DevSecOps Puts Security at the Heart of Program Development: SPONSORED
Methodology builds cyber considerations into DOD programs from the beginning.
The Department of Defense is rethinking how it approaches software and systems development in its technology programs by using more flexible methods to streamline the process and to improve cybersecurity from the start.
Because traditional DOD program development processes don’t have the speed and flexibility to keep up with rapid technological changes or fast-paced modern adversaries, new methodologies are being considered. One approach gaining traction in many parts of the DOD is Development, Security and Operations, or DevSecOps.
At its simplest, DevSecOps aims to make everyone in a program accountable for security, so that security decisions and actions are implemented at the same scale and speed as development and operations decisions and actions. DevSecOps differs both from the traditional Waterfall project delivery approach to DOD programs, which focuses on product delivery, time frames, and coordinating those activities, and from the modern Agile development methodologies.
DevSecOps Versus Agile Development
Agile development methodologies that emphasize iterative development cycles and feedback to find and correct errors throughout the software building process have become more common in federal government technology programs. “DevSecOps often gets confused as either another name for Agile development or an offshoot of it in the DOD community,” says Derek Strausbaugh, chief digital officer for Microsoft’s National Security Business.
“While DevSecOps does build on some Agile development principles, such as the continuous integration and delivery of software systems in cycles, its key emphasis from the beginning of the process is to integrate security features: Agile only focuses on delivering software,” Strausbaugh explains.
“You’re really taking security and putting it on the same level as continuous integration and delivery. So it’s not just Agile development, it’s actually creating another leg of the stool for quality from the get go, and integrating your developers, security and your operations functions into the software development lifecycle,” he says.
In a standard Waterfall or Agile program scenario, one team of developers builds an application and then hands it off to another group to install security or other features. DevSecOps shifts security accountabilities left, allowing programs to operate more efficiently and creating more organizational awareness when problems do show up.
“DevSecOps also helps with software and technology development pipelines. This is important because it is possible for programmers to build code and deliver products without understanding the infrastructure underpinning it,” says Zach Kramer, Microsoft’s Azure Government engineering lead. He adds, “This can make it hard to understand a project’s full security footprint, which is where Microsoft Azure and other cloud providers can help provide developers with a full view of the situation.”
“This approach not only helps with code and the underlying software infrastructure, but provides programmers with a standard set of telemetry and a top-to-bottom understanding of the platform they’re working on,” Kramer says. Another advantage of DevSecOps is that it shifts the program manager’s perspective from making sure that software is in compliance or meets a specification or audit to ensuring that the code is written correctly and securely and that it’s deployed in a repeatable manner. This is important because it ensures that a project can provide continuous software delivery at scale.
“If I’m not sure my application is still secure between build one and build two, then I have no chance of doing continuous delivery,” Strausbaugh explains. “With the right DevSecOps practices in place, I ensure that continuous integration checks take place for the right security areas in order to achieve continuous delivery.”
DOD Applications and Changing Culture
DevSecOps fits into the DOD’s modernization strategy to upgrade legacy systems and incorporate new capabilities such as machine learning or artificial intelligence into its mission. “From a military perspective, it is about increasing velocity—speeding up decision making and operational effectiveness rather than simply delivering software,” says Strausbaugh.
The core aspects of DevSecOps such as providing predictable software delivery and ensuring that that software is secure from cyber attack fit into the military’s view of future multidomain missions. “This is important because if a modern command and control system can be compromised by a cybersecurity vulnerability, that liability can undermine an entire military operation,” Strausbaugh says.
“At the bottom line, DevSecOps is about predictability and speed of delivery while ensuring security. While Agile development quickly produces code that can be deployed to warfighter applications with a repeatable frequency, it runs up against security and operational considerations such as round-the-clock operations and cyber defense,” Kramer says.
“As a methodology, there are a variety of tools and development container framework products organizations can use to help with DevSecOps applications. But it is more about the methodology and approach to building a trusted execution environment that is secure and scalable, without having to be locked into any kind of single source provider,” says Strausbaugh.
Organizations previously mitigated risks through complicated layers of approvals and checks, which slowed delivery in an attempt to reduce risks. These processes still did not eliminate risks but gave a level of comfort to those who approve applications for production. Strausbaugh maintains that while DevSecOps may seem uncomfortable, putting the right practice in place enables a better security posture, faster innovation and the ability to respond more quickly when the inevitable problem arises.
Organizations also need to evolve certain aspects of their internal cultures to get a DevSecOps program off the ground because the methodology creates a new way to look at a system’s stakeholders.
Strausbaugh notes that Agile development brings the owners of the application or system being built into the process. DevSecOps continues this evolution by bringing “the type of folks you absolutely have to have at the table, and including all the skills you need to have.”
DevSecOps requires teamwork because the goal is creating something to support warfighters and that requires both operational and security responsibilities. The methodology also requires a change in some developer skill sets because developers need to do much more than write good code.
“It requires developers who are well-rounded and have an eye on writing secure code and code that doesn’t put an operational burden on the organization,” Strausbaugh explains.
People working in this environment also need to accept change as a constant for software development, delivery and sustainment. This requires a cultural shift to create a greater sense of individual accountability, which makes the entire end-to-end process more critical to the overall outcome, Kramer says.
Automation is Key
Automation is another important aspect of the DevSecOps process, especially when deploying software at scale across large DOD agencies or entire services. But these large-scale, fast-paced operations often have problems caused by human error that usually occurs in repetitive, maintenance and security assessment functions. The best way to avoid such common mistakes is to automate those processes.
“If I can get a set of functions to be repeatable and known, I reduce error,” Kramer says. “That means my deployments should not be a human following a script. They should be automated with infrastructure as code. If I’m updating it, it should be done with the same infrastructure-as-code that did my deployment.”
“This same approach applies to security. Instead of requiring a person to go through checklists of hundreds of controls, this is done automatically as part of the software development/supply process pipeline. That transition to automating these basic processes is at the heart of DevSecOps,” Kramer says.
“Automation also frees up personnel who would be doing these manual tasks for other, more challenging and creative things. This also helps prevent employee burnout because the automated processes built into DevSecOps help manage rote maintenance and security operations and it allows for operational rollbacks if a problem is found so that instead of having developers work overnight to solve a problem, it can be identified and dealt with the following day,” Kramer says.
Growing Use Across DOD
DevSecOps is beginning to make inroads into the DOD. Strausbaugh sees two areas where this is happening. The first is in large scale software “factory” type development programs now underway in technology hubs across the military for developing systems to support warfighters.
The second area embracing DevSecOps is in programs where a major challenge for sustaining the project’s software systems turned out to be monolithic design processes that don’t deliver software iterations or updates with the frequency needed to catch major security vulnerabilities. These systems are also too slow to keep ahead of new capabilities developed by potential U.S. adversaries.
As a result of global competitive pressure, some of the DOD’s largest platforms and intelligence, surveillance and reconnaissance (ISR) systems are considering DevSecOps as a way to redesign or move away from software systems developed decades ago.
Another plus is a new generation of younger military and civilian personnel in the DOD who are comfortable with technology and using it in new ways. Strausbaugh notes that there has been a sea change in the DOD in terms of moving to and using cloud-based services and also the adoption of modern software development techniques at many of the military’s tech development centers.
“They’re building microservices architecture and consuming cloud services and looking at commercial as a goal post for the way they should be doing things rather than boxing themselves into the misnomer that the DOD has to do things a certain way just because of history or security,” Strausbaugh says.
Strausbaugh sees the move toward development strategies like DevSecOps accelerating throughout the military. This is reflected by the fact that the DOD is actively working with its industry partners to provide support and to make commercial tools and techniques available because the services are seeing the benefits of their use, he says.