Media Contacts

Katherine Viles for Sev1Tech 
kviles@aboutsage.com
617.416.1104

 

The Ultimate Guide to DevSecOps

May 19 2021

Many federal agencies still utilize the "waterfall" method when it comes to software systems and development. One department completes a task, the project moves to the next department, and the next item on the list is started—everything is completed in silos. This is the way of the past.

Agile vs Waterfall

Today's modern agency calls for the flexibility to transform software rapidly while ensuring that security tools and processes are baked into the software delivery lifecycle. This shift in mindset is the foundation behind DevSecOps, a term you’ve likely heard but may not have your head fully wrapped around.

This guide will walk you through what DevSecOps is, why it’s important, the path to implementing it in your agency, and resources for doing so.

 

What is DevSecOps?

DevSecOps is an evolution from the old waterfall method to a new lifecycle model that integrates, as the same suggests: development, security, and operations. DevSecOps emerged as a pivotal response to older, bottleneck-riddled security processes with siloed delivery pipelines.

Building and automating the development process bridges the traditional gap between IT and security while ensuring fast, scalable and reliable delivery of code. For government agencies, once-siloed teams are brought together to share the responsibility of security tasks during the delivery process. In agencies using DevSecOps, security is no longer a singular task or box to check — it’s a central component of every piece of a project.

Under old models, there were competing priorities — speed of delivery vs. secure code. With DevSecOps, however, these two important elements of every project are merged into a streamlined system. Using lean-agile practices, security testing is done in iterations without slowing down delivery cycles. Security issues are dealt with as they arise; not after a threat of compromise has occurred.

DevOps vs. DevSecOps

DevOps emerged in the corporate world as companies were experiencing timeline and budget overages as they released products that were out of date on launch day.

Product teams brought development and operations together and began implementing lean/agile methodologies, taking a page out of manufacturing’s playbook.

But as processes were being improved to shorten delivery times, system security was left in the dust as an afterthought. DevSecOps works to balance all these priorities and integrate security into the DevOps pipeline without sacrificing quality or slowing down delivery.

DevOps: A Critical Combination

DevOps is the collaboration between development and operations teams to create a more agile, streamlined deployment framework. It's a critical shift away from the traditionally siloed mentality of many IT teams, which prioritized areas of specialization over communications.

DevOps has become a driving force in many forward-thinking agencies—born from the need to deliver software and services more reliably and quickly. The ideals of continuous testing and automation are essential to successful DevOps implementations. New deployments must be tested from the moment code is written to the hour the final product is released—and then regression tested through the product’s entire lifecycle.

DevSecOps: Logical Next Steps

DevSecOps introduces the concept of security into the existing DevOps paradigm. It's critical to apply the notion of developing a "security-as-code" culture that prioritizes both secure deployment and speed, rather than attempting to separate the two.

DevSecOps integrates key security policies such as code analysis, compliance monitoring, threat investigation, and vulnerability assessments into typical DevOps workflows. The ideal result? Native security built into new product deployments, which limits the risk of zero-day flaws and software recalls.

Why the "Sec" in DevSecOps Matters

For years, security has been an afterthought in the DevOps process. The “old way” looks like:

  • Develop the software
  • Implement it in a test environment
  • Then check for security
With DevSecOps, the development process gets more efficient—and secure—by integrating security at each step. Systems become stronger and more secure while maintaining iterative delivery schedules.

You could, in theory, plug any priority into the DevXOps formula and integrate it into your agile workflows. However, with government agencies, security needs to be a priority and DevSecOps has emerged as the desired industry standard.

What DevSecOps Looks Like

When you adopt a DevSecOps approach, you intertwine three different areas—development, security, and operations—into one seamless unit. The unit then focuses on six key components:

  • Automation – You’ll need to employ automatic security protocols to keep pace with your code delivery in a continuous integration/deployment (CI/CD) environment.
  • Code Analysis – Develop your code in small batches so vulnerabilities can be detected early.
  • Shift Left – Ensure security is considered and involved in every step of the process, from inception to deployment.
  • Compliance Monitoring – Guarantee that your operation is constantly mindful of compliance.
  • Security Training – Make sure your IT and engineering personnel are trained with set guidelines for DevSecOps.

The Benefits of DevSecOps

DevSecOps sounds nice. But can it actually make your agency more efficient?

In most cases, the answer is a resounding yes. When you combine the processes of three different departments—development, operations, and security—you naturally become a more effective unit that can:

  • Continuously deliver iterations to a system
  • Build and test functionality rapidly
  • Deploy bug fixes and enhancements rapidly
  • Integrate a lean team of experts to move quickly
  • Respond to changing needs with ease
  • Identify vulnerabilities before they become big problems
It’s rare to get an opportunity to increase both efficiency and quality in one fell swoop, but a shift to DevSecOps can accomplish it all.

The DevSecOps Pipeline

A typical DevOps pipeline includes different stages for each piece of work to be completed. For example, a typical software development lifecycle (SDLC) includes phases like plan, code, build, code, test, and deploy.

 

DevSecOps Infinity Loop

In DevSecOps, specific security checks are added in each phase:

  • Plan: Execute security analysis and create a test plan to determine scenarios for where, how, and when testing will be done.
  • Code: Deploy linting tools and Git controls to secure passwords and API keys.
  • Build: Incorporate static application security testing (SAST) tools to track down flaws in the code before deploying to production.
  • Test: Use dynamic application security testing (DAST) tools to test your application while in runtime. These tools actively investigate running applications with penetration tests to detect possible security vulnerabilities.
  • Deploy: After completing the above tests in runtime, send a secure build to production for final deployment.

An example DevSecOps pipeline, including the tools used at each stage, for customized version of Geocent's Apios DevSecOps pipeline. 

Apios DevSecOps Pipeline

Adding Automation

As you improve your DevSecOps pipeline and laser focus your security efforts, you’ll identify opportunities for automation, which can further your efforts to streamline and secure the development process.

Leveraging automation makes it possible to address form and function issues at speed rather than relying on outdated manual frameworks.

Automation can:

  • Help you transition from a continuous delivery operation to a continuous deployment system—no more checking updates and new tech before it’s deployed.
  • Detect vulnerabilities in your system, automatically build a new environment with the necessary updates, and redeploy without you touching it.
  • Automate the entire infrastructure, which gives you more freedom to interchange parts and attributes as you please without enduring a laborious, manual process.

 

The Culture Shift Required in DevSecOps

DevSecOps allows agencies to build, test, and release secure software faster and more reliably. It’s now the standard in tech, but many government agencies are still using outdated methodologies.

Change, no matter how it arrives, is never easy. For government agencies, it can be even harder. Systems, processes, and mindsets are more entrenched because of the extreme vetting that goes into adopting these frameworks. The same goes for shifting to a DevSecOps approach to your software tech systems.

So how do you catch up to the standard and even get ahead of the curve in one undertaking?

The Challenge

The government sector, by and large, lags behind the commercial sector in software technology.

We’ve seen many clients still using the “waterfall” method. Each department works independently, with their own territory to lord over. They feel ownership over it, naturally, and when management comes in and wants to reclaim that territory or give it a different look, resistance is natural.

People worry. Will I lose my job? Can I keep up?

Management worries, too: Will this new approach actually work? We’ve done it one way for a long time—why are we abandoning our tried-and-true way? Why rock the boat?

You might be surprised how entrenched some people can be about this change (then again, it may not surprise you at all). And if you believe your team is truly using a DevSecOps approach, but your development and operations teams still aren't communicating or working cohesively, you lose.


The Solution

No matter the challenge, DevSecOps will radically improve how your government agency works.

Gone are the worries about security checks. And the amount of time and effort saved with a continuous-integration, continuous-deployment (not delivery) environment can have a monumental impact. Your software creation and implementation can become faster, more efficient, and more secure.

The benefits seem obvious, but getting buy-in from stakeholders can be the most difficult part of going from behind the curve to cutting-edge. To fully embrace DevSecOps, you must break down barriers and foster open collaboration between development, security, and operations teams. Remember, DevSecOps is a software engineering CULTURE.

The cultivation of shared responsibilities is vital. All DevSecOps team members must see the delivery of secure services as their responsibility, rather than something handled by other teams during development or after services are deployed.

Not everyone in your organization may be as excited about the culture shift as you. Not everyone likes change, and there's one thing for certain, DevSecOps will bring change—how you work, what you do, how you interact with other people on the team, and beyond.

If you encounter persistent resistance, it may mean some staffing changes are in store. But when the work your government agency does is so important, it’s worth it in the long-term.

How Geocent Integrates DevSecOps

At Geocent, DevSecOps is more than just a buzzword. It’s integrated into every project we do—not just the projects where it’s required by contract. DevSecOps isn’t a box we tick and move along. We take a proactive approach to make sure we’re delivering quality, secure software continuously and with efficiency.

We’re a DevSecOps-focused organization, and here’s how we bring it to our clients:

  • Align the DevSecOps pipeline, described above, to each organization’s needs
  • Create a plan and processes for implementing and measuring DevSecOps performance
  • Execute the plan to make DevSecOps engrained in every step of the process
    Iterate and improve as we identify opportunities

There’s no one-size-fits-all DevSecOps implementation checklist out there that you can plug-and-play in your agency. You’ll likely want an experienced DevSecOps partner like Geocent by your side as you reframe priorities and bring siloed departments together.

Real-world Examples

USCIS Risk and Fraud DevSecOps

The Department of Homeland Security Citizen and Immigration Services (USCIS) needed to modernize its systems used for immigration status verification. Geocent used DevSecOps methodologies to help replace these burdensome legacy systems with agile, efficient, cloud-based applications that help USCIS process claims more quickly and effectively.

Read More

MCBOSS Multi-Platform Cloud Capabilities

The Marine Corps was used to taking months or years to make even minor software updates to their legacy systems. They needed a cloud-enabled platform that allows users to access and build applications for Marine Corps use, including the ability to rapidly update with a continuous authority to operate (ATO)—the first of its kind in the USMC. Our team constructed the majority of the automated testing and development, which enables the DevSecOps process within the MCBOSS environment.

Read More

The Kessel Run Model

Known as the Software Factory that fights wars, the goal of Kessel Run was to change how the Air Force, and by extension the Department of Defense, develops and delivers software run on classified networks that adopts the best practices from the commercial industry.

The program, once thought of as far-fetched, successfully demonstrated continuous delivery of software development, or in developer terms, the holy grail. It was a huge win for the Department of Defense.

 

Read More on DevSecOps

Culture Change + DevSecOps

A DevSecOps Approach to Cloud Transition

Tags