
Best Practices for Implementing DevSecOps

By The Carahsoft Team

November 28, 2022

It’s not surprising that the development, security and operations (DevSecOps) approach to building software is the darling of IT teams across the government. It is essential given the current mandate that agencies move toward zero trust environments. Secure software is fundamental, and DevSecOps helps agencies get there while delivering user-tailored applications faster. Less clear is the best path for implementing DevSecOps, in part because the missions and goals of agencies vary. No matter where your agency is in adopting DevSecOps, it is critical to realize that, like most things in IT, moving to a methodology that integrates development, security and operations is not just a matter of making the right technology choices. There is a major people and workflow component that requires teams to collaborate in new ways. Download the guide to learn how the lessons learned by federal agency and industry experts can help as your agency embraces DevSecOps.


5 Essential Ingredients to Make DevSecOps the Heart of Your Agency’s Digital Transformation

“There’s no denying the value of a development, security, operations approach to creating software and applications. Here’s why: ‘The government is building better quality software. They are getting it deployed faster. Security teams are involved in the beginning, middle and end — every step along the way,’ said Adam Clater. But beyond the blending of an agency’s development, security and operations teams, what are those must-haves to make DevSecOps succeed and drive digital transformation? Clater identified five critical elements necessary to DevSecOps and establishing a continuous integration and continuous deployment pipeline. That CI/CD pipeline serves as the agile workflow conduit for DevSecOps, he said.”

Read more insights from Adam Clater, Chief Architect for North America Public Sector at Red Hat.


How Effective DevSecOps Enables More Secure Software Development

“The legacy model of software development is one of the biggest roadblocks to delivering secure applications at the speed that modern consumers and citizens expect. Taking a manual approach to security after the initial development build can leave teams with a remediation timeline measured in weeks, if not months. That’s why it’s important for federal agencies to adopt a development, security and operations (DevSecOps) approach, which weaves security into every step of software development from design to build and beyond. Unifying development and security processes while also automating scanning throughout the application lifecycle — not just during development — can help agencies deliver more secure software faster and at a lower cost, better positioning themselves to adopt a zero trust architecture.”

Read more insights from Ted Rutsch, Federal Sales Manager at Invicti Security.


Embracing DevSecOps Requires a Mindset Shift and Simple (Not Simplistic) Tools

“DevSecOps — development, security and operations — is the new standard for delivering secure software at the pace that customers and citizens expect from their government today. This is accomplished by integrating security with development and operations teams at the start of the process. But despite its focus on delivering technology-enabled solutions that ensure security is considered from the very beginning rather than an afterthought, what often gets lost in the shuffle is that technology is only one component. DevSecOps requires a mindset shift that revolves around people and processes just as much as technology.”

Read more insights from Joe Bleich, Director of Sales at Datadog.


Lesson Plan for Accelerating Adoption of DevSecOps in Your Agency

“DevSecOps teams have a reputation for being able to ship secure software quickly, and that has a lot to do with software being assembled from open source libraries and not built from scratch. A recent Gartner report shows 70% of software is built using open source packages, and an average of 75% of these packages have vulnerabilities at any point in time. Teams that don’t prioritize continuous visibility on their security posture are at risk. And they could be building on top of vulnerable systems with unresolved day zero vulnerabilities. But it’s possible to mitigate the risk by leaning into continuous transparency throughout the development stack.”

Read more insights from Atlassian’s Senior Designer, Nupur Aggarwal, and Senior Product Manager, Andrew Pankevicius.


How to Structure a Successful Software Factory

“One of the best ways government can begin to facilitate this mindset shift is to cultivate the right leadership. Oti said the first step is to hire leadership based on capabilities rather than career field. It doesn’t matter if a software development team is led by an engineer, data scientist or program manager. What matters is that person has the vision and skill sets to lead a cross-functional team. If delivering high-quality software is the highest priority for a development team, then a proven ability to deliver needs to be the highest priority in choosing its leadership. And because DevSecOps requires the integration of multiple (traditionally stove-piped) job functions, cross-disciplinary empathy and understanding is also an important metric in gauging potential leadership for a development team. Degrees and seniority are irrelevant, Oti said. In the Air Force, successful software development teams are led by officers, enlisted Airmen, civilians and even contractors.”

Read more insights from Enrique Oti, Chief Technology Officer at Second Front Systems.

Download the full Expert Edition for more insights from these DevSecOps thought leaders and additional government interviews, historical perspectives and industry research.
