The Federal Aviation Administration has more than 700 applications that support its mission, from human resources and finance to aircraft safety. It’s been working to leverage DevSecOps for those applications, though it hasn’t gotten to all of its legacy apps yet. Sean McIntyre, director of FAA’s Solution Delivery Service, said they have great portfolio insight due to following the Chief Information Officers Council’s application rationalization playbook. But there was initially some confusion about what it meant for an application to be on the DevSecOps tool chain.
“When I first came to the FAA in 2018, I was told that 80% of our legacy apps were on the DevSecOps tool chain, which sounded pretty great,” he said on Federal Monthly Insights – Securing Containerized Applications. “But when I dug deeper, it became clear that my teams thought that merely using our code repository qualified for being on the tool chain. And given that criteria, it wasn’t so great. So we adopted a very clear definition of what constitutes tool chain integration by turning to the Heroku 12-factor app model. And we identified four minimum factors directly related to tool chain integration. And then we created a repeatable process we call ‘four factoring’ an app. And since then we’ve made a lot of progress applying DevSecOps, even to our legacy portfolio.”
This enables security governance to be built into the tool chain. The platform handles logging, monitoring and sending everything to the security operations center. It also performs automated vulnerability scans, because McIntyre said they want the platform to handle as much as possible, so the developers don’t have to worry about it.
McIntyre said many of FAA’s applications are in the cloud in legacy form; he said they’re primarily focused on refactoring them for containerization while leaving them monolithic. Containerizing abstracts the business logic from the operating system and makes the applications more portable. He said the primary goal is to enable mobility between different hyperscale cloud environments, or even between cloud and on-premises infrastructure. He wants applications to be able to run wherever they make sense.
Toward that end, FAA is building a container-specific DevSecOps pipeline so that the dev experience is the same, and the workloads can be moved wherever they’re needed.
“The challenge with containers is there’s really no place to put an endpoint detection and response agent on the container itself,” McIntyre told the Federal Drive with Tom Temin. “And so we’ve invested in tools that are able to scan, in real time in production, the containers while they’re running. So it is a special case with containers once it’s in production, because you’re not going to put something right on it.”
McIntyre said he’s primarily concerned about the supply chain of the containers FAA uses. If they accept a container image from somewhere else, they don’t always know what’s in it. FAA uses tools to ensure container images come only from trusted sources, and scans them continuously. That way they can inject their own code into clean, hardened base containers rather than accepting complete packages that may be compromised.
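The “trusted sources only” rule described above, as an added example that is not FAA tooling: an admission-style check that parses a container image reference and accepts it only if it comes from an allowlisted registry and is pinned by an immutable digest rather than a mutable tag. The registry names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical allowlist of registries the organization controls
# (an assumption for this example, not the FAA's actual configuration).
TRUSTED_REGISTRIES = {"registry.example.gov", "hardened.example.gov:5000"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI image reference into registry, repository, tag and digest.

    Follows the docker/distribution convention: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise the
    image lives on Docker Hub (docker.io), and a bare name gets 'library/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path
    tag = None
    # A ':' after the last '/' separates the tag; registry ports were stripped above.
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return ImageRef(registry, path, tag, digest)


def admission_check(ref: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for an image reference under the trusted-source policy."""
    img = parse_image_ref(ref)
    if img.registry not in TRUSTED_REGISTRIES:
        return False, f"untrusted registry {img.registry!r}"
    if img.digest is None:
        return False, "image is not pinned by digest (mutable tag)"
    if not DIGEST_RE.match(img.digest):
        return False, f"malformed digest {img.digest!r}"
    return True, "ok"
```

In a real pipeline this check sits at the admission controller or CI gate, so that a scanned, digest-pinned image is the only kind that can reach production.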
“I’ve always said that the culture of an organization reflects its mission, and the FAA needs to be meticulous in their mission. And that’s the culture of the agency,” McIntyre said. “And a lot of times it seems like the FAA is slow to move forward. But it’s because they’re thinking about it, they want to make sure that the moves and decisions that they make are the right ones. But once they make them, they really get going on it.”
Daisy Thornton is Federal News Network’s digital managing editor. In addition to her editing responsibilities, she covers federal management, workforce and technology issues. She is also the commentary editor; email her your letters to the editor and pitches for contributed bylines.