Enhancing Container Security
DoD’s highly-automated Container Factory takes container instructions from the Repo One source code repository and validates and hardens the images. Hardened containers and documentation are then stored in the Iron Bank centralized artifacts repository. This process provides all DoD programs with ready access to hardened containers without having to continuously recertify. Applications running in these containers have been vetted and granted an Authority to Operate (ATO). Multiple USAF Programs, including the F-35 program, use these containers to support secure program development and operations.
Atlassian and Ascend have been working together to build and deploy hardened containers for Atlassian’s applications. DoD container hardening begins with an approved base operating system and an automated build, test, and scan process. Containers are first built and tested locally from pre-defined instructions, then scanned for vulnerabilities and exposures.
Ascend’s JetDock secure DevOps tool provides a centralized portal for automating the security scanning, build-out, and deployment of hardened containers. After the vulnerability scans, JetDock removes duplicates, false positives, and cleared vulnerabilities, providing an organized and graded list of containers. Any DoD agency or department can pull approved container images from Iron Bank and use the application in their own environments.
Continuous Security Measures
Hardening containers is an ongoing process, requiring images to be regularly updated so that their security functionality is kept current. JetDock monitors public repositories to detect when a new version of an Atlassian tool is released and updates the container build files accordingly. After running a test build and scan, JetDock reconciles the security findings with previously answered, justified, and closed issues. The system then suggests possible justifications for new scan findings and provides a list of findings that require human attention. New justifications are stored for future automated scans.
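The reconciliation step described above, written out as an added example (this is not JetDock's code or any Iron Bank tooling, and the finding and justification records, the package names and the CVE-style identifiers are all constructed placeholders): scan output is deduplicated, each finding is matched against the store of earlier justifications, exact matches with a still-valid justification are closed automatically, a finding whose earlier justification said "fixed" is treated as a regression and sent back for human review, and a finding with the same identifier but a different package is only suggested, never auto-closed.

```python
"""Reconcile container vulnerability-scan findings against stored justifications.

Added example, not JetDock's or Iron Bank's own code. The data formats and all
identifiers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    image: str
    finding_id: str   # scanner rule id or CVE-style id (placeholder values here)
    package: str
    version: str
    severity: str


@dataclass(frozen=True)
class Justification:
    finding_id: str
    package: str
    reason: str
    status: str       # "justified", "false_positive" or "fixed"


# Lower rank sorts first, so critical findings top the human-attention list.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def dedupe(findings):
    """Drop repeated findings; scanners often report one issue once per image layer."""
    seen, unique = set(), []
    for f in findings:
        key = (f.image, f.finding_id, f.package, f.version)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def reconcile(findings, justifications):
    """Split findings into (needs_attention, auto_closed, suggested).

    needs_attention: list of Finding, sorted by severity, for human review
    auto_closed:     list of (Finding, Justification) closed by an exact prior decision
    suggested:       list of (Finding, [Justification, ...]) with candidate justifications
    """
    exact = {(j.finding_id, j.package): j for j in justifications}
    by_id = {}
    for j in justifications:
        by_id.setdefault(j.finding_id, []).append(j)

    needs_attention, auto_closed, suggested = [], [], []
    for f in dedupe(findings):
        prior = exact.get((f.finding_id, f.package))
        if prior is not None and prior.status in ("justified", "false_positive"):
            auto_closed.append((f, prior))          # same decision still applies
            continue
        if prior is not None and prior.status == "fixed":
            needs_attention.append(f)               # reappeared after a fix: regression
            continue
        candidates = by_id.get(f.finding_id, [])
        if candidates:
            suggested.append((f, candidates))       # same id, other package: human confirms
            continue
        needs_attention.append(f)                   # genuinely new finding
    needs_attention.sort(key=lambda f: SEVERITY_RANK.get(f.severity.lower(), 99))
    return needs_attention, auto_closed, suggested


def record_justification(justifications, finding, reason, status):
    """Persist a human decision so the next automated scan can apply it."""
    return list(justifications) + [
        Justification(finding.finding_id, finding.package, reason, status)
    ]


# Constructed sample scan output and justification store (placeholder ids/packages).
SAMPLE_FINDINGS = [
    Finding("example/app:1.0", "CVE-0000-0001", "libfoo", "1.2.3", "high"),
    Finding("example/app:1.0", "CVE-0000-0001", "libfoo", "1.2.3", "high"),  # duplicate layer
    Finding("example/app:1.0", "CVE-0000-0002", "libbar", "2.0", "critical"),
    Finding("example/app:1.0", "CVE-0000-0003", "libbaz", "0.9", "medium"),
    Finding("example/app:1.0", "CVE-0000-0004", "libqux", "4.1", "low"),
]
SAMPLE_JUSTIFICATIONS = [
    Justification("CVE-0000-0001", "libfoo", "vulnerable code path disabled at build", "justified"),
    Justification("CVE-0000-0003", "otherlib", "scanner misattributes to this package", "false_positive"),
    Justification("CVE-0000-0004", "libqux", "patched in base image rebuild", "fixed"),
]

if __name__ == "__main__":
    attention, closed, maybe = reconcile(SAMPLE_FINDINGS, SAMPLE_JUSTIFICATIONS)
    for f in attention:
        print(f"NEEDS REVIEW  {f.severity:8} {f.finding_id} {f.package} {f.version}")
    for f, j in closed:
        print(f"AUTO-CLOSED   {f.finding_id} {f.package}: {j.reason}")
    for f, cands in maybe:
        print(f"SUGGESTED     {f.finding_id} {f.package}: {[c.reason for c in cands]}")
```

Running it surfaces the new critical finding and the regressed "fixed" finding for review, auto-closes the exactly matched justified finding, and only suggests the prior false-positive decision for the finding that matched by identifier but not by package. Once a reviewer records a justification for the new finding with `record_justification`, the next run closes it automatically, which is the "stored for future automated scans" behaviour described above.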
How DoD Agencies Can Get Hardened DevSecOps Tools
DoD teams have ready access to Atlassian’s DevSecOps applications, such as Jira, Confluence, Bitbucket, and Bamboo, through the Platform One BOA 2 for Tools. The intent of the BOAs is to provide Government departments and agencies with an accelerated path to a vetted contractor pool. Leveraging the BOAs eliminates the need for individual defense program offices to conduct additional market research, and has been shown to cut the total acquisition time by over 75%.
Carahsoft, the trusted government Atlassian solutions provider, is the contracted source for Atlassian tools on the BOA 2 contract. The BOA is a new way for DoD teams to obtain Atlassian software. Ascend hardened containers, once accredited, will be available via Iron Bank. Continuing development and process streamlining are ensured through this multi-year contract. Support, services, and expertise surrounding the Atlassian product stack are also available through this BOA.