The Benefits of DevSecOps in Government
As Red Hat notes, DevSecOps is about “built-in security, not security that functions as a perimeter around apps and data.” If security is not integrated at the start of software development, agencies that use DevOps end up repeating long development cycles because security has to be bolted on at the end of the process.
“In part, DevSecOps highlights the need to invite security teams at the outset of DevOps initiatives to build in information security and set a plan for security automation,” Red Hat adds. “It also underscores the need to help developers code with security in mind, a process that involves security teams sharing visibility, feedback, and insights on known threats. It’s possible this can include new security training for developers too, since it hasn’t always been a focus in more traditional application development.”
According to FedScoop, Federal CIO Suzette Kent said at the Micro Focus Government Summit 2020 on March 10 that DevSecOps is a long-term priority for the government’s IT workforce.
“Great concept, but at its core it’s talking about agility and getting the right people that own a part of the delivery life cycle together,” Kent said. “As we look into the next decade, we have to continue to do that with our mission and business teams, as well as the constituents that we’re serving.”
Adopting DevSecOps across government will not be easy or happen quickly, Ross notes, since most agencies have a CISO organization that has effectively walled off cybersecurity concerns from enterprise architecture and software development.
“If you do good software development, most of our security problems will go away because all of the nagging vulnerabilities that we see in software — a lot of those are attributed to people not using secure coding techniques and things we should be doing,” Ross said during a panel discussion at the summit, FedScoop reports.
Agile software development places continuous testing and evaluation into the software development life cycle, producing a body of evidence agencies can use to make “credible, risk-based decisions in a very complicated systems environment,” Ross said.
“In the end, DevSecOps is bigger than any singular technology, whether that be containers, Kubernetes or even the application platforms workloads run on,” Adam Clater, the chief architect of Red Hat’s North America public sector organization, writes in FedTech. “The reality is that DevSecOps focuses on delivering results quickly and embracing cross-team communication. A big part of that equation is building trust through the organization by using tools in the [continuous integration/continuous delivery] pipeline to validate the suitability of code for production environments.”