Why CISA Is Adopting Automation
At the Cybersecurity and Infrastructure Security Agency, one of the top benefits of DevSecOps has been a significant reduction in revisions, says Eugene Heim, a chief engineer in the agency’s cybersecurity division.
“Before we moved to a DevSecOps approach, it used to take a considerable amount of time for teams to go through the process of validating the security for any given product before we could promote it to production,” Heim says.
“Without fail, the process of navigating through those security gates caused significant friction, delay and frequent revisions to address any gaps or vulnerabilities that had made their way through the development pipeline,” he adds. “Sometimes, the validation process would last about as long as the development process for new features. By delivering in smaller batches, with constant security visibility for the application as it’s being developed, we’re in a much better place to deliver quickly.”
Heim says that CISA is taking an organizationwide approach in shifting to DevSecOps, adopting tools that offer automation, orchestration and containerization capabilities.
Ongoing training has been important in cementing the cultural change required for DevSecOps, but Heim says that automation tools also help reinforce this cultural shift.
“The automated processes take the human out of the loop,” he says. “If you attempt to deploy code, it must go through the requisite checks before it can be released. That automated process becomes our gatekeeper, rather than having to make sure that a person remembers to follow the process.”
As a result of these integrated, automated processes, Heim says, “the feedback loop is much faster,” allowing the agency to improve security while also speeding up deployment.
“Those are very powerful benefits,” he says.