Why DevSecOps Practices Are Important in Government
If software development can be viewed on a timeline, left to right, where the planning phases are on the left side of the timeline and production phases are on the right, DevSecOps aims to shift security “left,” or earlier into the planning process. That helps catch security issues or flaws sooner.
“If we wait until we get into production phases and we’re ready to go live on a product, and then we go to security and we find a problem, now all of a sudden, we’ve got to walk that whole process back to the beginning to be able to address those security risks,” Jepson said.
“So, if we can architect for security at the beginning, the planning phases, if we can embed controls and visibility and tools into each phase of the software development life cycle, then ultimately what we get is higher quality products into production more quickly,” he added.
There are numerous benefits to DevSecOps, as NIST notes. They include:
- Reducing vulnerabilities, malicious code and other security issues in released software without inhibiting software production and releases
- Mitigating the potential impact of adversaries exploiting vulnerabilities throughout the application lifecycle
- Addressing the root causes of vulnerabilities to prevent security issues from continuously cropping up (this can be done through actions such as “strengthening test tools and methodologies in the toolchain, and improving practices for developing code and operating hosting platforms”)
- Reducing the friction between the development, operations and security teams to simultaneously support the velocity of the organization’s mission while using modern technologies
Nicolas Chaillan, the Air Force’s chief software officer, says the Air Force’s Platform One software development program uses DevSecOps to quickly and successfully meet mission needs. However, it requires that government users continuously learn new skills.
“When you mix agile and DevSecOps into a single construct, which should be the only way to build software in 2021, that is the only way to compete with our competitors,” Chaillan tells Federal News Network. “The biggest gap we have is we don’t invest in our people and don’t do a good job with continuous learning. Most of the technology we are using at Platform One is less than three years old. So you have to learn multiple times a day and continuously do that.”
DevSecOps also enables agencies to securely accommodate remote workers, which became a paramount concern amid the pandemic. The National Geospatial-Intelligence Agency worked with Booz Allen Hamilton to enable “development in unclassified environments and deployment into classified environments using end-to-end cross-domain pipelines,” according to a white paper from the United States Geospatial Intelligence Foundation, a geospatial intelligence community nonprofit.
“They have rapidly developed new technology, leveraged uncleared developers who were previously unable to support NGA’s mission due to clearance requirements, and ensured the low-side and the high-side environments were mirror images by employing a modern DevSecOps approach,” the white paper notes.
“With these cross-domain environments already in place, some NGA users and analysts have experienced an easier transition as those environments were repurposed to accommodate working from home,” the white paper continues. “Analysts were able to sustain cross-domain development workflows, ensuring that model development and testing that occur in unclassified environments can be seamlessly transitioned to the classified space.”
DevOps vs. DevSecOps: What Are the Main Differences?
DevOps and DevSecOps are closely related, in the sense that both are focused on a continuous integration/continuous delivery (CI/CD) pipeline. The model follows key stages: development, integration, quality assurance, user acceptance testing, staging, preproduction and, finally, production.
Both DevOps and DevSecOps are processes that are highly automated and dependent on a series of platforms called tool chains that help manage the workflow. DevSecOps adds in the security component to ensure security controls are put in place throughout the development lifecycle, and that security vulnerabilities are caught from the get-go.