Date: On demand
Duration: 1 hour

Leading agencies are developing ways to measure secure software development and build out DevSecOps competency across the federal government, spurred on by a torrent of software security efforts called for in a White House directive.

Many agencies have developed their own DevSecOps programs in recent years, but the May 2021 cybersecurity executive order directed the entire federal government to adopt secure software development practices.

Earlier this year, the National Institute of Standards and Technology published a secure software development framework to help guide agency efforts. The White House Office of Management and Budget is also developing implementation guidance for the procurement of secure software.

The Cybersecurity and Infrastructure Security Agency is now working with OMB and NIST to develop a “whole-of-government” way to measure secure software development, according to Steve Pruskowski, the security test and evaluation federal lead at CISA.

“It’s still a work in progress, because there’s a lot of data, historical data that’s not standardized,” Pruskowski said during a July 12 panel discussion on Federal News Network. “What do we use for tooling? What do we use for measurements? What is progress, and how do we define that? So you’re kind of starting from zero in some aspects and other aspects, you’re trying to pull together historical data and make sense of it.”

Pruskowski is also working with his team and counterparts across the Department of Homeland Security to establish a community of practice specifically for application security testing. The community should help teams across the many DHS components share knowledge and best practices.

“One program may have more capabilities in that area where another program may not and how can we leverage those resources, so we can all benefit from the collective knowledge of the department,” Pruskowski said.

Angel Phaneuf, chief information security officer at the Army Software Factory, says many organizations across government are facing the challenge of introducing agile software methodologies into well-established program management practices.

“People already have the way they do project management,” Phaneuf said. “Now you have to teach them agile, those feedback loops are critical. And if you’ve never been taught how to take feedback or give feedback, it can feel very aggressive.”

At the Army Software Factory, officials have the advantage of being able to retrain soldiers in cohorts for four months at a time across different technology competencies, Phaneuf said.

The soldiers then go through a tech accelerator “boot camp” to test and further develop their skills, before they graduate to a soldier-led team that’s paired with contractors and technology experts. Eventually, the soldiers are able to work without experts.

“A big part of the reason why we do this and we have that is so that we can deploy our soldiers downrange, and they can do everything from platform engineering, software development, UX design and build an application on the battlefield for the warfighter,” Phaneuf said.

Log4j lessons learned

The Software Factory’s extensive training paid off last December when news of a critical vulnerability in the popular Apache Log4j logging utility sent the cybersecurity world scrambling. Phaneuf says the factory was able to resolve instances of Log4j across its network in less than 24 hours.

A major factor in that success was good communication, she said.

“The minute it started hitting the internet, the rumblings, before a [Common Vulnerabilities and Exposures] number was ever issued, we were already tracking it,” Phaneuf said. “I had soldiers sending me the messages. It came from developers, project managers, a UX designer that had all come from cyber backgrounds or had worked in cyber previously. So we were tracking it right from the get-go.”

Another key factor was the Software Factory’s already well-established DevSecOps processes, in which deploying fixes, patches and updates to applications is commonplace.

“Make sure that your developers know how to push and make sure it’s something that you do very frequently, because that will be your key when you have to get something out the door immediately,” Phaneuf said. “It feels like muscle memory for our developers. They were able to just continue to do what they always do, and get that push because it was something that they do all the time.”

A public-private Cyber Safety Review Board is now compiling a report on lessons learned from the Log4j vulnerability. Peter Chestna, chief information security officer for North America at Checkmarx, says organizations can learn a lot about their software security maturity by taking a hard look at how they respond to incidents like Log4j.

“If you think about measuring your own maturity, take a look at how things start and how things end, and where these run books come from and these playbooks, because if they are coming from developers, that means your developers are hyper aware and ready to go,” Chestna said.

Join this session to learn:

  • How to build collaboration between app dev and security
  • Best practices from civilian agencies, DOD and commercial organizations
  • How to enable better security outcomes with DevSecOps


Speakers

Angelica Phaneuf

Chief Information Security Officer, Army Software Factory

Steven Pruskowski

Security Test & Evaluation Federal Lead, Cybersecurity and Infrastructure Security Agency

Peter Chestna

Chief Information Security Officer, North America, Checkmarx

Justin Doubleday

Reporter, Federal News Network
