NASA runs on software, as do many federal agencies. Rockets are what the agency is known for, sure, but controlling them, interpreting data, and even handling human resources and finances all require software. Currently, NASA has over 1,000 software features in development using agile.
“We’ve been on a journey to embrace the agile mindset. And as part of this journey, we have adopted that Scaled Agile Framework for Lean Enterprises or SAFe as part of the software system development lifecycle, SDLC,” said Shenandoah Speers, NASA’s director of application and platform services in the office of the CIO for Federal Monthly Insights – Securing Containerized Applications. “And SAFe has really helped us align our strategy to execution, providing a mechanism to visualize the workload that we have, prioritize that workload and a backlog, understand the capacity of our teams to consume that workload, and then be able to deliver value incrementally, and also provides us a way to get fast feedback from our stakeholders and our business partners through system demos, and program increment planning events.”
Speers also said that his team has created a DevSecOps pipeline platform that allows them to do on-demand continuous integration and continuous deployment, utilizing containerization to automate the build, security scanning and deployment process.
Cybersecurity is also important to NASA. And a lot has changed in that area over the last decade to make sure that cybersecurity is part of what Speers’ team releases.
“We’ve kind of shifted our cybersecurity to the left … where we try to automate the security scanning at the beginning of the software development, and allows our software developers to get a better understanding of those security vulnerabilities ahead of time,” Speers said on Federal Drive with Tom Temin. “And so we’ve done that; all of our code and the associated configuration of the code is stored in through Git repositories. And they include built-in triggers to build the process, as well as to do static application security testing, and an auto deployment of the image and through a development environment … [O]nce the developer is ready, these images are then submitted through the deployment phase of the pipeline, and then go through the dynamic application security testing. And that’s performed, as well as auto deployment in through our staging environment. And then once all of that is successful, it is finished, it’s deployed to a production environment.”
As automation becomes more and more prevalent in software development, NASA still wants to have humans involved in some cases.
“We also support human in the loop. So as we go through this pipeline that we’ve developed, some of our stakeholders still want humans to be in that loop, right. And so we do support human in the loop, as well as the fully automated deployment of the pipeline,” Speers said.
Like automation, open source is also prevalent. A concern some share is that open source software can be insecure. But Speers said the opposite is true.
“One good thing about open source is typically it is very secured, right, because you’ve got multiple people reviewing it and looking at it,” he said. “And so we do utilize that open source, and we ensure that the open source is secured itself.”
Finally, NASA has a long, storied history, meaning that there is some legacy code that needs to be taken care of.
“NASA has been around for a long time, right? So we do have quite a bit of legacy code on older platforms,” Speers said. “And we are in that process of doing what they call application rationalization, right? Where you rationalize these applications, and to take care of the technical debt within that. And one of that is these containerization is to be able to convert it to run on these platforms.”