How DevSecOps helps agencies make small changes that add up
January 28, 2020 3:52 pm
4 min read
This content is provided by Presidio.
Retail websites like Amazon and popular mobile applications like Uber are constantly being updated with new features and changes. That’s changing the public’s expectations for digital applications and services, and federal agencies are left trying to keep up.
“That’s why they’re looking at transformative technologies such as cloud, DevOps platforms, containers, Kubernetes, those kinds of innovative technologies that are coming from industry,” Manny Evangelista, digital solutions architect at Presidio, said. “Those kinds of technologies are really transforming how the government delivers on their mission. Because when you extrapolate that to the Air Force, and you have fighter jets, what is the best way to constantly have air supremacy and air dominance? You have to have the most innovative up-to-date software when it comes to our foreign adversaries like China or Russia.”
Federal agencies can accomplish that by leveraging agile principles and best practices from industry, capturing those principles through automation, and treating security as a first-class citizen. That means getting security involved in application development from the beginning, rather than handing the security team completed software and telling them to secure it.
“In the federal space, this means understanding what are going to be roadblocks down the line, traditionally with normal application development,” Brad Sollar, digital business development manager at Presidio, said. “DevSecOps methodology is also implementing automation and infrastructure as code, so that when you do actually have vulnerabilities, as everyone will, you have the ability to understand what your environment is, and how to remediate it through automation.”
Implementing this at a federal agency often requires education, or even reeducation, because it’s so different from the legacy way of doing things. But the people who first get on board with DevSecOps are the ones who want to make a difference, Sollar said.
“The great thing about these changes is that they’re very iterative,” Evangelista said. “Small changes can make a big difference, and trying to find low hanging fruit, trying to be as efficient with time, finding better ways to automate security, those small changes all always add up to big changes. And those big changes could be transformative for an agency.”
For example, Evangelista said he used to work at the Department of Homeland Security. When DHS is trying to vet millions of people coming across the border each day to screen out the bad actors, milliseconds matter.
And the main way to save that time, again, is to get security involved from the beginning. Initially, agencies want security to have input on what’s known as a “golden image.” This could be a virtual machine, a container, or some other kind of package where everybody has agreed that it’s a secure, accredited, tested image. Then they can give that to developers as a baseline, and essentially provide guardrails for development going forward.
“When you can actually have these gold disk images as pre-accredited, pre-approved packages, it’s really going to cut down the time it takes for you to go through to get your accreditation packages done,” Sollar said. “So what this helps to do is now build from the secure foundation.”
These accreditations are usually based on the National Institute of Standards and Technology’s 800 series, a set of technical controls everyone has to meet. Traditionally these controls have been met manually through a long spreadsheet process, which makes them ripe targets for automation.
“You can now write scripts and use certain tooling that will automatically create those hardening fixes, which can also help you then generate documentation at the same time,” Sollar said. “There’s actually some open source products out there, like OpenControl, that can help create documentation as well. And that’s really going to help to meet any agency specific authority to operate package that they have to meet.”
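The pattern described in the last few paragraphs, a pre-approved baseline whose controls are checked, fixed and documented by script rather than by spreadsheet, can be sketched in a few dozen lines. The following Python is an added illustration, not Presidio's code and not OpenControl or any other tool the article mentions. The control identifiers (IA-5, AC-7, AU-12, SC-8, AC-6) are real NIST SP 800-53 control numbers, but the setting names, thresholds, the mapping of settings to controls, and the sample image configuration are all constructed for the example.

```python
"""Compliance-as-code sketch: check a candidate image's settings against a
hardening baseline, produce the remediation for each failure, and generate
the evidence text an accreditation package would cite.
Added illustration; not Presidio code. Settings, thresholds and the sample
config are constructed; the control IDs are from NIST SP 800-53."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Control:
    control_id: str            # NIST SP 800-53 identifier, e.g. "IA-5"
    title: str
    setting: str               # config key this check inspects (constructed)
    check: Callable[[str], bool]
    remediation: str           # value to write when the check fails
    rationale: str


@dataclass
class Finding:
    control_id: str
    setting: str
    observed: Optional[str]    # None when the setting is absent from the image
    passed: bool
    remediation: Optional[str] = None


# Illustrative baseline: which settings satisfy which controls (constructed).
BASELINE = [
    Control("IA-5", "Authenticator management", "password_min_length",
            lambda v: v.isdigit() and int(v) >= 14, "14",
            "Passwords must be at least 14 characters."),
    Control("AC-7", "Unsuccessful logon attempts", "max_failed_logins",
            lambda v: v.isdigit() and int(v) <= 5, "5",
            "Lock the account after at most 5 failed attempts."),
    Control("AU-12", "Audit record generation", "audit_enabled",
            lambda v: v.lower() == "true", "true",
            "Auditing must be on so events are recorded."),
    Control("SC-8", "Transmission confidentiality", "tls_min_version",
            lambda v: v in {"1.2", "1.3"}, "1.2",
            "Only TLS 1.2 or later may be negotiated."),
    Control("AC-6", "Least privilege", "permit_root_login",
            lambda v: v.lower() == "no", "no",
            "Direct root login must be disabled."),
]

# Constructed sample: settings captured from a candidate image.
SAMPLE_CONFIG = """
# candidate image settings (constructed)
password_min_length = 8
max_failed_logins = 10
audit_enabled = true
tls_min_version = 1.0
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    config: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        config[key] = value
    return config


def evaluate(config: dict[str, str], baseline=BASELINE) -> list[Finding]:
    """Run every control check; a missing setting counts as a failure."""
    findings = []
    for c in baseline:
        observed = config.get(c.setting)
        passed = observed is not None and c.check(observed)
        findings.append(Finding(c.control_id, c.setting, observed, passed,
                                None if passed else c.remediation))
    return findings


def remediate(config: dict[str, str], findings: list[Finding]) -> dict[str, str]:
    """Return a copy of the config with the baseline value applied to each failure."""
    fixed = dict(config)
    for f in findings:
        if not f.passed and f.remediation is not None:
            fixed[f.setting] = f.remediation
    return fixed


def evidence_report(findings: list[Finding], baseline=BASELINE) -> str:
    """Plain-text evidence, one line per control, for the accreditation package."""
    titles = {c.control_id: c.title for c in baseline}
    lines = ["Control evidence for candidate image"]
    for f in findings:
        status = "PASS" if f.passed else "FAIL"
        observed = f.observed if f.observed is not None else "<not set>"
        line = f"{status} {f.control_id} {titles[f.control_id]}: {f.setting}={observed}"
        if not f.passed:
            line += f" (remediate to {f.remediation})"
        lines.append(line)
    failed = sum(1 for f in findings if not f.passed)
    lines.append(f"{failed} of {len(findings)} controls need remediation")
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    results = evaluate(cfg)
    print(evidence_report(results))
    print(evidence_report(evaluate(remediate(cfg, results))))
```

Running the script prints the evidence for the candidate image first (four of the five controls fail, one because the setting is absent entirely) and then the same report for the remediated copy, where every control passes. The point of the structure is that the check, the fix and the documentation come from one definition of each control, so a change to the baseline updates all three at once.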
But technology in and of itself is not the point of DevSecOps. It’s about changing the people and processes to make better use of the technology, and deliver it faster. That’s why there’s no one set solution that works for every agency. Instead, Sollar said, Presidio helps a federal agency come to grips with how it’s operating and what it needs, and then helps it develop a plan to get there.
“We’re able to see what skill sets the customer already has, what some of their compliance regulations they have to abide by, whether they’re on-prem or in the cloud, a lot of the factors we can take in and then help build an optimal solution for them that isn’t going to become shelfware,” Sollar said.