This article was written and submitted by Ben Chicoski of CloudBees. It was originally published on the CloudBees online publication and is available in its entirety HERE.
Application developers are enthusiastic to move quickly and innovate. Unfortunately, that enthusiasm sometimes creates conflict when it butts up against security, which tends to value the status quo. And, in some cases, the desire to increase velocity introduces new challenges and risks ranging from skipped process gates to insufficient testing.
The goals of development teams can seem at odds with what security teams need to do. Traditional models of security have certain characteristics that don’t always jibe with a development team’s thirst for speed, flexibility, and innovation. The result is an all-too-common mindset that “security is blocking the world.”
This scenario applies universally to government agencies and the vast surrounding ecosystem of private industry that advises and performs services related to DevOps, IT modernization, and information security. With a government-wide push for IT modernization, citizen-facing digital services, website modernization, and the fact that many programs rely on producing functional and secure software, agencies want greater DevOps maturity, but they’re often unsure how to turn that goal into reality in a world where compliance matters.
But it doesn’t have to be that way. Especially considering that development, security, and operations teams all strive for the same end state: fewer vulnerabilities in production.
A convenient truth: security can accelerate DevOps adoption
Enter DevSecOps, which unites groups around a shared objective: software that is both functional and secure.
Agencies increasingly recognize that security plays a key role in software delivery, and therefore it makes perfect sense to, “Push security to the left,” by weaving security steps into developer workflows. The result: faster releases, more secure releases, and the freedom to focus on the mission.
A tidy definition of DevSecOps comes from my colleague Nic Chaillan, who is doing some incredibly pioneering work to build a DevSecOps platform of best-of-breed tools that can be leveraged as a turnkey solution across the Department of Defense enterprise.
According to Nic, “The software integrated tools, services, and standards that enable partners and users to develop, deploy, and operate applications in a secure, flexible and interoperable fashion.”
And this new approach to development is taking off across the government.
The General Services Administration is pursuing a DevSecOps model, “…that will not only engage security throughout the development and operations processes, but more specifically, ensure their involvement as we align the Authority to Operate (ATO) process,” with its increasing adoption of cloud.
The Department of Homeland Security is working on technical and policy angles simultaneously. While its cloud steering group tackles aspects of policy, its Cloud Factory is helping to establish a highly automated, secure, reliable set of managed services that allow for the dev/ops flow, feedback, and innovation of various applications.
But there are some challenges.
DevSecOps and authority to operate (ATO)
A thorny issue wrapped up in both technology and policy is everyone’s favorite whipping boy: the ATO process. One sticking point is that an ATO is usually good for three years, although it assumes no major changes to a system’s cybersecurity posture will be made during that time.
When changes do occur, the authorizing official might require a reassessment and reauthorization, which impacts project cost and schedule and runs counter to being Agile.
Fortunately, the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), the government’s foundation for system assessment and accreditation, encourages an alternative approach to the traditional three-year ATO process through continuous reauthorization.
The daunting and labor-intensive application of RMF controls presents a prime DevSecOps opportunity: automation and orchestration can minimize the release of poor-quality code, make the results of security gates a foregone conclusion, and provide continuous visibility into system changes and security posture.
To read Ben’s original article in its entirety, click HERE. For additional information on how DevSecOps can help government agencies innovate and move quickly without sacrificing security, click HERE to download a complimentary copy of the whitepaper, “DevSecOps: Speed and Security Together at Last.”