Sponsored by Four Inc. and IBM

Platform One looks to enhance, build on software factory services

The Air Force’s Platform One is accelerating modern software development for the Defense Department.

The Air Force’s Platform One program has a well-established role in bringing “DevSecOps” software development to the Defense Department.

Now the program is focusing on enhancing its existing services, while expanding its secure software development work into more sensitive data environments.

Platform One’s core offerings include “Iron Bank,” a secure repository of hardened container images. Maj. Matthew Jordan, chief of product for Platform One, describes Iron Bank as the “Lego bricks” needed to build modern software. That includes hardened applications, continuous monitoring, vulnerability scanning and regular updates.

“We ensure that we’re patched within our repository, and all of our downstream consumers are able to easily receive the cybersecurity benefits,” Jordan said on Federal News Network. “You’re getting a lot of economies of scale there.”

Iron Bank is primarily accredited for less sensitive unclassified information. But Jordan said Platform One is working to get Iron Bank accredited for controlled unclassified information (CUI) as well as for classified information.

That work is detailed in Platform One’s new product roadmap, which lays out the program’s plans for various offerings and services, including “Big Bang,” its continuous integration and continuous delivery/deployment (CI/CD) platform, and the “Party Bus” platform-as-a-service.

Platform One’s zero trust approach

Platform One also provides a “cloud native access point (CNAP)” for accessing the software factory’s various services in a secure manner. Jordan said CNAP was “born out of necessity” in the early days of Platform One, as it sought to work with software vendors, including nontraditional defense vendors, to establish its agile software development platform.

“How do you ensure that you’re still being secure and accessing things that may be coming from the Internet, or via contractor’s workplace or from their home as opposed to in a secure facility on a base?” Jordan explained. “So CNAP allows you to do the device compliance checks, so that you get a lot of attributes about the device itself, as well as understand who the user is, and get a lot of attributes on that user, and then make risk decisions as to ‘Okay, based on what we’re seeing today, you only get access to a certain subset of resources.’”

The capability allows each application owner behind the access point to “set their policies dynamically and make informed risk decisions, or accept the risk if they’re willing to, or mitigate the risk that they want to,” Jordan added.

CNAP is a key piece of Platform One’s zero trust security architecture, which also includes macro segmentation using a software-defined perimeter, Jordan said. Internally, Platform One also uses service meshes to ensure segmentation between individual applications, as well as continuous logging and monitoring.

“And that runtime security so that you can understand when something is going wrong or something’s attempting to do something that it shouldn’t, and then dive deeper for that root cause analysis,” Jordan said.

Platform One is also collaborating with other Air Force organizations on an application programming interface (API) reference architecture document. Jordan said that document is currently in draft.

“Data is king, and it’s crucial that we don’t allow data to just be put into a silo,” he said. “We need to be able to share that data. And API is definitely one way to enable that data flow. So we need to focus on providing those standards for application programming interfaces, software development kits, data fabrics, all that kind of stuff to the developers. So they can quickly focus on developing features for their applications, as opposed to focusing on interfaces.”

Copyright © 2024 Federal News Network. All rights reserved.
