Cybersecurity – a term often mentioned by military leadership, industry experts, media, and policy makers – is emerging once again with DevSecOps.
“We’ve heard it all before in the modeling, simulation, and training community – cybersecurity needs to be baked-in, not bolted on,” said Don Lawson, Cybernet vice president for cybersecurity and training systems. “With DevSecOps, cybersecurity is not only baking with development and operations, it’s a key part of the recipe.”
DevSecOps stands for development, security, and operations. Its goal is to integrate security as a shared responsibility across the culture, automation, and platform design of products and programs throughout the entire IT lifecycle. DevSecOps processes support continuous integration and continuous delivery activities alongside cybersecurity compliance and reporting.
“It doesn’t sound very groundbreaking on the surface,” said Lawson. “But the concept is novel because of the highly automated and integrated nature of DevSecOps.”
The ability for a development team to check in their latest code updates and features, run the codebase and deployment infrastructure through cybersecurity quality gates, and provide automated deployment to staging, quality assurance, and/or production is what pushes DoD cybersecurity experts toward the concept of continuous authority-to-operate (cATO) and/or continuous risk management framework (cRMF).
With cATO/cRMF and Agile contract requirements gaining momentum, DoD has the opportunity to embrace best-of-breed toolsets to deliver capabilities to the warfighter quicker, cheaper, and with a higher degree of quality and inherent security.
“By putting cybersecurity directly into the development build & deployment processes, cyber analysts are now gaining insights into areas of products which were previously under a veil of secrecy in the years of bolt-on cyber,” added Lawson.
Entire code bases, including their open-source components, can now be scanned for vulnerabilities, scrutinized for risk impacts, and reported on. This enhanced process allows software engineering, cyber, and operations teams to respond accordingly, so the overall risk factors of operating their system are either addressed at the source or mitigated in the wild.
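The quality-gate step described above, as an added illustration that is not code from Cybernet or from any of the DoD platforms named on this page: a Python gate that takes constructed dependency-scan findings, blocks deployment on unmitigated high or critical findings, honours time-boxed documented mitigations, and emits one report line per finding for the compliance record. The Finding and Mitigation fields, the VULN-xxxx identifiers, and the sample components are all constructed, not real advisories.

```python
from dataclasses import dataclass
from datetime import date
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    component: str       # open-source component flagged by the scanner
    version: str
    vuln_id: str         # scanner identifier; values below are constructed placeholders
    severity: str        # low / medium / high / critical
    fixed_in: str = ""   # version that addresses it at the source, empty if none known

@dataclass
class Mitigation:
    vuln_id: str
    reason: str          # compensating control applied "in the wild"
    expires: date        # time-boxed risk acceptance; the finding blocks again once expired

def evaluate_gate(findings, mitigations, threshold="high", today=""):
    """Findings at or above the threshold block deployment unless a current mitigation covers them."""
    as_of = date.fromisoformat(today) if today else date.today()
    active = {m.vuln_id for m in mitigations if m.expires >= as_of}
    verdict = {"blocking": [], "mitigated": [], "advisory": []}
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            verdict["advisory"].append(f)    # reported, does not stop the pipeline
        elif f.vuln_id in active:
            verdict["mitigated"].append(f)   # risk accepted with a named control
        else:
            verdict["blocking"].append(f)    # must be addressed at the source
    verdict["passed"] = not verdict["blocking"]
    return verdict

def gate_report(verdict):
    lines = [f"GATE {'PASSED' if verdict['passed'] else 'FAILED'}"]
    for kind in ("blocking", "mitigated", "advisory"):
        for f in verdict[kind]:
            fix = f" (fixed in {f.fixed_in})" if f.fixed_in else ""
            lines.append(f"{kind.upper():9} {f.vuln_id} {f.component}@{f.version} {f.severity}{fix}")
    return "\n".join(lines)

# Constructed scan output; the identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("libparse", "1.2.0", "VULN-0001", "critical", "1.2.3"),
    Finding("imgcodec", "4.0.1", "VULN-0002", "high"),
    Finding("logfmt", "0.9.0", "VULN-0003", "low", "0.9.1"),
]
SAMPLE_MITIGATIONS = [Mitigation("VULN-0002", "vulnerable code path unreachable; WAF rule in place", date(2030, 1, 1))]

if __name__ == "__main__":
    print(gate_report(evaluate_gate(SAMPLE_FINDINGS, SAMPLE_MITIGATIONS, today="2025-01-01")))
```

Once a mitigation expires, the covered finding blocks the pipeline again, which is what keeps a "mitigated in the wild" risk acceptance from silently becoming permanent.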
The Air Force, Army, and Navy are already embracing this technological shift with the Platform One, Enterprise Cloud Management Agency’s (ECMA) CReATE, and Black Pearl initiatives. All three are greatly enhancing the speed at which software capabilities can go from concept to scalable deployment by enabling code reuse, cyber reciprocity, and cloud-level scale of compute resources.
From training systems to weapon systems, the application of DevSecOps within the DoD is imperative to maintain our nation’s technological edge against adversaries targeting our vulnerable systems by using our long procurement processes against us.
“The weight of continuous cyber compliance at the scale of DoD assets is a daunting beast, and DevSecOps may just be the silver bullet we need,” concluded Lawson.