The Defense Department already has 29 software factories that are promoting the use of development, security and operations (DevSecOps) processes.
Two new memos from February aim to bring some additional standardization around the development of software and how the military services and defense agencies continually secure those applications.
The next piece of this digital transformation puzzle is the use of containerization and microservices, said Mike Libutti, senior partner and vice president, defense industry leader, at IBM.
With DoD moving more into commercial cloud services and keeping on-premises data centers, the combination of DevSecOps, containers and microservices will give the military services and defense agencies the best path to remaining agile, being able to scale and keep data secure, Libutti said.
“Containers have certainly increased rapidly in the development space over the past couple of years. There are some key attributes and some key benefits that you’re deriving from the use of containers,” Libutti said during a discussion at Federal News Network’s second annual DoD Cloud Exchange.
“First is the creation, portability and flexibility of workloads that you can move across multiple clouds and on-premise data centers. I think that’s an important piece because a lot of offerings today are looking to spin up containers within a particular cloud,” he added. “But the reality is we’re going to live in this complex cyber landscape. So you’re really going to need containerization capability that’s going to sit across the entirety of the entire ecosystem.”
Containers make it easier to modernize legacy applications by leaning on the microservices approach, Libutti said.
“It really will set you up for the future, modernization aspects such as refactoring of those particular applications,” he said. The speed and flexibility of containers in the cloud are unparalleled, especially as DoD’s needs are ever evolving.
Shared service model as launch point for containerization
Trista Colbert, senior partner and vice president for hybrid cloud services for the federal sector at IBM, said one way to kick-start the move to containers is through a shared service model like the Air Force’s Platform One, the Army Software Factory or a container-as-a-service offering from industry.
“Basically it’s a capability that allows you to very quickly deploy your applications using container technology and then get on with the build out and deployment processes that come after that,” Colbert said. “Then, ultimately, you get to a point where you’re really comfortable managing those new applications or existing and enhanced applications.”
Changing the way DoD manages and modernizes applications over the last five years has required a significant culture shift. The workforce continues to adjust to this new mindset. The acquisition process still must evolve to support iterative and agile development processes. And, of course, the owner of the mission must expand involvement in development efforts.
“The real power of employing that model has really been around being able to get your development team very closely aligned with the security team and the operations team,” Libutti said. “They are involved much earlier in the whole solution delivery lifecycle, so that’s why you want to be going after the DevSecOps model and then tying in the point around the containerization.”
The DevSecOps approach with containers and microservices also lets developers take advantage of DoD’s new continuous authority to operate (ATO). The ATO memo from February allows for an IT security approvals process that acknowledges the realities of modern software development and cyberthreats.
DevSecOps helps agencies deal with current and emerging cyberthreats and reduces the ability of developers to create new vulnerabilities as they modernize applications, Libutti said.
“You’re going to need to really look at that shift left paradigm in DevSecOps when you are baking security in up front. You’ve got a situation now where you’ve got predefined gates where you’re actually testing your security posture at those stages,” he said. “Now you’re really relying on the data from those tests and plowing that back into the front end of the development process. So, in turn, you’re identifying these issues earlier and then you’re correcting them early, so that at the end of the day, you’ve got a more robust, more secure capability.”
The value of the ‘secure by design’ approach
Colbert said what all of this is leading to is the concept of “secure by design” services, which many experts say should be the future of software development.
DevSecOps, containerization and microservices will make things easier for DoD as it remains in a hybrid cloud posture for the foreseeable future, she said.
“Leaders are really focusing on ways to truly maximize the value of cloud and what it takes to be successful with hybrid cloud. I definitely believe that there are ways to leverage different ways of working, much more automation, using a managed services delivery model as a real way to deliver new technology,” Colbert said. “Then, optimize your applications and cloud models once you’ve deployed those technologies around two key points: cost and performance. Both are really important.”
To listen to and watch all the sessions from the 2022 Federal News Network DoD Cloud Exchange, go to the event page.