
Agencies Build Foundation for DevSecOps Success


Since the development of the internet, IT professionals have been in an “arms race” with bad actors. DevOps emerged as a way to restructure the development process by bringing developers and operations teams together to create new applications, with the aim of ending the cycle of vulnerabilities and software patches. But security still needed a seat at the table. The newest approach is DevSecOps: both a software engineering approach and a culture that promotes security automation and monitoring throughout the application development lifecycle. DevSecOps is designed to break down the barriers to collaboration among development, operations and security teams so that all of them can contribute to creating new applications. Organizations can deploy new apps with secure, efficient, functioning code, with security as the foundation. To learn more about how your agency can use DevSecOps to reduce lead time and mean time, increase deployment frequency, and cut operating costs almost in half, get up to date with “Agencies Build Foundation for DevSecOps Success,” a guide created by GovLoop and 探花视频 featuring insights from the following technology and government DevSecOps thought leaders.

Embracing Machine Identity Management

“One of the advantages of modern IT services is that they leverage both physical machines (computers and other devices) and virtual machines (e.g., applications, containers and code) to exchange data and execute tasks without human intervention. That makes it possible to design services that are fast, flexible and reliable. But it also raises an important security question: How do you know whether those machines can be trusted? That’s a question of identity management.”

Read more insights from Venafi’s Senior Product Marketing Manager, Eddie Glenn.


The Playbook for Innovating Quickly, Expansively and Securely

“Government adoption times can be taken for granted: people aren’t surprised when something takes three years to build or 12 months to implement. Those are common refrains that often go unquestioned. They shouldn’t. Cloud changed the game by allowing agencies to spin up networks instantaneously. And that was just the beginning. Throw in microservices architectures and agile development methods that have security and operations built in; now you’re getting down the court, faster than before.”

Read more insights from SAP NS2’s Cloud Director, Dean Pianta.


How Developers Can Become a Security Asset

“When it comes to security, IT experts often talk about the importance of ‘shifting left,’ that is, addressing security earlier in the development lifecycle. But it’s not just security that shifts left with DevOps. In traditional IT environments, developers were expected to adhere to a detailed IT architecture, which was updated periodically. To take advantage of today’s rapid rate of innovation in technologies and architectural approaches, agencies need to give developers more leeway to decide what languages, toolsets and capabilities they might need to build an application.”

Read more insights from Red Hat’s Cloud Native Transformation Specialist, Michael Ducy.


Enabling Agencies to Succeed with DevSecOps

“Instrumentation provides benefits both to the application security team and to developers. For the application security team, the tool soup approach often results in so much data, and so many false positives, that they have a difficult time gleaning intelligence from it. The unified picture provided by an instrumentation platform eliminates the noise so that the team can identify and remediate problems quickly. Instrumentation can also provide accurate feedback directly to developers, so that they can fix vulnerabilities as part of their normal work.”

Read more insights from Contrast Security’s Co-Founder and CTO, Jeff Williams.

DevSecOps Teams Require a Robust Orchestration Platform

“DevSecOps, by definition, is intended to promote collaboration among the development, security and operations teams. But Chow emphasized that such collaboration needs to begin at the outset of a project, when defining the goals and strategy for a project. The idea is to define the overarching goal or mission of the project, then have each team prioritize its own needs and goals as they relate to that mission, said Chow. Those secondary goals become the building blocks for the strategy and shape the development and orchestration of the application pipeline, he said.”

Read more insights from F5’s Senior DevOps Solution Engineer, Gee Chow.

How Culture Drives DevSecOps Success

“‘When people talk about DevSecOps, they often focus on improving communications between developers and the security team. But organizations need to foster open and transparent communications at every layer of management, from the top down,’ Urban said. In particular, developers can benefit from understanding how their work fits into the larger mission, and why particular security constraints are important. ‘Good healthy communication means staying as open and transparent as you can be without compromising that security,’ he said.”

Read more insights from Atlassian’s Public Sector Evangelist, Ken Urban.

Modern Cloud Security Requires an Agile Approach

“Automation also paves the way to change how agencies approve IT systems for use. In a standard Authority to Operate (ATO) process, a system owner must implement, certify and maintain required security controls. The problem is that certification is based on a snapshot in time, whereas in modern cloud environments, change is constant. Systems can ‘drift’ from compliance over time as new threats arise. Modern cloud solutions offer architectures leveraging containers that perform discrete tasks within a microservice environment and are in constant flux with application updates, vulnerabilities/threats, policies, etc.”

Read more insights from Palo Alto Networks’ Chief Security Officer of Public Cloud, Matt Chiodi, and Senior Product Manager, Paul Fox.

DevSecOps Drives Change at the Air Force

“Another challenge is how to change the culture at government agencies that are not used to major shifts in culture and may actually be averse to it. DoD is still full of silos, he said in October 2020 during Amazon Web Services’ National Security Series. ‘It goes down to even like basic partnerships. We have so many silos and that’s really part of the reason as to why we cannot really scale things, and why we reinvent the wheel and why we don’t do very well with enterprise services,’ Chaillan said.”

Read more insights from the Air Force’s Chief Software Officer and Head of Platform One, Nicolas Chaillan.

Army Futures Command Makes DevSecOps a Long-Term Priority

“For agencies thinking of starting DevSecOps programs, Errico has advice: ‘Spend time conducting industry analysis of use cases both inside and outside the federal space. This is very much an emerging technology, and you have to figure out the right way it will fit for your organization. That takes time and thoughtful, honest analysis.’ Once the commitment is made and a DevSecOps program is in place, he said, comes the challenge of maintaining, and expanding, cultural change.”

Read more insights from the Army Futures Command’s Software Factory Lead, Maj. Vito Errico.

U.S. Transportation Command Cultivates a Team Mindset

“Unlike Platform One or the Software Factory, the DevSecOps program at U.S. Transportation Command is embedded in a unified, functional combatant command that provides support to the other 10 U.S. combatant commands, the military services, defense agencies and other government organizations. That means it serves many kinds of military organizations, providing strategic mobility capability through its own vast infrastructure of people, information systems, trucks, aircraft, ships, trains and railcars. It also means the command may consider itself a transportation organization or a strategic logistics organization, but it doesn’t necessarily view software as an essential element of its mission in the way the services do, for instance.”

Read more insights from U.S. Transportation Command’s Chief of DevOps, Christopher Crist.


Download the full GovLoop Guide for more insights from these DevSecOps thought leaders and additional government interviews, historical perspectives and industry research on the future of DevSecOps.
