Agencies Should Look Beyond DevOps to DevSecOps

As Federal agencies adopt DevOps practices to shorten development cycles and increase deployment frequency, security must be interwoven into every aspect of the process from design, through coding, testing, release, and operation.

DevOps, a moniker that is a combination of development and operations, is now morphing into DevSecOps as organizations and security professionals rethink how they develop, manage, and secure applications. A primary goal of DevSecOps is to break down barriers and open collaboration between development, security, and operations organizations. DevSecOps is a software engineering culture as well as a practice that advocates automation and monitoring throughout the software development lifecycle.

The Department of Agriculture is seeking support for DevSecOps as the department moves into Phase II of standing up its five IT Modernization Centers of Excellence (CoEs). In a solicitation released at the end of July, USDA said it is seeking “multiple pools of support to assist in cloud adoption, infrastructure optimization, data center consolidation, application migration, cloud portfolio management, and DevSecOps support.”

The Departments of Homeland Security and Veterans Affairs, General Services Administration and Environmental Protection Agency are among those breaking the mold in DevOps, Elizabeth Lawler, vice president of DevOps security with CyberArk, wrote in MeriTalk in May. So, it is highly likely that agency managers adopting DevOps will interweave security more into the process as they modernize information technology infrastructures, experts say.

Feds Moving to Software Factory Approach

“The Federal government has gotten very savvy about software development,” said Adam Clater, chief architect with Red Hat U.S. Public Sector. “What I’m beginning to see in the Federal government, at least in large programs where it is available, is a move to [the concept of] software factory development.”

This entails the development of a platform on which software is created, plus all the automation from code scanning to testing to operation. All of that will be owned and operated by an agency or contractor. “Who is going to own it? I don’t know, that will be [determined] agency by agency,” Clater said. “The important fact is that agency managers understand that they need rigorous standardization and automation to build applications because these processes will lead to scalability and better security.”

It is also important for agencies to recognize that DevSecOps is a cultural change. “For a lot of organizations, these meetings are the first time they have all three organizations together in the same room. That is amazing from a communications perspective, and empowering for everyone who has a seat at the table,” he said.

Clater recommended some points that agency managers should consider as they establish DevSecOps programs.

  1. Agencies should start small as they build a team. “You want to learn how your organization needs to change and adapt to the new practices and culture. So, start with a small, iterative process to learn and adapt,” he said.
  2. Celebrate success. Don’t be afraid to make mistakes or fail.
  3. Fail fast. This is not the concept that the entire initiative is going to fail. Instead, developers might write code today and commit it to the main branch finding that it doesn’t function or serve the needs of users as anticipated. The problem can then be resolved the next day, moving forward. Getting the total involvement of the team, having a small footprint, and small focus on daily changes adds up to greater progress as the application is built.
  4. Be able to adapt to change. There is a big focus in government and industry on moving to cloud infrastructures. The cloud and technology are constantly changing. So, success should be measured by how well your organization can adapt to change rather than a move of everything to the cloud.

Security Vulnerability Testing Lags Behind Threats

As threats increase and pressure to protect applications and data grows more intense, two new technologies, namely behavioral analytics and machine learning, are expected to help improve application and overall security, according to a report released by FreeForm Dynamics and CA Technologies.

“Today security testing of vulnerabilities always lags behind known threats, increasing the requirement for continuous testing throughout the entire software lifecycle. Machine learning (ML) and behavioral analytics may enable more prescriptive lifecycle vulnerability testing. But beyond this, ML could also soon make it possible for apps to be able to make decisions on sensitive data access in real time, essentially helping improve the security of the app as it is being used,” according to the report, Integrating Security Into The DNA of Your Software Lifecycle.

As Booz Allen Hamilton analysts Jimmy Pham and Bill Ott noted in their blog on 5 Myths of Adopting DevSecOps, agencies cannot buy DevSecOps. It is a methodology that lets cross-functional teams integrate technologies and collaborate during the software development lifecycle. Agencies can buy tools such as continuous integration and release management, “but it’s really your delivery teams that make it happen.” They are the ones driving continual improvement in this cultural and paradigm shift.

Recent