3 Ways DevSecOps Can Improve Cybersecurity Practices

As much as agencies want and need to rapidly respond to change, they’re only as agile as the systems they rely on.

At the root of the issue are traditional program development processes in government, which don’t have the speed and flexibility to keep up with technological changes or fast-paced modern adversaries. But there’s a shift taking place. Agencies are rethinking how they approach software and systems development in their technology programs.

Specifically, they’re using more flexible methods, such as DevSecOps, to streamline the process and to improve cybersecurity from the start. The goal is to tightly integrate development, security and operations, and enable fast and continuous delivery of value to end users.

Derek Strausbaugh, Chief Digital Officer for Microsoft’s National Security Business, and Zach Kramer, Engineering Lead for Microsoft’s Azure Government, explain three ways that DevSecOps is changing cybersecurity practices across government.

1. Builds cyber considerations into programs from the beginning

The intent of DevSecOps is to get everyone in a program accountable for and invested in security, with the goal of implementing security decisions and actions at the same scale and speed as development and operations decisions and actions.

“You’re really taking security and putting it on the same level as continuous integration and delivery,” Strausbaugh said. So it’s not just Agile development, it’s actually creating another leg of the stool for quality from the get-go.

2. Creates organizational awareness around security

Agile development methodologies that emphasize iterative development cycles and feedback have become more common in federal government technology programs. “But DevSecOps often gets confused as either another name for Agile development or an offshoot of it,” Strausbaugh said.

DevSecOps shifts left security accountabilities, allowing programs to operate more efficiently and create more organizational awareness when problems do show up.

“DevSecOps also helps with software and technology development pipelines,” Kramer said. “This is important because it is possible for programmers to build code and deliver products without understanding the infrastructure underpinning it.”

3. Changes the culture and the conversation

Another advantage of DevSecOps is that it shifts the program manager’s perspective from making sure that software is in compliance or meets a specification or audit to ensuring that the code is written correctly and securely and that it’s deployed in a repeatable manner.

Overall, DevSecOps fits into the government’s modernization strategy to upgrade legacy systems and incorporate new capabilities such as machine learning or artificial intelligence into its mission. “It is about increasing velocity — speeding up decision-making and operational effectiveness — rather than simply delivering software,” Strausbaugh said.

This article is an excerpt from GovLoop’s recent guide, “Agile for Everyone: How to Improve Everyday Work Processes.” Download the full guide here.


Leave a Comment

Leave a comment

Leave a Reply