Apr 07 2020

NIST Considers DevSecOps Framework for Agencies

Building security into the software development process could save feds time and make applications more secure from the start.

Federal agencies are increasingly embracing the DevOps methodology to enhance collaboration between their development and IT operations staff on testing and quality assurance, so they can develop software more quickly and automate infrastructure changes. IT security is the third leg of the stool, however, and activity on the related front of DevSecOps could soon pick up. 

The National Institute of Standards and Technology is considering creating a DevSecOps framework for agencies to make embedding security controls at the beginning of the software development lifecycle a common practice. 

As Red Hat notes in a post, DevSecOps “means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down.”

According to FedScoop, NIST is “currently gathering information on products developed using DevSecOps, an organizational philosophy that combines agile software development, security testing and tools for rapid delivery of applications and services.”

Ron Ross, a NIST fellow, tells FedScoop that such information will be distilled into guidance from NIST on DevSecOps that, while offering a clear perspective, will be designed to let agencies innovate on DevSecOps implementations. 

“To me the biggest benefit that the feds will see out of this is that it’s going to give them better transparency into the products that they’re buying and the systems they’re building, because, right now, a lot of that complexity is really beyond their reach,” Ross tells FedScoop. “They know the controls they need to implement, but a lot of that stuff is done in industry.” 

The Benefits of DevSecOps in Government

As Red Hat notes, DevSecOps is about “built-in security, not security that functions as a perimeter around apps and data.” If security is not integrated at the front of software development, agencies that use DevOps end up bolting security on at the end of the process and repeating long development cycles. 

“In part, DevSecOps highlights the need to invite security teams at the outset of DevOps initiatives to build in information security and set a plan for security automation,” Red Hat adds. “It also underscores the need to help developers code with security in mind, a process that involves security teams sharing visibility, feedback, and insights on known threats. It’s possible this can include new security training for developers too, since it hasn’t always been a focus in more traditional application development.”

According to FedScoop, Federal CIO Suzette Kent said at the Micro Focus Government Summit 2020 on March 10 that DevSecOps is a long-term priority for the government’s IT workforce. 

“Great concept, but at its core it’s talking about agility and getting the right people that own a part of the delivery life cycle together,” Kent said. “As we look into the next decade, we have to continue to do that with our mission and business teams, as well as the constituents that we’re serving.” 


Adopting DevSecOps across government will not be easy or happen quickly, Ross notes, since most agencies have a CISO organization that has effectively walled off cybersecurity concerns from enterprise architecture and software development.

“If you do good software development, most of our security problems will go away because all of the nagging vulnerabilities that we see in software — a lot of those are attributed to people not using secure coding techniques and things we should be doing,” Ross said during a panel discussion at the summit, FedScoop reports. 

Agile software development places continuous testing and evaluation into the software development life cycle, producing a body of evidence agencies can use to make “credible, risk-based decisions in a very complicated systems environment,” Ross said.

“In the end, DevSecOps is bigger than any singular technology, whether that be containers, Kubernetes or even the application platforms workloads run on,” Adam Clater, the chief architect of Red Hat’s North America public sector organization, writes in FedTech. “The reality is that DevSecOps focuses on delivering results quickly and embracing cross-team communication. A big part of that equation is building trust through the organization by using tools in the [continuous integration/continuous delivery] pipeline to validate the suitability of code for production environments.”
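The “automated security gates” Red Hat describes and the pipeline tools Clater mentions for validating code before production both come down to a check that runs on every change and blocks the merge or deployment when it fails. The script below is an added illustration of that pattern, not NIST, Red Hat or FedTech code. It assumes a pip-style pinned dependency manifest, a toy advisory table (the advisory identifiers are placeholders, not real CVEs), and a deliberately narrow set of hardcoded-secret patterns; a production gate would pull advisories from a vulnerability database and use a full secret scanner, but the shape of the decision, which is to collect findings and return a non-zero exit status, is the same.

```python
"""Illustrative CI security gate (added example; not code from NIST or Red Hat).

Assumptions, all constructed for this example:
  - ADVISORIES is a toy advisory feed: package -> (first fixed version, id).
  - The manifest is a pip-style list of "name==version" lines.
  - SECRET_PATTERNS is a small, intentionally narrow regex set.
"""
import re
from dataclasses import dataclass, field

# Constructed advisory data; identifiers are placeholders, not real CVE numbers.
ADVISORIES = {
    "examplelib": ("2.3.1", "ADV-EXAMPLE-0001"),  # versions below 2.3.1 affected
    "otherpkg": ("1.0.5", "ADV-EXAMPLE-0002"),    # versions below 1.0.5 affected
}

# Constructed secret patterns: an AWS-style access key id and a quoted password literal.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("password_literal", re.compile(r"(?i)password\s*=\s*['\"][^'\"]{6,}['\"]")),
]


@dataclass
class Finding:
    kind: str       # category of the problem
    location: str   # dependency spec or path:line
    detail: str     # advisory id or pattern label


@dataclass
class GateResult:
    findings: list = field(default_factory=list)

    @property
    def passed(self):
        # The gate passes only when nothing was flagged.
        return not self.findings


def parse_version(v):
    # Dotted numeric versions compare correctly as integer tuples.
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    # Reject unpinned dependencies: a gate cannot reason about a floating version.
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.lower()] = version
    return deps


def check_dependencies(deps):
    # Flag every pinned dependency older than the advisory's fixed version.
    findings = []
    for name, version in deps.items():
        adv = ADVISORIES.get(name)
        if adv and parse_version(version) < parse_version(adv[0]):
            findings.append(Finding("vulnerable_dependency", f"{name}=={version}",
                                    f"{adv[1]}: fixed in {adv[0]}"))
    return findings


def check_secrets(files):
    # Scan each source line against the secret patterns; report path:line.
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for label, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    findings.append(Finding("hardcoded_secret", f"{path}:{lineno}", label))
    return findings


def run_gate(manifest_text, files):
    # Run every check and collect all findings so developers see them in one pass.
    result = GateResult()
    try:
        deps = parse_manifest(manifest_text)
    except ValueError as e:
        result.findings.append(Finding("manifest_error", "requirements", str(e)))
        return result
    result.findings.extend(check_dependencies(deps))
    result.findings.extend(check_secrets(files))
    return result


# Constructed sample inputs: one outdated dependency and one hardcoded password.
SAMPLE_MANIFEST = """
examplelib==2.2.0
otherpkg==1.1.0
"""
SAMPLE_FILES = {
    "app/config.py": 'DB_PASSWORD = "hunter2hunter2"\nDEBUG = False\n',
    "app/main.py": "def main():\n    return 0\n",
}

if __name__ == "__main__":
    r = run_gate(SAMPLE_MANIFEST, SAMPLE_FILES)
    for f in r.findings:
        print(f"{f.kind}: {f.location} ({f.detail})")
    # A non-zero exit is what stops the pipeline stage.
    raise SystemExit(0 if r.passed else 1)
```

The gate reports every finding rather than stopping at the first one, which is the trade-off Red Hat's description implies: developers get complete feedback on a single run instead of a slow fix-and-retry loop, and the pipeline still refuses to promote the change until the list is empty.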
