The Department of Defense is rethinking the way it approaches software and systems development in its technology programs, using more flexible methods to streamline the process and improve cybersecurity from the start.
Since DOD’s traditional program development processes lack the speed and flexibility to keep up with rapid technological change or fast-paced modern adversaries, new methodologies are being considered. One approach that is gaining traction in many parts of DOD is Development, Security and Operations, or DevSecOps.
In its simplest form, DevSecOps aims to empower every member of a program to make security decisions and take security actions at the same scale and speed as development and operations decisions and actions. DevSecOps differs both from the traditional Waterfall delivery approach used in DOD programs, which focuses on product delivery, timelines and the coordination of those activities, and from modern Agile development methodologies.
DevSecOps versus Agile development
Agile development methodologies, which emphasize iterative development cycles and feedback to find and correct errors throughout the software creation process, have become more common in federal government technology programs. “DevSecOps is often confused with another name for Agile development or an offshoot of it in the DOD community,” says Derek Strausbaugh, chief digital officer of Microsoft’s national security division.
“Although DevSecOps relies on certain principles of Agile development, such as continuous integration and delivery of software systems in cycles, its main goal early in the process is to integrate security features; Agile focuses only on software delivery,” says Strausbaugh.
“You really take security and bring it to the same level as continuous integration and delivery. So it’s not just about Agile development, it’s actually about creating another strut for quality from the start and integrating your developers, security and operational functions into the software development lifecycle,” he says.
In a typical Waterfall or Agile program, a team of developers creates an application and then hands it to another group to add security or other features. DevSecOps shifts security responsibilities left, into development itself, allowing programs to run more efficiently and creating greater organizational awareness when issues arise.
“DevSecOps also helps with software and technology development pipelines. This is important because it is possible for programmers to create code and deliver products without understanding the infrastructure behind it,” says Zach Kramer, Azure Government engineering manager at Microsoft. He adds, “This can make it difficult to understand a project’s full security footprint, which is where Microsoft Azure and other cloud providers can help provide developers with a full picture.”
“This approach not only helps with the code and the underlying software infrastructure, but provides programmers with a standard set of telemetry and a top-to-bottom understanding of the platform they are working on,” Kramer explains. Another benefit of DevSecOps is that it shifts the program manager’s perspective from verifying software compliance against a specification or audit to ensuring that the code is written correctly and securely and is deployed in a reproducible manner. This matters because it is what allows a project to deliver software continuously at scale.
“If I’m not sure my application is still secure between version 1 and version 2, then I have no chance of making continuous delivery,” says Strausbaugh. “With DevSecOps best practices in place, I make sure continuous integration checks take place for the right security areas to achieve continuous delivery.”
DOD applications and culture change
DevSecOps fits into the DOD modernization strategy to upgrade existing systems and integrate new capabilities such as machine learning or artificial intelligence into its mission. “From a military perspective, it’s about increasing speed, accelerating decision-making and operational efficiency rather than just providing software,” says Strausbaugh.
Core aspects of DevSecOps, such as delivering predictable software and ensuring that software is protected against cyber attacks, fit into the military vision for future multi-domain missions. “This is important because while a modern command and control system can be compromised by a cybersecurity vulnerability, that responsibility can undermine an entire military operation,” Strausbaugh said.
“At the end of the day, DevSecOps is about predictability and speed of delivery while ensuring security. As Agile development rapidly produces code that can be deployed in combat applications with repeatable frequency, it comes up against security and operational considerations such as 24-hour operations and cyber defense,” Kramer explains.
“As a methodology, there are a variety of development container framework tools and products that organizations can use to help with DevSecOps applications. But it’s more about the methodology and approach to create a reliable, secure, and scalable runtime environment without having to be locked into some kind of single vendor,” says Strausbaugh.
Previously, companies mitigated risk through complex layers of approvals and controls that slowed delivery. Those processes do not eliminate risk; they mainly reassure the people who approve production releases. Strausbaugh maintains that while DevSecOps may feel uncomfortable at first, having the practice in place produces a better security posture, faster innovation and the ability to respond more quickly when the inevitable problem arises.
Organizations also need to change some aspects of their internal culture to launch a DevSecOps program, as the methodology creates a new way of looking at who the stakeholders in a system are.
Strausbaugh notes that Agile development brought the owners of the application or system into the process. DevSecOps continues this evolution by bringing “the kind of people you absolutely need to have to the table, and including all the skills you need.”
DevSecOps requires teamwork, because the goal is to build something that supports warfighters, and that carries both operational and security responsibilities. The methodology also requires a change in some of the developers’ skills, as they have to do far more than write good code.
“It requires comprehensive, keen developers to write secure code and code that doesn’t place an operational burden on the organization,” says Strausbaugh.
People working in this environment must also accept change as a constant in the development, delivery and maintenance of software. It requires a cultural shift to create a greater sense of individual responsibility, which makes the entire end-to-end process more critical to the bottom line, Kramer says.
Automation is the key
Automation is another important aspect of the DevSecOps process, especially when deploying software at scale across large DOD agencies or entire departments. Large-scale, fast-paced operations often suffer from human error, which typically creeps into repetitive maintenance and security assessment tasks. The best way to avoid these common mistakes is to automate those processes.
“If I can get a set of functions to be repeatable and known, I reduce errors,” says Kramer. “This means my deployments should not be performed by a human following a script. They should be automated with infrastructure as code. If I update it, it should be done with the same infrastructure-as-code that did my deployment.
“This same approach applies to security. Instead of requiring someone to go through checklists of hundreds of controls, this is done automatically as part of the software development/procurement process. This transition to automating these core processes is at the heart of DevSecOps,” says Kramer.
“Automation also frees up staff who would perform these manual tasks for other more stimulating and creative tasks. It also helps prevent employee burnout, as the automated processing built into DevSecOps helps manage maintenance and security operations by heart and allows operational cancellations if a problem is detected, so that instead of leaving the developers working overnight to resolve a problem, it can be identified and addressed the next day,” says Kramer.
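As an added example that is not from the article or from Microsoft, here is a small policy-as-code gate of the kind Kramer and Strausbaugh describe: it evaluates an infrastructure-as-code deployment manifest against a set of security controls on every pipeline run, so the same checks that cleared version 1 run unchanged on version 2 and block delivery when a change breaks a control. The manifest format, resource fields and the mapping of checks to control ids are assumptions made for illustration.

```python
# Added example (not from the article): a policy-as-code gate that checks an
# infrastructure-as-code deployment manifest against a few security controls
# on every pipeline run, replacing a manual control checklist. The manifest
# format, resource fields and control-to-check mapping are hypothetical;
# NIST SP 800-53 control ids are cited loosely for orientation only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    control: str   # control id the failing check maps to
    resource: str  # resource that failed
    message: str   # why it failed

def _public_storage(r):
    if r["type"] == "storage" and r.get("public_access"):
        return "public access enabled"
def _unencrypted_at_rest(r):
    if r["type"] in ("storage", "database") and not r.get("encrypted"):
        return "encryption at rest disabled"
def _logging_off(r):
    if not r.get("diagnostic_logs"):
        return "diagnostic logging not enabled"
def _mgmt_port_open(r):
    for rule in r.get("inbound", []):
        if rule.get("port") in (22, 3389) and rule.get("source") == "0.0.0.0/0":
            return f"management port {rule['port']} open to the internet"

# (control id, check); a check returns a message on failure, else None
CONTROLS = [("AC-3", _public_storage), ("SC-28", _unencrypted_at_rest),
            ("AU-12", _logging_off), ("SC-7", _mgmt_port_open)]

def evaluate(manifest):
    """Run every control against every resource; return all findings."""
    return [Finding(cid, res["name"], msg)
            for res in manifest["resources"]
            for cid, check in CONTROLS
            if (msg := check(res))]

def gate(manifest):
    """True when the deployment may proceed, i.e. there are no findings."""
    return not evaluate(manifest)

# Constructed manifests: v1 passes; v2 adds a change that must block delivery.
V1 = {"resources": [
    {"name": "app-db", "type": "database", "encrypted": True, "diagnostic_logs": True},
    {"name": "app-blob", "type": "storage", "encrypted": True, "diagnostic_logs": True},
    {"name": "app-nsg", "type": "network_rule", "diagnostic_logs": True,
     "inbound": [{"port": 443, "source": "0.0.0.0/0"}]}]}
V2 = {"resources": V1["resources"][:2] + [dict(V1["resources"][2],
      inbound=[{"port": 443, "source": "0.0.0.0/0"}, {"port": 22, "source": "0.0.0.0/0"}])]}
```

In a real pipeline the gate would run against the rendered templates before any deployment step, and a non-empty findings list would fail the build.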
Growing use in DOD
DevSecOps is starting to make inroads into DOD. Strausbaugh sees two areas where this is happening. The first concerns the large-scale “factory”-type software development programs currently underway in military technology centers to develop systems to support combatants.
The second area relates to programs where a major obstacle to sustaining project software systems has turned out to be monolithic design processes that do not deliver iterations or software updates frequently enough to catch major security vulnerabilities. Such systems are also too slow to stay ahead of new capabilities being developed by potential adversaries of the United States.
Due to global competitive pressure, some of DOD’s largest intelligence, surveillance and reconnaissance (ISR) platforms and systems are considering DevSecOps as a way to redesign or move away from software systems developed decades ago.
DevSecOps also benefits from a new generation of young military and civilian DOD personnel who are comfortable with technology and with using it in new ways. Strausbaugh notes that there has been a drastic change in DOD in the migration to and use of cloud-based services, and also in the adoption of modern software development techniques in many of the military’s technology development centers.
“They build a microservices architecture and consume cloud services and see the sales as a goal for how they should do things rather than getting locked into the improper term that the DOD has to do things a certain way just because of history or security,” says Strausbaugh.
Strausbaugh sees the shift toward development strategies like DevSecOps accelerating across the military. This is reflected in the fact that DOD is actively working with its industry partners to provide support and to make commercial tools and techniques available, as the services see the benefits of using them, he said.
To learn more about Microsoft Azure Government, visit azure.com/gov