DevSecOps helps military service branches and the Department of Homeland Security (DHS) secure software applications against flaws like the Log4j vulnerability, but prioritization remains a challenge as software development ramps up.
Approaching software development from a security-first mindset can be a difficult culture transition for some teams. A helpful tool for the Army Software Factory is the Army's DevSecOps playbook.
Hannah Hunt, chief product and innovation officer at the Army Software Factory, said the factory recently launched its fifth application.
“The process itself is that we have security advocates whose sole job is to enable the success of the application teams to understand what security controls they need to maintain in order to go to production,” Hunt said during the ATARC Securing Modern Application with DevSecOps event this week. “There’s a very tight feedback loop with security. They are developers with a security mindset so they know what needs to be built in order to be secure.”
Matthew Huston, CISO for Platform One under the Air Force, said upskilling and empowering workers to handle modern software challenges helps position the Air Force with a stronger DevSecOps posture.
“As we’ve really been taking this DevSecOps movement the last five years, we have pulled up people from just coming in being basic engineers that had tremendous talent and then put them in key leadership positions to really help further along our efforts,” Huston said. “We are also working with the DOD CIO office to establish different policies that we can push out and get the policies rewritten so they can support modern development.”
DevSecOps has changed the way agencies develop security strategies.
United States Citizenship and Immigration Services (USCIS) approached DevSecOps from several angles. First, the agency created specialized information security officers embedded in its development teams. These officers were required to have backgrounds in coding and cloud and to hold accreditations in those areas.
Shane Barney, USCIS CISO, said the agency also gave development teams the ability to initiate things on their own and empowered them to deploy.
“We had to modernize our overall approach to cybersecurity, and we needed to stop focusing on known risks and automate those out of the way and start refocusing back on things we don’t know about, like SolarWinds, Log4j — because that’s where the 'gotchas' were going to come from and that’s where we were going to hurt,” he said during the ATARC event.
Leadership buy-in can make or break DevSecOps implementation plans. At the Air Force, consistent communication between software development and security teams and upper leadership is key.
“Getting leadership that understands what’s coming through, the security people understanding the developers, but then also the developers understanding what the security controls are and that way they can actually provide meaningful mitigations and I think that’s huge,” Huston said.
Zero trust principles also play an important role in DevSecOps implementation.
Ian Anderson, lead DevSecOps engineer of secure cloud architecture and automation at the Navy, said federal agencies should think about zero trust from the perspective of the end user.
“What does it need to do, does it need to read a file or does it need the more elevated admin privileges? It’s not just, 'let’s implement this and everyone gets a key and it will authenticate,'” Anderson said. “You really have to look at it down to the permissions that these things need, so that way if something is compromised, you’re not giving away the whole network.”
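Anderson's point is that a workload's permissions should be scoped to exactly what it does (read one file, not administer the cluster), so a compromise of that workload does not hand over the whole environment. As an added illustration that is not code from the Navy or any of the agencies quoted here, the Python below assumes the workload runs on Kubernetes and checks two constructed RBAC Role manifests (already parsed into dicts, so no YAML library is needed): one over-broad role granting every verb on every resource, and one scoped to read-only access on a single named ConfigMap. The resource and verb sets it flags are an assumption about what counts as sensitive in a typical deployment.

```python
"""Least-privilege check for Kubernetes RBAC Role rules.

Added example with constructed input; not the code of any agency named in the article.
"""
from typing import Dict, List

# Constructed manifest 1: the "everyone gets a key" anti-pattern. Any pod bound to
# this role can do anything in the namespace, so one compromised pod gives away the
# whole namespace.
OVERBROAD_ROLE: Dict = {
    "kind": "Role",
    "metadata": {"name": "app-runtime", "namespace": "app"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Constructed manifest 2: the same workload scoped to what it actually needs, which is
# reading one ConfigMap. No write verbs, no wildcards, and the object is named.
SCOPED_ROLE: Dict = {
    "kind": "Role",
    "metadata": {"name": "app-runtime", "namespace": "app"},
    "rules": [
        {
            "apiGroups": [""],
            "resources": ["configmaps"],
            "resourceNames": ["app-settings"],
            "verbs": ["get", "list"],
        }
    ],
}

# Assumed policy: verbs that change state, and resources whose write access lets a
# workload escalate (read secrets, exec into pods, or edit RBAC itself).
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
SENSITIVE_RESOURCES = {
    "secrets", "pods/exec", "roles", "rolebindings",
    "clusterroles", "clusterrolebindings",
}


def rbac_findings(role: Dict) -> List[str]:
    """Return one finding string per rule that violates least privilege."""
    findings: List[str] = []
    name = role["metadata"]["name"]
    for idx, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))

        if "*" in verbs:
            findings.append(f"{name} rule {idx}: wildcard verb grants every action")
        if "*" in resources:
            findings.append(f"{name} rule {idx}: wildcard resource covers every object type")
        if "*" in groups:
            findings.append(f"{name} rule {idx}: wildcard apiGroup covers every API")
        if verbs & WRITE_VERBS and resources & SENSITIVE_RESOURCES:
            findings.append(
                f"{name} rule {idx}: write access to sensitive resource(s) "
                f"{sorted(resources & SENSITIVE_RESOURCES)}"
            )
        # A rule over concrete resources that names no objects grants access to all
        # of them; flag it so the reviewer confirms the breadth is intentional.
        if resources and "*" not in resources and "resourceNames" not in rule:
            findings.append(f"{name} rule {idx}: no resourceNames, applies to all objects")
    return findings


def is_least_privilege(role: Dict) -> bool:
    """True when the role produces no findings."""
    return not rbac_findings(role)


if __name__ == "__main__":
    for label, role in (("over-broad", OVERBROAD_ROLE), ("scoped", SCOPED_ROLE)):
        print(f"{label}: least privilege = {is_least_privilege(role)}")
        for finding in rbac_findings(role):
            print("  -", finding)
```

Running the check as part of a pipeline gate, before a manifest reaches production, is one concrete way to make the "does it need to read a file or does it need admin?" question a mechanical review step rather than a judgement call made after deployment.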
The Army and the Air Force both expect prioritization to be a major challenge in 2022.
“Radical prioritization is always a challenge,” Hunt said. “There are many fun and interesting things to do in the DevSecOps space, and you have to make sure your teams are not overwhelmed and can prioritize the workloads that will meet the users they intend to meet.”
Part of the prioritization challenge is sifting through emerging technologies and DevSecOps methods to identify ones that serve the mission.
“Prioritization is huge,” Huston said. “There are also still gaps that we’re looking to fill. We have developed many [continuous improvement] environments that are far superior to what our legacy processes were, but I think there is still more to come. I would love to see more chaos engineering and how we can automate that, more performance testing that we can embed in our different pipelines and help close the gap on some of the other feature sets that are great practices when it comes to software development.”