Achieving gains in government IT performance with DevSecOps
A software development team in the Boston office of Kessel Run, a program within the DOD’s Defense Innovation Unit (U.S. Air Force photo by J.M. Eddins Jr.)
Eli Whitney, the inventor of the cotton gin, demonstrated the value of interchangeable parts in 1801 to the U.S. Congress, President John Adams and President-elect Thomas Jefferson. Whitney proved the viability and the military value of interchangeable parts by stripping down several muskets, then reassembling a functional musket from random parts from the disassembled muskets.
Today, we take for granted that parts are interchangeable — from the bolt carrier of a rifle to the alternator on a transport vehicle, we assume that one is as good as another. But, like the information systems developed today, muskets of that era were bespoke artisanal creations. The parts for any given firearm were custom fitted to accommodate the manufacturing variation in the other components comprising the whole. A gunsmith was necessary to replace the hammer or pan of a musket and return it to working condition. The same can be said for information systems today, which often require a specialist or team of specialists to configure, deploy, modify or repair in the event of a failure.
To address the bespoke nature of information systems, and to gain for them the same types of benefits that interchangeable parts brought to manufacturing, the Department of Defense is adopting DevSecOps. It is an approach that has seen accelerated growth in the public sector over the last two years, especially within DOD, and it warrants a closer look.
First, what is DevSecOps? DevSecOps is a combination of processes, tools and people, joined with enterprise values across the disciplines of development, security and operations. Together they form a unique culture that enables more efficient delivery and management of secure software.
The integration of security augments the DevOps practices seen in industry. In government adoption it is important to integrate security throughout the process in order to reap the benefits of iterative improvement. Traditional development processes more often treat security as a checkpoint that must be passed, and do not integrate security concerns throughout the process. DevSecOps elevates security to a first-class citizen instead of a bolt-on checkpoint. The adoption of DevSecOps is extensive across the federal government, including the General Services Administration, Air Force, Army and Navy.
From a process standpoint, DevSecOps can be seen as an extension beyond the software development lifecycle practices found in agile development and Continuous Integration and Continuous Delivery (CI/CD) methodologies, improving the operational behaviors of the deployed system, including its security. By taking the principles of continuous deployment, applying them to operations management and introducing configuration as code, operational tasks can be automated, and that automation increases resiliency.
Ultimately, the result can be push-button automation — the ability to completely redeploy a component of infrastructure from bare metal to full operational capability by kicking off the appropriate automation playbook.
The tools used in DevSecOps are myriad. It is more important to have the right classes of tools than to have precisely the same tools another DevSecOps-practicing organization might use. DevSecOps is a combination of all three pillars of processes, tools and people — there is no single product that can be purchased. Unfortunately, there is no such thing as a DevSecOps box we can install in a datacenter.
The collection of tools is focused on source code version control, build automation, test automation, security validation, performance testing and configuration management, and extends into project management systems that permit prioritization, issue tracking and team collaboration.
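As an added illustration, not code from the article or from any agency program, here is what a pipeline-as-code definition looks like when security validation is an ordinary stage of the pipeline rather than a checkpoint before release, and when the deploy step replays versioned configuration (the "automation playbook" of the preceding section). It uses GitLab CI syntax; the build image, the scanner commands (sast-scan, dep-audit, iac-lint) and the playbook and inventory paths are assumed placeholders.

```yaml
# Added example in GitLab CI syntax; not from the article or any DOD program.
# Placeholders: the image name, the scanner commands (sast-scan, dep-audit,
# iac-lint) and the playbook/inventory paths under infra/.
stages:
  - build
  - verify     # unit tests AND security checks run here, side by side
  - deploy

default:
  image: example.invalid/ci-base:latest   # placeholder build image

build:
  stage: build
  script:
    - make build
  artifacts:
    paths:
      - dist/

unit-tests:
  stage: verify
  script:
    - make test

# Security validation is a normal pipeline job with the same pass/fail
# status as the unit tests, so a finding blocks the merge exactly as a
# failing test does, and it runs on every commit rather than once before
# release.
static-analysis:
  stage: verify
  script:
    - sast-scan --fail-on high ./src          # placeholder scanner
  artifacts:
    when: always
    paths:
      - sast-report.json

dependency-audit:
  stage: verify
  script:
    - dep-audit --lockfile package-lock.json  # placeholder scanner

# Infrastructure definitions live in the same repository (configuration
# as code) and are checked before they are ever applied.
infra-lint:
  stage: verify
  script:
    - iac-lint infra/                         # placeholder linter

# Push-button redeploy: the same playbook rebuilds the environment from
# the versioned configuration. The manual trigger keeps a person in the
# loop for production; the steps themselves are fully automated.
deploy-prod:
  stage: deploy
  needs: [build, unit-tests, static-analysis, dependency-audit, infra-lint]
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual
  environment: production
  script:
    - ansible-playbook -i infra/inventory.yml infra/site.yml
```

The design point is the `verify` stage: static analysis, dependency auditing and infrastructure linting sit next to the unit tests with no `allow_failure`, so security findings are surfaced on the developer's own commit and cannot be deferred to a release gate. The `deploy-prod` job depends on every verify job and runs nothing by hand; redeploying from a clean environment is the same playbook invocation with the same checked-in inventory.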
The people component of DevSecOps is often the most challenging in the DOD. Conway's Law says that organizations tend to build products whose design reflects the communication structure of the organization. Organizations structured in silos tend to build applications in silos. Given the tight integration of roles required for effective DevSecOps adoption, many government agencies are seeing a need to flatten their organizational structure and integrate IT professionals into cross-functional teams aligned around a product, rather than maintaining role-based internal organizations that communicate through ticketing systems.
This restructuring and alignment of personnel helps drive results by bringing everyone together, working toward the same goal: the successful release of their product.
DevSecOps brings several advantages to the table for DOD agencies, including shorter time to value, faster iteration to field new capabilities and moving risk left. The most valuable advantage is shortened time to value, whether that value be measured as innovation, reliability, or reduced rollout lead time.
The Waterfall process, the most common traditional development process, by contrast focuses on extensive requirements documentation and development up front. This can set goals for the features and capabilities of a product's first release that do not all have significant impact or provide wide-reaching value across the user base. DevSecOps is able to bring more value to the enterprise, more quickly, through its iterative feedback process.