Since the development of the internet, IT professionals have been in an “arms race” with bad actors. DevOps emerged as a way to restructure the development process by bringing developers and operations teams together to create new applications, thus ending the cycle of vulnerabilities and software patches. But security still needed a seat at the table. The newest approach is DevSecOps — both a software engineering approach and a culture that promotes security automation and monitoring throughout the application development lifecycle. DevSecOps is designed to break down barriers to collaboration among development, operations and security teams so they all can contribute to creating new applications. Organizations can deploy new apps with secure, efficient, functioning code — but with security as the foundation. To learn more about how your agency can use DevSecOps to reduce lead and mean time, increase deployment frequency, and cut operation costs almost in half, get up to date with “Agencies Build Foundation for DevSecOps Success,” a guide created by GovLoop and Carahsoft featuring insights from the following technology and government DevSecOps thought leaders.
Embracing Machine Identity Management
“One of the advantages of modern IT services is that they leverage both physical machines (computers and other devices) and virtual machines (e.g., applications, containers and code) to exchange data and execute tasks without human intervention. That makes it possible to design services that are fast, flexible and reliable. But it also raises an important security question: How do you know whether those machines can be trusted? That’s a question of identity management.”
Read more insights from Venafi’s Senior Product Marketing Manager, Eddie Glenn.
The Playbook for Innovating Quickly, Expansively and Securely
“Government adoption times can be taken for granted – people aren’t surprised when something takes three years to build or 12 months to implement. Those are common refrains that often go unquestioned. They shouldn’t. Cloud changed the game by allowing agencies to spin up networks instantaneously. And that was just the beginning. Throw in microservices architectures and agile development methods that have security and operations built in; now you’re getting down the court, faster than before.”
Read more insights from SAP NS2’s Cloud Director, Dean Pianta.
How Developers Can Become a Security Asset
“When it comes to security, IT experts often talk about the importance of “shifting left,” that is, addressing security earlier in the development lifecycle. But it’s not just security that shifts left with DevOps. In traditional IT environments, developers were expected to adhere to a detailed IT architecture, which was updated periodically. To take advantage of today’s rapid rate of innovation in technologies and architectural approaches, agencies need to give developers more leeway to decide what languages, toolsets and capabilities they might need to build an application.”
Read more insights from Red Hat’s Cloud Native Transformation Specialist, Michael Ducy.
Enabling Agencies to Succeed with DevSecOps
“Instrumentation provides benefits both to the application security team and to developers. For the application security team, the tool soup approach often results in so much data, and so many false positives, that they have a difficult time gleaning intelligence from it. The unified picture provided by an instrumentation platform eliminates the noise so that the team can identify and remediate problems quickly. Instrumentation can also provide accurate feedback directly to developers, so that they can fix vulnerabilities as part of their normal work.”
Read more insights from Contrast Security’s Co-Founder and CTO, Jeff Williams.
DevSecOps Teams Require a Robust Orchestration Platform
“DevSecOps, by definition, is intended to promote collaboration among the development, security and operations team. But Chow emphasized that such collaboration needs to begin at the outset of a project, when defining the goals and strategy for a project. The idea is to define the overarching goal or mission of the project, then have each team prioritize their own needs and goals as it relates to that mission, said Chow. Those secondary goals become the building blocks for the strategy and shapes the development and orchestration of the application pipeline, he said.”
Read more insights from F5’s Senior DevOps Solution Engineer, Gee Chow.
How Culture Drives DevSecOps Success
“’When people talk about DevSecOps, they often focus on improving communications between developers and the security team. But organizations need to foster open and transparent communications at every layer of management, from the top down,’ Urban said. In particular, developers can benefit from understanding how their work fits into the larger mission – and why particular security constraints are important. ‘Good healthy communication means staying as open and transparent as you can be without compromising that security,’ he said.”
Read more insights from Atlassian’s Public Sector Evangelist, Ken Urban.
Modern Cloud Security Requires an Agile Approach
“Automation also paves the way to change how agencies approve IT systems for use. In a standard Authority to Operate (ATO) process, a system owner must implement, certify and maintain required security controls. The problem is that certification is based on a snapshot in time, whereas in modern cloud environments, change is constant. Systems can ’drift’ from compliance over time as new threats arise. Modern cloud solutions offer architectures leveraging containers that perform discrete tasks within a microservice environment and are in constant flux with application updates, vulnerabilities/threats, policies, etc.”
Read more insights from Palo Alto Networks’s Chief Security Officer of Public Cloud, Matt Chiodi, and Senior Product Manager, Paul Fox.
DevSecOps Drives Change at the Air Force
“Another challenge is how to change the culture at government agencies that are not used to major shifts in culture and may actually be averse to it. DoD is still full of silos, he said in October 2020 during Amazon Web Services’ National Security Series. ‘It goes down to even like basic partnerships.… We have so many silos and that’s really part of the reason as to why we cannot really scale things, and why we reinvent the wheel and why we don’t do very well with enterprise services,’ Chaillan said.”
Read more insights from Air Force’s Chief Software Officer and Head of Platform One, Nicolas Chaillan.
Army Futures Command Makes DevSecOps a Long-Term Priority
“For agencies thinking of starting DevSecOps programs, Errico has advice: ‘Spend time conducting industry analysis of use cases both inside and outside the federal space. This is very much an emerging technology, and you have to figure out the right way it will fit for your organization. That takes time and thoughtful, honest analysis.’ Once the commitment is made and a DevSecOps program is in place, he said, comes the challenge of maintaining — and expanding — cultural change.”
Read more insights from the Army Futures Command’s Software Factory Lead, Maj. Vito Errico.
U.S. Transportation Command Cultivates a Team Mindset
“Unlike Platform One or the Software Factory, the DevSecOps program at U.S. Transportation Command is embedded in a unified, functional combatant command that provides support to the other 10 U.S. combatant commands, the military services, defense agencies and other government organizations. That means it serves many kinds of military organizations, providing strategic mobility capability through its own vast infrastructure of people, information systems, trucks, aircrafts, ships, trains and railcars. It also means the command may consider itself a transportation organization or a strategic logistics organization, but it doesn’t necessarily view software as an essential element of its mission in the way the services do, for instance.”
Read more insights from U.S. Transportation Command’s Chief of DevOps, Christopher Crist.
Download the full GovLoop Guide for more insights from these DevSecOps thought leaders and additional government interviews, historical perspectives and industry research on the future of DevSecOps.