The significance of software has recently grown to the point of merging the role of software developers with that of infrastructure operators. The main focus of this merged role is the automation of infrastructure-related activities through trustworthy software (secure, correct and reliable IaC). This has given birth to the Infrastructure as Code trend, considered the engine of the DevSecOps movement.
DevSecOps is an organizational change that consists of using software engineering tactics that reduce the technical and organizational distance between development and operation, leading to the creation of a single, well-coordinated team of people. It also stands for the correctness, trustworthiness and security of the code throughout its entire development and operation lifecycle.
Figure 1. PIACERE KRs' value chain
Our main goal is to allow the DevSecOps team to work with infrastructural code as they do with traditional application code, starting from the definition of requirements for the infrastructure (such requirements are expressed in terms of the technical capabilities the application-level software should offer) through to the design, implementation, verification, deployment, testing, operation and monitoring of such infrastructural code. PIACERE is designing and implementing tools for IaC developers to realize the DevSecOps approach as a set of Key Results (KRs).
As part of the PIACERE exploitation strategy, we have grouped these KRs into Exploitable Results (i.e., the innovation assets produced in the lifetime of the project with the biggest potential in either an OSS community context or a commercial context) across the three phases Dev/Sec/Ops.
We have also prioritized them based on an internal analysis within the consortium, considering different relevant aspects such as IP rights, the partners' interest in commercialization, market watch and competitors' analysis, among others.
As part of this reflection, we have ended up with the first triplet of PIACERE Key Exploitable Results, one per phase, for each of which a detailed exploitation roadmap has been designed. In the upcoming months, new Key Exploitable Results will be added to this list, enriching the dimensional view of each KER.
KER 1: IaC DEV
DOML - DevSecOps Modelling Language - Improve the ability of (non-)expert DevSecOps teams to model provisioning, deployment and configuration through the abstraction of execution environments
DOML improves the ability of (non-)expert DevSecOps teams to model provisioning, deployment and configuration needs in complex contexts by providing a set of abstractions of execution environments and composing them into machine-readable representations. It allows DevSecOps teams to select and combine the abstractions with the purpose of creating a correct infrastructure provisioning, configuration management, deployment and self-healing model.
KER 2: IaC SEC
IaC Code Security Inspector (ICSI) - Regain trust in IaC through the automation of IaC code quality checking for errors, thus improving IaC integrity and applicability
The ICSI technology can check the IaC code for errors and report back to the user with a set of error reports, as well as recommendations on where the code is inefficient. With it, PIACERE is addressing the lack of tailored solutions, provided by the verification tools, for checking the integrity and applicability of IaC code to be deployed on an infrastructure; this lack leads to very limited trust in automated deployment systems.
KER 3: IaC OPS
IaC Execution Manager (IEM) - Avoid vendor lock-in and time-consuming manual processes in infrastructure management, while increasing resilience and supporting self-healing
IEM helps to develop and maintain infrastructure as code for heterogeneous infrastructures and different phases (configure, provision, deploy, orchestrate), supporting multilingualism with one tool. It is a platform to automatically plan, prepare, and provision the infrastructure and to plan, prepare, and install the software elements needed for the application to run seamlessly.