DevSecOps is becoming more popular as multiple agencies are using this approach to help secure software applications, develop security strategies and protect their networks from cyberattacks.
What is DevSecOps?
DevSecOps stands for development, security and operations. It is an approach often used in software development that integrates security into all aspects of the system including culture, design and automation.
DevSecOps has become an integral strategy for agencies across government, including the departments of Defense and Homeland Security, as they guard against software vulnerabilities and threats like malware.
Hannah Hunt, chief product and innovation officer at Army Software Factory, said the factory recently launched its fifth application of DevSecOps.
“The process itself is that we have security advocates whose sole job is to enable the success of the application teams to understand what security controls they need to maintain in order to go to production,” Hunt said. “There’s a very tight feedback loop with security. They are developers with a security mindset so they know what needs to be built in order to be secure.”
Benefits of DevSecOps
The General Services Administration identifies the business benefits of DevSecOps "through improved operations, reduced re-work, increased quality through automated testing and monitoring, and projects / products delivered early and often with less cycle time to the customer or end-user."
GSA leaders identified the need for continuous integration and delivery as key elements of a DevSecOps culture. In order to achieve this, experts at GSA "encourage and support frequent code check-in, version control, sensible test automation, continuous low-risk releases and feedback, often through a number of electronic tools."
DevSecOps has helped the Air Force achieve a successful IT strategy. Its own DevSecOps initiative resulted in a 90% improvement in its software delivery cycle.
“We started with a data science reference architecture that laid out all of the capabilities in a microservices format to do data science and AI projects, and our efforts in the cloud have been to simply make available to the DOD the tools industry takes for granted and combine those with DOD data sets where the ATO comes in, then enabling that for a wide variety of mission sets,” said Col. Charles Destefani, deputy chief data officer of the Air Force. “We are able to put capabilities out into the cloud within 30 to 45 days where it used to take 10 months to a year.”
United States Citizenship and Immigration Services CTO Rob Brown said that even though his IT department implemented DevSecOps successfully, there have still been several challenges.
“One of the largest challenges across the board … is really the skills, the training, ensuring folks are continuously improving in those various disciplines,” he said on the panel. “It's ongoing, and I can't stress enough that's probably the No. 1 challenge.”
The Department of the Navy believes DevSecOps plays a key role in better cybersecurity practices.
Rear Adm. Susan BryerJoyner, director of the Navy Cyber Security Division in the Office of the Chief of Naval Operations, said she’s focused on integrating cybersecurity into the Navy’s systems engineering to simplify operations.
But modernized techniques aren’t always sufficient. Sometimes you can find what you need in the data you already have, BryerJoyner said.
“The secret sauce is not in the data your tool is producing, it's in the way your tool handles the data,” she said.
DISA Director Lt. Gen. Robert Skinner believes the internal IT culture must shift from passive to active in order for federal agencies to successfully implement DevSecOps practices.
“So how do you retrain and hold people accountable for breaches of cyber rules and guidance you have out?" Skinner said. "The whole notion of, if you get an email that says ‘free’ on it, to hold back the temptation of clicking on it. I know that's hard, but the more we continue to innovate the more the culture will change.”
Which federal agencies are using the DevSecOps approach?
DOD, along with other federal agencies, is starting to embrace emerging technologies and tools in DevSecOps. Below you can view additional details on how agencies are incorporating DevSecOps:
Department of Homeland Security:
Department of Health and Human Services: