the conditions of the QoS are met at all times and that a failure or non-compliance of NFRs is not likely to occur 

Problem: 

Solution: 

Value: 

KR12 - Runtime security monitoring

Verify any security violation at runtime 

  • Problem:

Need for a monitoring stack for the run-time conditions so that the self-learning and self-healing mechanisms can be fed.

  • Solution:

A monitoring system capable of detecting security-related events and incidents in the deployed application's environment. It is (to the extent possible) deployable automatically and notifies users about security alerts.

  • Value:

This monitoring system allows the creation of informative metrics/variables with significant discriminative power.

KR13 - PIACERE DevSecOps framework

Integrate all KRs into a single platform and a comprehensive DevSecOps methodology for IaC

  • Problem:

Lack of a robust and comprehensive DevSecOps methodology that can support developers in the implementation of workflows and technologies.

  • Solution:

An integrated framework with all KRs in the PIACERE DevSecOps methodology, supported by state-of-the-art research and development.

  • Value:

To have a comprehensive DevSecOps framework based on a robust methodology in which to appropriately build technologies and workflows.

KR14 - PIACERE Use cases

We offer PIACERE partners the possibility to assess the usefulness and suitability of the PIACERE approach and toolset in real industrial cases from important and challenging application domains 

  • Problem:

Due to the novelty of the DevSecOps paradigm, there is a lack of examples across industries where the efficiency could be evaluated and that could serve as a vehicle for implementation.

  • Solution:

The implementation of the above KRs in the distinct contexts of smart logistics, 5G telecommunication and public administration. 

  • Value:

The evaluation of efficiency from the implementation of the DevSecOps methodology, technologies and workflows, followed by success stories and best practices.