Supporting an application only after its release isn’t enough to keep it secure. Security must be top of mind throughout an application’s development. That is core to the model of DevSecOps. And it’s also an important principle for federal agencies to bear in mind when making acquisition decisions, said Greg Touhill, a former federal chief information security officer.
“In the past, we’ve seen security relegated as an add-on by the requirements team and the folks who are doing acquisition,” Touhill said during an interview for Federal Monthly Insights – Securing Containerized Applications. “Security was never articulated upfront as a requirement in most government organizations. Ever since, we’ve seen some very active activities involving nation state actors, as well as organized criminal groups, targeting government systems in particular.”
Trends in the space have moved to more and more customers wanting security to be a major consideration throughout the development process. This has led to changes in how developers build applications.
“We’re seeing folks saying, ‘Hey, we need to be incorporating security in our software acquisition, as well as development.’ So, there’s a great deal of emphasis now on including security upfront as a requirement. And as a result, I think that folks who are incorporating DevSecOps as part of their software development process are discovering that independent of the platforms that are out there, you’re getting a better product that’s going to require less maintenance, because it in fact has a disciplined engineering process behind the development of the code,” said Touhill, who is now director of the CERT division at Carnegie Mellon University’s Software Engineering Institute. “It’s less art than science. And in the past, we would just basically have folks do a lot of artistic work in software, but without the engineering rigor. Now we’ve got the engineering in place with DevSecOps.”
Containerization is an important part of the security piece when developing applications. Touhill said that containerization done correctly can make a system more mature and lower costs while accelerating operational capabilities. He said that an administrator can spin up a virtual machine, set up containers to run specific processes and, when they are no longer needed, tear the environment down electronically, saving time and money by removing the need to buy a big new computer.
“It’s very exciting. And the fact of the matter is, we see more and more folks investing in the security of containerization and the applications that are running within them,” Touhill said.
Touhill said that complexity is antithetical to security, meaning that systems should be simple to use for the intended user.
“When it comes to implementing these technologies, we want the complexity to be put on the back of the folks who are trying to attack us, not on the folks that are trying to leverage the technologies,” Touhill said.
Containerization, according to Touhill, helps accomplish that simplicity goal by improving the user experience. But he also said that there is a lot of progress still to be made in improving that user experience.
“As you take a look at the complexity and the impacts of complexity, I think we still have a ways to go,” Touhill said. “Because there is a measure of complexity, particularly with trying to interface and bind together all the different types of technologies and different products, you almost get if you are going to pick a container, you only can pick one without having some unique interface issues if you were using multiple containers simultaneously. And you still can use multiple types of container technologies. It just increases the degree of difficulty for the operators that are trying to get things done.”
Today, Touhill and his team are looking to continue innovating in the realm of DevSecOps.
“It was one of our teams, taking a look at the firmware on a chip that’s out there, being able to detect whether the firmware on the chip has been altered or corrupted in the manufacturing or distribution process,” Touhill said. “So, we’re going below ring zero and onto the chip level. We’re also doing some really interesting research taking a look beyond just enterprise IT as more and more connectivity occurs. Enterprise IT is not the sole definition of your cyber ecosystem, because you’ve got industrial control systems, operational technology, Internet of Things, and spectrum-enabled devices like your cell phones and mobile devices.”
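The firmware-integrity idea Touhill describes, detecting whether an image was altered somewhere between build and deployment, reduces in its simplest form to comparing per-region digests of a dumped image against a manifest recorded at build time. The following is an added illustration written for this page; it is not code from CERT or the SEI and says nothing about how their team actually inspects chips. It assumes a flat firmware blob with fixed-offset regions (bootloader, application, config) and a trusted SHA-256 manifest; the sample image, region table and tampering helper are all constructed here.

```python
"""Firmware-region integrity check against a known-good manifest.

Added example (not from the article or the SEI). Assumptions: the firmware
image is a flat byte blob with fixed-offset regions, and the known-good
SHA-256 digests per region come from a manifest produced at build time and
stored somewhere the attacker cannot rewrite along with the image.
"""
import hashlib
import hmac

# Constructed region table: name -> (start offset, end offset) in the image.
REGIONS = {
    "bootloader": (0, 64),
    "application": (64, 192),
    "config": (192, 256),
}


def build_sample_image() -> bytes:
    """Deterministic, constructed stand-in for a flash dump (256 bytes)."""
    return bytes((i * 7 + 3) % 256 for i in range(256))


def region_digests(image: bytes, regions: dict) -> dict:
    """Compute the build-time manifest: SHA-256 hex digest per named region."""
    return {
        name: hashlib.sha256(image[start:end]).hexdigest()
        for name, (start, end) in regions.items()
    }


def verify_image(image: bytes, manifest: dict, regions: dict) -> list:
    """Return the names of manifest regions that fail verification.

    A region fails if its digest differs from the manifest, if the manifest
    names a region the region table does not know, or if the region's bounds
    run past the end of the (possibly truncated) image. An empty list means
    every region listed in the manifest matched.
    """
    findings = []
    for name, expected in manifest.items():
        if name not in regions:
            findings.append(name)  # manifest/region-table mismatch
            continue
        start, end = regions[name]
        if end > len(image):
            findings.append(name)  # image shorter than the region it claims
            continue
        actual = hashlib.sha256(image[start:end]).hexdigest()
        # Constant-time comparison; cheap insurance even for hex digests.
        if not hmac.compare_digest(actual, expected):
            findings.append(name)
    return findings


def unverified_ranges(image: bytes, regions: dict) -> list:
    """Byte ranges of the image that no region covers and so never get checked.

    A manifest that passes but leaves gaps is a weaker guarantee than it looks;
    this helper makes those gaps visible to the reviewer.
    """
    covered = sorted(regions.values())
    gaps, cursor = [], 0
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(image):
        gaps.append((cursor, len(image)))
    return gaps


def tamper(image: bytes, offset: int, value: int) -> bytes:
    """Constructed helper: return a copy of the image with one byte changed."""
    buf = bytearray(image)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    golden = build_sample_image()
    manifest = region_digests(golden, REGIONS)
    print("clean image:", verify_image(golden, manifest, REGIONS))
    print("one byte flipped in application:",
          verify_image(tamper(golden, 100, 0xFF), manifest, REGIONS))
    print("truncated image:", verify_image(golden[:200], manifest, REGIONS))
    print("unverified ranges:", unverified_ranges(golden, REGIONS))
```

The design point worth noticing is that the check is only as trustworthy as the manifest's provenance: if the manifest ships alongside the image through the same supply chain, an adversary who can rewrite one can rewrite both, so in practice the digests are signed or held out of band. The `unverified_ranges` helper exists because a clean result over a manifest with coverage gaps says nothing about the bytes in those gaps.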