Jan 06 2023

How DevSecOps Can Help Your Federal Agency Modernize

The practice is an ideal security solution to condense development lifecycles.

DevSecOps is a practice in which security is built into an agency’s software and service development from the beginning. Adopting such a practice takes time and effort, so is it worth it for federal agencies to undertake this task? With common government pain points in mind, DevSecOps could be the smart way forward.

An IBM survey shows that governments identify security as the biggest reason to modernize their IT infrastructures. According to the same survey, nearly 70 percent of U.S. government IT decision-makers view security risks as the top barrier when migrating to modern cloud platforms. So, when federal agencies want to modernize and want to prioritize security while doing so, adopting DevSecOps accomplishes both.

A recent GitLab report highlights that DevSecOps helps agencies work through modernization challenges specific to the public sector.

“Increased imperatives for security, compliance and legal regulations, as well as acquisition laws and policies, further complicate an already ambitious — and at times, painful — undertaking, requiring a thoughtful, balanced, strategic and tactical leadership approach,” the report states.

How can DevSecOps benefit agencies, and what best practices should agencies adhere to as they make the transition?


DevSecOps Secures Modern IT Infrastructure

DevSecOps integrates cybersecurity practices at every step of the development lifecycle, from initial design and integration to deployment and software delivery. In a more traditional setup, security was integrated only at the end of the process. As Red Hat points out, this wasn’t a problem when development cycles lasted months or years. Yet, with DevOps implementation, development cycles have gone down to just weeks or even days, so keeping to the traditional way of doing things creates a bottleneck at the end of the process.

With DevSecOps, security issues are dealt with as they arise, keeping the development cycle moving. This approach saves money because security issues are addressed before they become major breaches later in the development cycle. Essentially, DevSecOps is a response to the current technological landscape and modernizes organizations by solving modern security threats.

In its DevSecOps guidance, IBM notes that DevSecOps is adaptable and lends itself to repeatable and adaptive processes. So, as organizations and their security postures mature, DevSecOps practices will keep up. This ensures security is applied consistently across the environment as the environment changes and adapts to new requirements.
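The two preceding sections describe DevSecOps as security checks that run at each stage of the lifecycle, block problems as they arise rather than at the end, and stay repeatable as the environment changes. The following is an added example, not code from the article or from GitLab, IBM or Red Hat, of how that idea is commonly expressed as a policy-as-code gate: scanner findings are normalised, compared against a per-stage severity threshold, and only time-boxed, ticketed risk acceptances may suppress a blocking finding, so exceptions expire instead of silently becoming permanent. The report format, stage names, rule identifiers, thresholds and all sample data are constructed assumptions.

```python
"""Policy-as-code security gate for a CI/CD pipeline (added example).

Models the DevSecOps pattern of running security checks at every stage and
failing the stage on findings above a threshold, with expiring risk
acceptances.  Report format, stage names and policy values are constructed
assumptions, not any vendor's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy: the minimum severity that blocks each pipeline stage.
# Later stages are stricter, so an issue is caught before it nears production.
STAGE_THRESHOLDS = {"build": "critical", "test": "high", "deploy": "medium"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str   # normalised to lowercase
    location: str   # file:line as reported by the scanner


@dataclass(frozen=True)
class RiskAcceptance:
    """A documented exception: scoped to one rule at one location, and expiring."""
    rule_id: str
    location: str
    expires: date
    ticket: str     # tracking reference so the acceptance is auditable


def parse_report(report: dict) -> list[Finding]:
    """Normalise a (constructed) scanner JSON report into Finding objects."""
    findings: list[Finding] = []
    for item in report.get("findings", []):
        sev = str(item.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            # Unknown severities are an error, not silently ignored: failing
            # closed keeps a misconfigured scanner from passing everything.
            raise ValueError(f"unknown severity {sev!r} in finding {item}")
        findings.append(Finding(item["rule_id"], sev, item["location"]))
    return findings


def is_accepted(f: Finding, acceptances: list[RiskAcceptance], today: date) -> bool:
    """True only if a matching, unexpired acceptance exists for this exact finding."""
    return any(
        a.rule_id == f.rule_id and a.location == f.location and a.expires >= today
        for a in acceptances
    )


def evaluate_stage(stage: str, findings: list[Finding],
                   acceptances: list[RiskAcceptance], today: date
                   ) -> tuple[list[Finding], list[Finding]]:
    """Split findings at or above the stage threshold into (blocking, suppressed)."""
    threshold = SEVERITY_RANK[STAGE_THRESHOLDS[stage]]
    blocking: list[Finding] = []
    suppressed: list[Finding] = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue                      # below policy for this stage
        if is_accepted(f, acceptances, today):
            suppressed.append(f)          # documented, still-valid exception
        else:
            blocking.append(f)
    return blocking, suppressed


def gate(stage: str, report: dict, acceptances: list[RiskAcceptance], today: date) -> bool:
    """Return True if the pipeline may proceed past `stage`."""
    blocking, _ = evaluate_stage(stage, parse_report(report), acceptances, today)
    return not blocking


# Constructed sample scanner output and one constructed risk acceptance.
SAMPLE_REPORT = {
    "findings": [
        {"rule_id": "SQLI-001", "severity": "critical", "location": "app/db.py:42"},
        {"rule_id": "XSS-004", "severity": "HIGH", "location": "templates/home.html:17"},
        {"rule_id": "CFG-010", "severity": "medium", "location": "deploy/config.yml:3"},
        {"rule_id": "LINT-099", "severity": "low", "location": "app/util.py:8"},
    ]
}
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("XSS-004", "templates/home.html:17", date(2023, 3, 31), "SEC-1234"),
]

if __name__ == "__main__":
    today = date(2023, 1, 6)
    findings = parse_report(SAMPLE_REPORT)
    for stage in STAGE_THRESHOLDS:
        blocking, suppressed = evaluate_stage(stage, findings, SAMPLE_ACCEPTANCES, today)
        verdict = "PASS" if not blocking else "FAIL"
        print(f"{stage:7} {verdict}: blocking={[f.rule_id for f in blocking]} "
              f"suppressed={[f.rule_id for f in suppressed]}")
```

The design choice worth noting is that an acceptance is keyed to a rule at a specific location and carries an expiry and a ticket: a blanket "ignore XSS-004" would reopen the hole in every new file, and an acceptance without an end date is the end-of-cycle bottleneck the article describes, just relocated into a config file.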


DevSecOps Best Practices for Agencies

GitLab’s report urges agencies to take lessons from their commercial counterparts when it comes to DevSecOps adoption, particularly those in regulated industries with restraints comparable to those in government.

Adopting DevSecOps requires a shift in mindset, and GitLab argues that adoption requires as much a cultural change as an operational change. The idea behind DevSecOps is that security is a shared responsibility across all teams, including development, security and IT operations. Collaboration between these teams is the key to bolstering agencies’ incident response, and everyone needs to buy in.

“Leaders must shift teams to fully adopting the culture of DevOps and embracing the spirit of continuous improvement, supported by the right technology. By realigning teams and their work — breaking down silos, eliminating handoffs and incorporating security into the development process — enterprises empower those teams to get the needed capabilities out the door quickly,” the report states.

On the operational side, engineers, operations teams and compliance teams need to work more closely than ever to ensure everyone understands the organization’s security posture and follows the same standards. IBM points out that everyone involved in the delivery process should be familiar with the basic principles of application security and testing.
