Page 39 - FCW, September/October 2020

ExecTech
Improving IT performance with DevSecOps
Defense agencies in particular are embracing the idea of blending development, security and operations from day one
BY CHRIS YATES
Eli Whitney, the inventor of the cotton gin, demonstrated the value of interchangeable parts in 1801 before the U.S. Congress, President John Adams and President-elect Thomas Jefferson. Whitney proved the viability and the military value of interchangeable parts by stripping down several muskets, mixing up the parts and then reassembling the guns in working order. Although his demonstration was later proven to be staged — he had marked the parts beforehand and they were not truly interchangeable — the concept was valid.
Today, we take for granted that parts are interchangeable, from the bolt carrier of a rifle to the alternator on a transport vehicle. We assume that one is as good as another. But as with information systems developed today, muskets of that era were bespoke artisanal creations. The parts for any given firearm were custom fitted to accommodate the variation in manufacturing for the other components. A gunsmith would be necessary to replace the hammer or pan of a musket and return it to working condition.
The same can be said for information systems today, which often require a specialist or a team of specialists to configure, deploy, modify or repair in the event of a failure.
To address the bespoke nature of information systems and gain the same types of benefits that interchangeable parts brought to manufacturing, the Defense Department is adopting DevSecOps. The approach has seen accelerated growth in the public sector in the past two years, especially within DOD, and it warrants a closer look.
DevSecOps combines processes, tools and people with enterprise values across the disciplines of development, security and operations. DevSecOps forms a unique culture to enable more efficient delivery and management of secure software. The integration of security augments the DevOps practices seen in industry.
In government, it’s important to integrate security throughout the process to effectively reap the benefits of iterative improvements. Traditional development processes more often incorporate security as a checkpoint that needs to be passed and do not integrate security concerns throughout the process. DevSecOps elevates security into a first-class citizen instead of a bolt-on checkpoint.
The adoption of DevSecOps is extensive across the federal government, including the General Services Administration, Air Force, Army and Navy.
Let’s take a closer look at the three main elements of DevSecOps:
• Processes. DevSecOps can be seen as an extension beyond the software development life cycle practices found in agile development and continuous integration/continuous delivery methodologies to improve the operational behaviors of the deployed system, including security. By taking the principles of continuous deployment, applying them to operations management and introducing configuration as code, operational tasks can be automated, thereby increasing resiliency.
Ultimately, the result can be push-button automation — the ability to completely redeploy a component of infrastructure from bare metal to full operational capability by kicking off the appropriate automation playbook.
• Tools. Myriad tools are used in DevSecOps. It’s more important to have the right classes of tools than it is to have precisely the same tools that another DevSecOps-practicing organization might use. DevSecOps is a combination of all three pillars of processes, tools and people, so there is no single product that can be purchased. Unfortunately, there’s no such thing as a DevSecOps box we can install in a data center.
The collection of tools focuses on source code version control, build automation, test automation, security