In some ways, software development in federal agencies has entered a second generation. The waterfall methodology, preceded by a long list of detailed requirements, is rapidly giving way to the agile method. Supported by U.S. Digital Service and the General Services Administration’s 18F group, agency CIOs and program managers are looking for frequent roll-outs of proven pieces of functionality that are bug free and meet user needs.
DevOps overlays agile development. It brings a factory quality to application development by automating many of the software lifecycle functions. DevOps frees developers, testers, quality control people and process owners from a series of tasks leading to authority to operate. Even ATO itself can be automated with the right DevOps approach.
So the current mode of development looks something like this:
Idea for an application
Develop it using contemporary methodologies
Deliver software people will use
Add security to ensure it is cyber safe.
Early cycle cyber
Why wait until after software is deployed to add in cybersecurity? Given the gigantic shadow that cybersecurity concerns cast over federal IT, it may be an exaggeration to say CIOs regularly oversee deployment of unsecured software. In fact, at conference after conference, federal IT people urge their peers to get with a program of building security inherently into software.
The more common scenario involves checking for cyber before greenlighting software for authority to operate. But even this order of events is less than ideal because it can potentially delay deployment or integration of software components.
A better approach to ensuring cybersecurity in new applications moves cyber-coding back into development operations. The emerging term augments DevOps with another syllable to produce DevSecOps. More than wordplay, DevSecOps implies a way of thinking. It values the addition of cybersecurity coding and testing as part of a DevOps operation, subject to the same automation as the other development steps.
Moreover, DevSecOps gives technical teams a platform for security functions that can be reused, plugging them into scrum modules as they’re produced. Because cyber is inherent, the automation platform controlling the DevOps, or DevSecOps, gives managers greater visibility into code security than if security is added later.
Another benefit is that by “shifting cybersecurity left” to earlier stages of development, cyber becomes a less expensive proposition than adding and testing after initial release. Putting the “Sec” in DevOps means security is integral to the faster and more reliable release schedule, rather than a serial process slowing it down.
DevSecOps cuts costs
A DevSecOps approach engenders greater reuse of software, including security functions. Many development organizations incorporate containerization of specific, or micro, services into their DevOps. This allows the inclusion of security functions such as privileged access controls or two-factor authentication routines during application coding. They don’t need to be re-developed for each application.
When developing other functions, a product like CA Veracode can help agency IT shops take their DevOps to the DevSecOps level. This security scanning platform verifies code according to the organization’s security requirements as code is developed and tested. It works across a wide spectrum of development languages, and it can give added assurance when using open-source components.
Such a tool also fits into the DevSecOps model in that it generates reports useful from the developer level to the program management suite. Those who end up answering GAO reports or testifying to congressional overseers can speak with confidence about their FISMA compliance and their actual state of cybersecurity.
Agencies in the DevSecOps mode continuously develop and integrate new applications. They don’t pass finished code over to security, but rather work security early into the development process. Issues are flagged and corrected before compiling and deployment. Investment to put the “Sec” in DevSecOps now ultimately helps avoid the kinds of breaches later that no agency can afford.
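The pipeline gate described above, where scan results are checked against the organization’s security requirements and the build is blocked before deployment, as an added illustration. This is example code, not from the article and not CA Veracode’s or any vendor’s tooling; the JSON findings layout, the severity thresholds in `DEFAULT_POLICY`, and the sample findings are all constructed for the example.

```python
"""Security gate for a CI/CD pipeline: parse a scanner's findings report,
compare open findings against the organization's policy, and fail the build
when the policy is exceeded. The report schema and thresholds below are
assumptions made for this example, not any real scanner's format."""
import json
import sys
from collections import Counter

# Constructed sample report, in the shape a scanner might emit after a build.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "high", "cwe": "CWE-89",
         "file": "app/db.py", "line": 42, "status": "open"},
        {"id": "F-2", "severity": "medium", "cwe": "CWE-79",
         "file": "app/views.py", "line": 17, "status": "open"},
        {"id": "F-3", "severity": "low", "cwe": "CWE-798",
         "file": "app/cfg.py", "line": 3, "status": "mitigated"},
        {"id": "F-4", "severity": "high", "cwe": "CWE-22",
         "file": "vendor/lib.py", "line": 88, "status": "open"},
    ]
})

# Policy: maximum number of open findings tolerated per severity before the
# build is blocked. Hypothetical thresholds chosen for the example.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5, "low": 50}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def load_findings(report_text):
    """Parse the JSON report and keep only findings that are still open;
    findings already mitigated do not count against the gate."""
    data = json.loads(report_text)
    return [f for f in data.get("findings", [])
            if f.get("status", "open") == "open"]


def count_by_severity(findings):
    """Tally open findings per severity, always reporting every level."""
    counts = Counter(f["severity"].lower() for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def evaluate_gate(report_text, policy=DEFAULT_POLICY):
    """Return (passed, violations, counts). Each violation is a tuple
    (severity, open_count, allowed_limit) for a level above its threshold."""
    counts = count_by_severity(load_findings(report_text))
    violations = []
    for sev in SEVERITY_ORDER:
        limit = policy.get(sev)
        if limit is not None and counts[sev] > limit:
            violations.append((sev, counts[sev], limit))
    return (len(violations) == 0, violations, counts)


def developer_lines(findings):
    """Per-finding lines a developer can act on, most severe first."""
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    ordered = sorted(findings, key=lambda f: (
        rank.get(f["severity"].lower(), len(rank)), f["file"], f["line"]))
    return [f"{f['file']}:{f['line']} [{f['severity']}] {f['cwe']} ({f['id']})"
            for f in ordered]


def management_summary(counts, passed):
    """One-line summary suitable for a program-level dashboard."""
    detail = ", ".join(f"{sev}={counts[sev]}" for sev in SEVERITY_ORDER)
    return f"gate={'PASS' if passed else 'FAIL'} open findings: {detail}"


if __name__ == "__main__":
    # In a pipeline the report would be read from the scanner's output file;
    # here the constructed sample stands in for it.
    passed, violations, counts = evaluate_gate(SAMPLE_REPORT)
    print(management_summary(counts, passed))
    for line in developer_lines(load_findings(SAMPLE_REPORT)):
        print("  " + line)
    for sev, n, limit in violations:
        print(f"policy violation: {n} open {sev} finding(s), limit {limit}")
    # A non-zero exit is what stops the pipeline before deployment.
    sys.exit(0 if passed else 1)
```

Wired into a pipeline stage, the non-zero exit status is what turns "security reviews the finished code" into "the build does not proceed until the findings are fixed or formally mitigated"; the thresholds live in one place so the policy can be tightened as the backlog of open findings shrinks.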