DevSecOps is rapidly gaining traction within the federal government and with the IT solution providers and contractors that service both the federal government and military. And for very good reason. Evolving away from traditional forms of application development – such as the waterfall approach to development – towards Agile development and DevSecOps can make development teams more effective, efficient, and flexible. It can also help accelerate the creation and deployment of software solutions while helping to make applications more secure.
This is especially important for today’s government agencies and military, which face an incredibly sophisticated cyber landscape at a time when software vulnerabilities remain among the most exploited vectors for cyberattack.
In this environment, it’s essential that all applications being developed for government and military use – whether they’re developed by government organizations themselves, or solutions providers – be built with an eye towards security. In our new interview series that we’re calling the “GovDevSecOpsHub Developer Spotlight,” we sit down with application developers that make software for the government and military – and that do it the right way by developing with DevSecOps best practices.
Our first “Developer Spotlight” interview is with Daniel Prado Rodriguez, the Director for Technical Program Management at goTenna and his team: Ketaki Guntoorkar, Lead, Mobile Software; Colin Roye, IT and DevOps Engineer; and Elan Frantz, VP, Product.
goTenna is widely known by hikers and outdoor adventurers as a manufacturer of mobile mesh networking solutions that can enable communications off-grid. But they’re also a software provider, offering an application that works with their goTenna Pro line of products that can help keep military personnel, tactical operators, and emergency responders connected – even when terrestrial networks are unavailable, untrusted, or denied.
During our conversation, we asked Daniel about the goTenna Pro app, how DevSecOps best practices help to keep it secure, and how making a solution for government and military users increases the security requirements of their applications. Here is what he told us:
GovDevSecOpsHub (GDSOH): Many people know goTenna as a device manufacturer and less as an application developer. Can you tell our readers a bit about the goTenna Pro App? What functionality does it have and how does it work with the goTenna Pro X device?
Daniel Prado Rodriguez: The goTenna Pro app is a tactical situational awareness application that pairs with our goTenna Pro and goTenna Pro X mesh networking radio devices to enable mission-critical communications. The app leverages the communication capability of our devices and proprietary protocols to establish a highly efficient mesh network, completely independent of traditional cellular, WiFi, or satellite connectivity.
The devices have a 5W, tunable UHF/VHF radio that automatically acts as a secure relay, “hopping” messages across the mesh network to greatly extend the radio range. Our state-of-the-art proprietary protocols allow us to operate in a very efficient way compared to the competition.
Using the goTenna Pro app, available in the iOS and Android app stores, is really straightforward. Once users pair it via Bluetooth with our goTenna Pro or goTenna Pro X tactical radio, they can immediately start using its chat and mapping features: sharing and receiving critical tactical information like near real-time locations, map markings – routes, perimeters, geofencing, and other shapes – and text messages while 100 percent off-grid. This can be done in one-on-one, Group, or Broadcast modes.
GDSOH: What are the patch and upgrade schedules like for the application? How frequently is the team working to release new versions, patches, and updates to the application?
Daniel Prado Rodriguez: Although, following our Agile Scrum methodology, we could release a new version to production every few weeks, that would be impractical for most of our customers in the public sector, since very often our units are deployed offline in the field, and they require a central operator to upgrade our App and FW periodically. That can be done through different methods: directly from the smartphone with an internet connection, or offline, connected via hotspot to our goKit (goTenna Pro Deployment Kit).
Hence, for practical reasons, we usually group our “internal” releases into a quarterly release but are always ready to provide urgent ad-hoc releases to quickly support new Android/iOS versions or adapt to some other sudden event, such as regulation changes, vulnerability fixes, etc.
GDSOH: In previous discussions, you’ve shared that the goTenna Pro app development team has embraced Agile and DevSecOps approaches to development. What does this mean? How has this changed or shaped the way the team operates?
Daniel Prado Rodriguez: That’s correct. Our engineering teams strive to adopt Agile/Lean principles, and – specifically for the development of software – we follow a methodology largely based on the SCRUM framework.
Working in relatively short iterations of two weeks allows us to capture frequent feedback on the product in progress. It also provides the flexibility to our product team to reassess priorities and specifications. A critical change for us was to introduce quality assurance within each sprint cycle. That has allowed us to increase the overall quality, performance, and stability of our code.
We are working towards achieving a full continuous integration / continuous deployment system for both our Apps and online web services, and DevSecOps plays a critical role in that regard.
GDSOH: What does this approach to development enable that the traditional waterfall approach didn’t? How is it making you a better development team?
Daniel Prado Rodriguez: The waterfall approach still has value in many areas of engineering, but when it comes to software development – particularly the development of mobile and web applications – it has well-known shortcomings. Its Achilles’ heel is assuming that the planning phase can anticipate the impact of external and internal factors that inevitably happen during the development.
But the truth is that no matter how much effort and time you put into the design and planning phase of a software project, unexpected events will happen, implementation complexity will increase, and more importantly, customer requirements will shift, and when that is discovered, it will be too late, having wasted time and resources.
Adopting Agile has made us a much better team. Frequent collaboration and communication are fostered within the engineering team units and between engineering and the rest of the organization. These constant communication channels and the checkpoints provided by the SCRUM ceremonies have a positive impact on the quality and usability of the product, and also work both ways since often engineers can provide valuable feedback to designers and product owners.
GDSOH: What tools or solutions has the team implemented to help make the transition easier and improve security across the SDLC?
Daniel Prado Rodriguez: Over the last couple of years, we have incorporated several tools into our SDLC. For example, we use GitHub Actions and AWS CodePipeline to automate our deployments. We use several vulnerability scanning tools in our pipeline to ensure our builds are constantly monitored. In the case of our web apps and services, we’ve integrated Cloudflare’s Web Application Firewall (WAF), which protects us from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery.
We can also mention CloudFormation and Terraform infrastructure code as well as Docker containers to codify our infrastructure. These tools allow us to write clear declarative infrastructure with security best practices baked in. Changes to the infrastructure can be peer-reviewed on GitHub, reducing the likelihood of insecure changes finding their way into production systems.
GDSOH: I understand that goTenna Pro devices are in use within public safety and even military organizations. What use cases are there for the Pro devices and goTenna Pro app within these organizations?
Daniel Prado Rodriguez: For public safety, our use cases include search and rescue, manhunt operations, wildland fire management, and disaster recovery.
For our military customers, applications primarily cover blue force tracking, but extend to reconnaissance, training, and more.
GDSOH: Does working with military, police and public safety organizations create any additional security challenges or requirements? How has your DevSecOps and Agile approach to development helped to keep the app secure for these users?
Daniel Prado Rodriguez: Our use cases often involve sensitive positions, messages, and other potentially sensitive information being transferred through our network. That means we need to keep the highest level of security in our product, mitigating any risk of exposure for our end users.
First of all, there is a strong focus on encryption, using the strongest techniques and algorithms to achieve secure end-to-end key exchange and message ciphering. DevSecOps helps us keep security compliance in an agile development cycle, for example, as mentioned above, by keeping consistent vulnerability management with constant automated scanning and monitoring of our codebase and third-party components.
For additional information about goTenna and their goTenna Pro line of products for military and public safety, visit them online at www.gotennapro.com.