The benefits of shifting from a traditional “waterfall” approach to application development to a DevSecOps approach to application development have been well documented – including in the GovDevSecOpsHub. Ultimately, by shifting security left in the development process, application development teams can develop and deploy software more quickly, and create applications that are more secure against the increasingly sophisticated and active threat landscape facing today’s government.
Despite these benefits being well known and accepted, DevSecOps adoption is still in its infancy in many places across the federal government and military. There are many reasons why that may be, but culture certainly plays a large role. While the tools and technologies needed to make DevSecOps a reality are widely available to government, there are large changes to the existing culture within many of these government agencies and military organizations that are needed to effectively put them to work.
In the latest episode of the ContinuousX Podcast, hosts Mike Fitzurka and Rick Stewart of DLT sit down with Kaitlin Bulavinetz, the Chief of Staff to the Chief Software Officer of the United States Air Force, to talk about enabling a DevSecOps culture in the military.
The transcript of their conversation follows.
Transcript: ContinuousX Podcast (Season 2, Episode 1) with Kaitlin Bulavinetz, the Chief of Staff to the Chief Software Officer of the United States Air Force
Rick Stewart: Hello and welcome to another episode of our ContinuousX Podcast, where we toil to “Solve for X in the SDLC Equation.” We are pleased to have as our guest Miss Kaitlin Bulavinetz, Chief of Staff to the Chief Software Officer of the United States Air Force. Welcome, Kaitlin.
Kaitlin Bulavinetz: Hi, how are you? Thanks for having me.
Rick Stewart: Thank you. I got by your name, so we’re doing well. For this episode, we would love for you to provide your insights into any cultural challenges in adopting DevSecOps principles within the United States Air Force, or the DoD at large, and how do you overcome them?
Kaitlin Bulavinetz: The cultural challenges are something that the DAF and the department are aware of and working on, and our office is very happy to be working with our partners across the DoD on those challenges.
One of the big items that underlies the cultural challenge is that the processes and systems were created a long time ago and are still structured in a very waterfall way. They’re not designed for flexibility of today’s technology and our technology is just moving so much faster than the department systems can be updated. So, that is one key way.
But the policies and the tools exist in the department to address those items and to move from a Waterfall process to something that’s Agile, embraces a DevSecOps mindset, and is more flexible, so that we can continue to evolve as technology continues to develop and things continue to move faster and faster.
I think that’s an important area to recognize that these tools exist, the policies exist. You’re seeing that we have these pockets of innovation and all these new ideas, like the Continuous Authority to Operate (cATO), which we’ll talk about later, which offers the ability to move faster and to move at the speed of relevance. And those items, through that implementation, that’s how we’ve been changing culture.
We’re also doing that through workforce training and sharing best practices across the department. It’s important to recognize that it’s a holistic approach. It’s not just, “well, we need more software developers.” It’s not, “we need to make sure software developers are trained faster.” It’s, you have contracting officials who support those developers.
You have so many programs that also work with them. There’re so many different pieces. And once we get everybody talking the same digital language, I think some of those cultural obstacles will start to disappear. And I think you’re starting to see it. So that’s really where we’re looking at right now, is how can we do that with some areas such as software reciprocity and Agile contracting.
Michael Fitzurka: Right. I would imagine that contracting is probably the one big element, that if everything’s structured to be … okay, you can be Agile, and I’ll tell you what to do later, but you have to do all these things upfront and you have to agree to it; then you’re kind of incongruous to what you want to try to achieve with an Agile mindset.
Kaitlin Bulavinetz: Yeah, exactly. And it’s not just the contracting process; the contracting process is that way because the budgeting process is that way. You need to plan your budget five years out. Where we are as an organization, you didn’t have Platform One or the software factories five years ago.
So, it’s hard to do that. But there are different approaches that people are taking, such as buying the capacity of work instead of buying requirements, and that gives you that flexibility. So yes, you have your desired North Star that you’re doing for five years, but you’re able to make those decisions in the immediate future based on your needs and the warfighter’s needs.
Rick Stewart: Yeah, I was going to mention, Mike and I come from the private sector, which I believe you have in your past as well, Kaitlin, where even within the same company or the same entity, there are cultural challenges that you have to overcome.
An Agile approach, kind of the left side, where software development was being done quicker and more devoted to the most valuable thing to do. And you still have the operational side where they are challenged with availability, security, all the “-ities”, etc. And you still had this cultural back and forth where an us-and-them wall was built up.
That’s why I’m very pleased that the DevSecOps cultural transformation is being embraced in the public sector. My 50,000-foot view is that it has challenges with the human nature of the us-versus-them, especially when you’re talking about potentially multiple different companies competing for awards, competing for services, and competing for agency attention and dollars in order to achieve the outcome. Where the outcome should be the service or the value of providing, as opposed to who’s actually doing it.
Kaitlin Bulavinetz: Yeah, I mean, it’s a culture change, right!
Rick Stewart: Exactly!
Kaitlin Bulavinetz: Vendors and contractors and the private sector providing expertise is such a key piece of it. So, it is looking at a different way of doing business, but ultimately everybody rises with the tide. So, as the department becomes more advanced, when it comes to software practices and where we are from a tech standpoint, as we catch up to the commercial sector companies, there won’t be such a stark difference between what you’re selling to the government and the way the government does business and the way commercial sector does business.
Rick Stewart: And I want to add, from our background, Mike and I would go into the operations group and kind of plead with them saying, you understand if a hole’s blown in our side of the boat, ours being the development side, we’re still going down. So, you know, you said the rising tide, I kind of use the naval…
Michael Fitzurka: The sinking tide.
Kaitlin Bulavinetz: You can add some airplanes?
Rick Stewart: Maybe a hole in the wing is not a good thing.
Michael Fitzurka: Yes, not the Navy.
Kaitlin Bulavinetz: No, we don’t do that, we’re all one team.
Rick Stewart: Thank you, Kaitlin, that was most interesting. And thank you to our listeners for your time and attention. Join us for our next session with Kaitlin when we’ll discuss cATO.