Jun 02 2021

What Is DevSecOps, and How Can It Benefit Federal Agencies?

DevSecOps can help agencies spot security vulnerabilities early in their software development lifecycles.

Cybersecurity is as vital an issue as ever for federal agencies, especially following President Joe Biden’s recent signing of an executive order on the topic, which pushes agencies to bolster IT security defenses on several fronts.

One way that agencies can enhance the security of their applications and systems is through the adoption of a methodology called DevSecOps, a cousin to a similar approach, DevOps. With DevSecOps, security is baked into the software and service development of an agency from the start, and security teams work hand in glove with software developers and operations teams.

DevSecOps as a practice has taken off in the private sector, but it’s just starting to be deployed in the federal government, with the Defense Department and military service branches taking the lead.

Kyle Jepson, a senior field solution architect for DevOps with CDW, notes in a recent podcast that high-performing organizations have a core tenet of bringing security earlier into the planning process of software and services. “We definitely know from research that high-performing organizations have to consider security earlier on in the software development lifecycle,” he said.

LISTEN IN: Find out how to simplify DevOps for your organization in this CDW podcast.

What Is DevSecOps?

DevSecOps integrates security into DevOps, an operational model in which operations and development engineers partner throughout the entire software or service lifecycle, from design to development to production support. DevSecOps layers in security experts to work with operations and development teams to ensure that security is considered from the start.

The General Services Administration defines DevSecOps as a “cultural and engineering practice that breaks down barriers and opens collaboration between development, security, and operations organizations using automation to focus on rapid, frequent delivery of secure infrastructure and software to production.”

DevSecOps, according to the GSA, “encompasses intake to release of software and manages those flows predictably, transparently, and with minimal human intervention/effort.”

As the National Institute of Standards and Technology notes, the goal of DevOps is to bring together software development and operations to “shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices.”

DevSecOps ensures that security is addressed in all aspects of DevOps, NIST states, “by integrating security practices and automatically generating security and compliance artifacts throughout the process.”

Why DevSecOps Practices Are Important in Government

If software development can be viewed on a timeline, left to right, where the planning phases are on the left side of the timeline and production phases are on the right, DevSecOps aims to shift security “left,” or earlier into the planning process. That helps catch security issues or flaws sooner.

“If we wait until we get into production phases and we’re ready to go live on a product, and then we go to security and we find a problem, now all of a sudden, we’ve got to walk that whole process back to the beginning to be able to address those security risks,” Jepson said.

“So, if we can architect for security at the beginning, the planning phases, if we can embed controls and visibility and tools into each phase of the software development life cycle, then ultimately what we get is higher quality products into production more quickly,” he added.

There are numerous benefits to DevSecOps, as NIST notes. They include:

  • Reducing vulnerabilities, malicious code and other security issues in released software without inhibiting software production and releases
  • Mitigating the potential impact of adversaries exploiting vulnerabilities throughout the application lifecycle
  • Addressing the root causes of vulnerabilities to prevent security issues from continuously cropping up (this can be done through actions such as “strengthening test tools and methodologies in the toolchain, and improving practices for developing code and operating hosting platforms”)
  • Reducing the friction between the development, operations and security teams to simultaneously support the velocity of the organization’s mission while using modern technologies

Nicolas Chaillan, the Air Force’s chief software officer, says the Air Force’s Platform One software development program uses DevSecOps to quickly and successfully meet mission needs. However, it requires that government users continuously learn new skills.

DIVE DEEPER: How can agencies deploy modern applications more quickly?

“When you mix agile and DevSecOps into a single construct, which should be the only way to build software in 2021, that is the only way to compete with our competitors,” Chaillan tells Federal News Network. “The biggest gap we have is we don’t invest in our people and don’t do a good job with continuous learning. Most of the technology we are using at Platform One is less than three years old. So you have to learn multiple times a day and continuously do that.”

DevSecOps also enables agencies to securely accommodate remote workers, which became a paramount concern amid the pandemic. The National Geospatial-Intelligence Agency worked with Booz Allen Hamilton to enable “development in unclassified environments and deployment into classified environments using end-to-end cross-domain pipelines,” according to a white paper from the United States Geospatial Intelligence Foundation, a geospatial intelligence community nonprofit.

“They have rapidly developed new technology, leveraged uncleared developers who were previously unable to support NGA’s mission due to clearance requirements, and ensured the low-side and the high-side environments were mirror images by employing a modern DevSecOps approach,” the white paper notes.

“With these cross-domain environments already in place, some NGA users and analysts have experienced an easier transition as those environments were repurposed to accommodate working from home,” the white paper continues. “Analysts were able to sustain cross-domain development workflows, ensuring that model development and testing that occur in unclassified environments can be seamlessly transitioned to the classified space.”

MORE FROM FEDTECH: What are the most logical use cases for DevOps in government?

DevOps vs. DevSecOps: What Are the Main Differences?

DevOps and DevSecOps are closely related, in the sense that both are focused on a continuous integration/continuous delivery (CI/CD) pipeline. The model follows key stages: development, integration, quality assurance, user acceptance testing, staging, preproduction and, finally, production.

Both DevOps and DevSecOps are processes that are highly automated and dependent on a series of platforms called tool chains that help manage the workflow. DevSecOps adds in the security component to ensure security controls are put in place throughout the development lifecycle, and that security vulnerabilities are caught from the get-go.

Kyle Jepson
We definitely know from research that high-performing organizations have to consider security earlier on in the software development lifecycle.”

Kyle Jepson Senior Field Solution Architect for DevOps, CDW

“In a standard software development process, the team moves iteratively through a variety of stages, beginning with the design of software requirements,” writes Joey Barrett, CTO of the West Coast Region for IGNW, a CDW company, and Jeff Ridgeley, a principal consultant with CDW’s cybersecurity practice, in a CDW blog post. “The process continues through the development of code, the building and testing of executables, and the release to production — ultimately leading to the code being adopted as part of ongoing operations. The DevSecOps model seeks to add security feedback loops and checkpoints to each of those activities, rather than conducting security as a late-stage, separate review.”

Organizations that “consult with security teams in the design phase of new software development projects can anticipate the threats their code will face and design defenses against those threats as a core requirement of the software, rather than as a costly after-the-fact bolt-on solution,” Barrett and Ridgeley write.

DevSecOps teams, they add, “can build enforced automated security testing directly into the development pipeline.”

“When developers submit new code for review, an automated security test process is triggered that provides them with immediate feedback on potential flaws and required fixes,” they write. “This tight feedback loop not only improves the potential risks within the code but also allows developers to learn from their mistakes and build better code in the future.”

EXPLORE: How can your agency effectively implement DevOps?

Red Team vs. Blue Team Security

In addition to employing DevSecOps, another approach agencies can take to bolster their cybersecurity defenses is to conduct red team and blue team cybersecurity exercises.

As security firm CrowdStrike notes in a blog post, in a red team exercise, the red team acts as an adversary, “attempting to identify and exploit potential weaknesses” within the organization’s defenses by using “sophisticated attack techniques.”

A red team is often composed of “highly experienced security professionals or independent ethical hackers who focus on penetration testing by imitating real-world attack techniques and methods.”

“The red team gains initial access usually through the theft of user credentials or social engineering techniques,” CrowdStrike notes. “Once inside the network, the red team elevates its privileges and moves laterally across systems with the goal of progressing as deeply as possible into the network, exfiltrating data while avoiding detection.”

The blue team’s goal is to focus on cybersecurity defense. “Typically, this group consists of incident response consultants who provide guidance to the IT security team on where to make improvements to stop sophisticated types of cyberattacks and threats,” CrowdStrike states. “The IT security team is then responsible for maintaining the internal network against various types of risk. While many organizations consider prevention the gold standard of security, detection and remediation are equally important to overall defense capabilities.”

skynesher/Getty Images