Historically, the advent of Agile development increased the ability of software developers to create apps that met real-time objectives. Then, the rise of DevOps pushed for coordinated efforts between developers and operations by moving operations to the left. Now, DevSecOps strives for baked-in security by moving security to the left in the application development process, as well.
But, can government agencies develop software applications at the speed of relevance while still ensuring security, interacting with previous application development, and actively thwarting the efforts of skilled adversaries?
Katie Arrington, Chief Information Security Officer (CISO) for the Office of the Under Secretary of Defense for Acquisition, recently answered this question and explained how the Department of Defense is doing exactly that. And there are few more qualified to do so, as it’s Arrington’s responsibility to oversee cybersecurity efforts across the military and ensure that best practices are embraced throughout.
Arrington recently addressed an audience of government and private sector security personnel at the recent Sonatype-sponsored DevSecOps Federal Leadership Forum, she and other government cybersecurity decision-makers discussed the challenges government organizations face in software and application development. During her remarks, Arrington suggested that cybersecurity is a foundational element in application development and acquisition, and that these foundational elements must be done right “every single time.”
Security is not a checklist of do’s and don’ts
The National Development Authorization Act (NDAA) tasked the Defense Innovation Board (DIB) with a study to better understand how to streamline software development and acquisitions. This study, the Software Acquisition and Practices (SWAP), pushed forward key recommendations.
“The DIBSWAP study wasn’t done by the government. It was done by industry professionals looking at the government software development and acquisition process,” Arrington explained. She went on to summarize the study’s findings, saying, “You can’t buy software like you buy hardware. Software is always evolving…We need to be able to develop software in the most secure environments, at the speed of relevance.”
Embracing DevSecOps is essential for secure software development that keeps pace with the speed of requirements and innovation. And adoption of DevSecOps was potentially expedited in the Defense Industrial Base (DIB) by the Cybersecurity Framework and Cybersecurity Maturity Model Certification (CMMC).
The CMMC works to ensure that private sector organizations developing applications on behalf of the government meet certain cybersecurity benchmarks. Arrington suggests this was essential for the wide acceptance and progress of DevSecOps in government sectors. Having DevSecOps requirements baked into the requirements and acquisition process has enabled DevSecOps methodology to infuse itself into the DNA of projects going forward.
However, more work is needed to adapt DevSecOps principles into legacy applications and ongoing projects upon which newer containers, coding, lifecycles, and acquisitions will need to build. Determining ownership, assigning responsibility for maintenance and liability, and understanding usage rights all need continual focus across the public sector. But, DevSecOps is here now. It is inherent in the acquisition process. It’s here to stay.
Arrington sets the tone for the work ahead, “Focus on the highest risk. We want to buy down the risk as much as possible. We shouldn’t hold back on development and moving at the speed of relevancy out of fear of failure…Get the fundamentals down from the outset and realize there is a lot of work to do to see it play out throughout the whole lifecycle.”