August 7, 2018

Written by Michael Iams, Solution Architect at REI Systems

Everywhere you look, federal government IT is scrambling to catch up with cybersecurity threats. Key provisions of FITARA have been extended to give federal CIOs more authority. OMB set a 3/1/2018 deadline for agencies to meet newly strengthened FISMA requirements. The Pentagon is launching an educational campaign aimed at the families of leadership, stressing the need for better cyber hygiene. And of course, all this happening in an environment of reduced budgets for equipment and training.

To become faster and more innovative, most agencies have turned to DevOps. DevOps is the set of practices that automates the processes between software development and IT teams, in order that they can build, test, and release software faster and more reliably. Leveraging Continuous Integration and Continuous Delivery (CI/CD), developers find and fix bugs as they occur, driving speed and efficiency. DevSecOps takes the same process to “bake” cybersecurity right into new software and applications, but this process is not being followed currently by federal agencies.

Here’s how GSA defines DevSecOps on its Tech Guide web site: “A cultural and engineering practice that breaks down barriers and opens collaboration between development, security, and operations organizations using automation to focus on rapid, frequent delivery of secure infrastructure and software to production.” A detailed approach to DevOps for the Federal Sector can be reviewed by clicking on this link.

Automating software testing alone does improve cybersecurity somewhat. However, currently security testing is still done as a separate process AFTER the software is ready for deployment, sometimes causing lengthy delays and unnecessary mistakes due to a lack of coordination. Security shouldn’t be “bolted-on” at the last minute. The security testing could be automated just as bug testing is currently – which would make federal agencies more nimble AND more secure.

Traditionally, there has been a belief that increasing the frequency of deploying changes to production reduces operational stability and reliability. But DevOps has proven that throughput and stability are in fact positively correlated and lead to better IT performance and security.

The challenge of DevSecOps is more cultural than technical in nature. At its core, the problem is that historically, government has not assigned a quantifiable cost to delays and missed deadlines. There is no incentive for the security team to meet deadlines on testing new services or applications. They are siloed away from the development team, and there is little or no collaboration.

In 2012 the management consulting firm AT Kearney produced a study putting a dollar figure to acquisition and production delays. The report looked at defense programs, and documented how billions could be saved by cutting down on missed production deadlines.

Security teams insist on having control of configurations and running their own tests – and that’s not a problem! That kind of control can be maintained, but integrated into the overall, iterative development process.  Better coordination between the two teams would also address these DevSecOps challenges:

  • Security tools are notorious for reporting false positive and irrelevant results. It is important that a consensus be established before development begins among the product owner, developers and security teams regarding the standards and methodology to resolve false positives. Some of the tools that we have found most useful for security in the DevOps context are listed here.
  • Equal emphasis needs to be applied to automation of security updates, patches and newly identified vulnerabilities.  Developers need to perform integration tests for updates and patches as early in the process as possible, using their CI/CD pipeline.  And when new issues such as zero-day vulnerabilities are identified in production, all teams need to have a clearly defined approach to remediating the production applications quickly.
  • Industry-accepted security tools are often proprietary and may be more difficult to integrate as part of a CI/CD pipeline. Vendors are addressing these deficiencies as DevOps has become a priority in the marketplace. Security teams should work with developers during sprint planning sessions to identify and implement creative solutions when necessary.

Government is not the only IT industry facing these issues. Financial and medical industries are thought leaders in this space, and have managed to make great strides in addressing DevSecOps challenges. The cultural and silo issues found with integrating security into DevOps are very similar to the challenges addressed when development and operations teams needed to align their goals to make the DevOps approach succeed. Agencies just need to get the security team to join the party.

Prioritizing early and frequent feedback, both through interpersonal communication and through automated technical challenges, is the key to better government cybersecurity. Greater DevSecOps adoption is how government IT can, to borrow a phrase from GSA, deliver safer software sooner.

Michael Iams, is a Solution Architect at REI Systems. He has specialized in automating system development processes, managing large volume/high velocity data, and public sector transparency.