Why DevSecOps Practices Are Important in Government
If software development is viewed as a timeline running left to right, with the planning phases on the left and production on the right, DevSecOps aims to shift security “left,” into the planning and design phases. That catches security flaws sooner, before they are expensive to unwind.
“If we wait until we get into production phases and we’re ready to go live on a product, and then we go to security and we find a problem, now all of a sudden, we’ve got to walk that whole process back to the beginning to be able to address those security risks,” Jepson said.
“So, if we can architect for security at the beginning, the planning phases, if we can embed controls and visibility and tools into each phase of the software development life cycle, then ultimately what we get is higher quality products into production more quickly,” he added.
There are numerous benefits to DevSecOps, as NIST notes. They include:
- Reducing vulnerabilities, malicious code and other security issues in released software without inhibiting software production and releases
- Mitigating the potential impact of adversaries exploiting vulnerabilities throughout the application lifecycle
- Addressing the root causes of vulnerabilities to prevent security issues from continuously cropping up (this can be done through actions such as “strengthening test tools and methodologies in the toolchain, and improving practices for developing code and operating hosting platforms”)
- Reducing the friction between the development, operations and security teams to simultaneously support the velocity of the organization’s mission while using modern technologies
Nicolas Chaillan, the Air Force’s chief software officer, says the Air Force’s Platform One software development program uses DevSecOps to quickly and successfully meet mission needs. However, it requires that government users continuously learn new skills.
“When you mix agile and DevSecOps into a single construct, which should be the only way to build software in 2021, that is the only way to compete with our competitors,” Chaillan tells Federal News Network. “The biggest gap we have is we don’t invest in our people and don’t do a good job with continuous learning. Most of the technology we are using at Platform One is less than three years old. So you have to learn multiple times a day and continuously do that.”
DevSecOps also enables agencies to securely accommodate remote workers, which became a paramount concern amid the pandemic. The National Geospatial-Intelligence Agency worked with Booz Allen Hamilton to enable “development in unclassified environments and deployment into classified environments using end-to-end cross-domain pipelines,” according to a white paper from the United States Geospatial Intelligence Foundation, a geospatial intelligence community nonprofit.
“They have rapidly developed new technology, leveraged uncleared developers who were previously unable to support NGA’s mission due to clearance requirements, and ensured the low-side and the high-side environments were mirror images by employing a modern DevSecOps approach,” the white paper notes.
“With these cross-domain environments already in place, some NGA users and analysts have experienced an easier transition as those environments were repurposed to accommodate working from home,” the white paper continues. “Analysts were able to sustain cross-domain development workflows, ensuring that model development and testing that occur in unclassified environments can be seamlessly transitioned to the classified space.”
DevOps vs. DevSecOps: What Are the Main Differences?
DevOps and DevSecOps are closely related: both are built around a continuous integration/continuous delivery (CI/CD) pipeline. That pipeline runs through a series of stages: development, integration, quality assurance, user acceptance testing, staging, preproduction and, finally, production.
Both DevOps and DevSecOps are highly automated processes that depend on a series of platforms, called toolchains, to manage the workflow. DevSecOps adds the security component: security controls are built into every stage of that pipeline rather than applied as a single review before release, so that vulnerabilities are caught from the start instead of at the end.
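As an added illustration (not code from the article, NIST, Platform One, NGA or any vendor mentioned), the following Python shows one way those controls are embedded as gates between the pipeline stages named above. It assumes that each stage's scanners emit SARIF 2.1.0, the interchange format most SAST and dependency scanners support, and that the pipeline calls `evaluate_gate()` with the stage it is about to leave. The stage policy, the accepted-risk register, the rule IDs and the sample report are all constructed for the example; the point is that the threshold tightens as code moves right, so the serious classes are stopped at development rather than discovered at a final pre-release review.

```python
"""Stage-aware security gate over SARIF scanner output.

Illustration added for this article; not code from NIST, Platform One, NGA or
any vendor it mentions. Assumes each pipeline stage's scanners emit SARIF 2.1.0
(the interchange format most SAST and dependency scanners support) and that the
pipeline calls evaluate_gate() with the stage it is about to leave. Stage
policy, accepted-risk entries and the sample report are constructed.
"""
import json

# SARIF result levels, lowest to highest.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Stages in pipeline order, as listed in the article.
PIPELINE_ORDER = [
    "development", "integration", "quality_assurance", "user_acceptance_testing",
    "staging", "preproduction", "production",
]

# Constructed policy: the lowest finding level that blocks leaving each stage.
# Early stages stop only the most serious classes so developers keep moving;
# from staging onward nothing at "note" or above may remain.
STAGE_POLICY = {
    "development": "error", "integration": "error",
    "quality_assurance": "warning", "user_acceptance_testing": "warning",
    "staging": "note", "preproduction": "note", "production": "note",
}

# Constructed accepted-risk register: a rule may pass only with a named owner
# and an expiry, so accepted risk is recorded rather than the scanner muted.
ACCEPTED_RISKS = {
    "py/clear-text-logging": {"owner": "appsec", "expires": "2021-12-31"},
}


def iter_results(sarif):
    """Yield (rule_id, level, uri, message) for every result in every run."""
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        # A result may omit "level" and inherit its rule's default level.
        defaults = {r.get("id"): r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            level = res.get("level") or defaults.get(rule_id, "warning")
            locs = res.get("locations") or [{}]
            uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
            yield rule_id, level, uri, res.get("message", {}).get("text", "")


def evaluate_gate(sarif, stage, today):
    """Return (passed, blocking): findings at or above the stage threshold that
    are not covered by an unexpired accepted-risk entry block promotion."""
    threshold = LEVEL_RANK[STAGE_POLICY[stage]]
    blocking = []
    for rule_id, level, uri, text in iter_results(sarif):
        if LEVEL_RANK.get(level, LEVEL_RANK["warning"]) < threshold:
            continue
        accepted = ACCEPTED_RISKS.get(rule_id)
        if accepted and accepted["expires"] >= today:  # ISO dates compare as strings
            continue
        blocking.append({"rule": rule_id, "level": level, "file": uri, "message": text})
    return not blocking, blocking


def first_failing_stage(sarif, today):
    """Walk the pipeline in order; return the first stage whose gate fails, or None."""
    for stage in PIPELINE_ORDER:
        if not evaluate_gate(sarif, stage, today)[0]:
            return stage
    return None


# Constructed SARIF report standing in for a SAST run on a Python service.
SAMPLE_SARIF = json.loads("""{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
      {"id": "py/sql-injection", "defaultConfiguration": {"level": "error"}},
      {"id": "py/clear-text-logging", "defaultConfiguration": {"level": "warning"}},
      {"id": "py/unused-import", "defaultConfiguration": {"level": "note"}}]}},
    "results": [
      {"ruleId": "py/sql-injection", "message": {"text": "query built from request parameter"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
      {"ruleId": "py/clear-text-logging", "message": {"text": "session token written to log"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}}}]},
      {"ruleId": "py/unused-import", "level": "note", "message": {"text": "unused import os"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}}}]}]
  }]
}""")

if __name__ == "__main__":
    for stage in PIPELINE_ORDER:
        passed, blocking = evaluate_gate(SAMPLE_SARIF, stage, "2021-06-01")
        print(f"{stage:25s} {'PASS' if passed else 'FAIL'} {[b['rule'] for b in blocking]}")
```

Run stand-alone, the sample report fails the development gate on the SQL injection finding alone, which is the shift-left outcome the section describes: the costly class is stopped at the first stage. The accepted-risk register is the caveat a practitioner wants: the clear-text-logging finding passes only while its expiry holds, and once the date passes it blocks again at the quality assurance gate, so a suppression cannot quietly become permanent.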