Managing security risks and developing next-generation software often feels like competing priorities in government.
On one hand, software developers are responding to the needs of end users, updating code and testing quality before deploying. But the rapid pace of software development at even the most agile organizations collides with a monolithic security review at the end of that process, which cannot keep up.
The problem is that when security checks aren’t integrated into developers’ workflows, they can unnecessarily delay software releases, potentially creating greater vulnerabilities if issues slip through the cracks and frustrating everyone involved. “It’s a bit of a square peg, round hole problem,” said Cindy Blake, Senior Security Evangelist at GitLab, a popular web-based DevOps software development lifecycle tool. “Software is a fundamental part of operationalizing any mission, and speed to mission is essential.”
But how can agencies truly “shift left” and empower developers to find and fix vulnerabilities early, so that speed to mission and efficiency both improve? The short answer, Blake explained, lies in agencies’ ability to 1) inspect software incrementally and continuously, 2) rethink how they view security and 3) automate policies where possible.
In a recent GovLoop interview, Blake said when security reviews are integrated into the software development process, teams are freed up to do more innovative work and end users get the capabilities they need faster. “If you can increase your velocity, while at the same time improving your efficiency and reducing risk, you can free up resources to focus on your innovation efforts,” she said.
GitLab enables agencies to embed application security testing into their overall software development lifecycle. In other words, the developer can test each and every line of code within their workflow and get results in real time, while the code is still in their hands — rather than having to wait for a massive scan at the end.
Creating this type of environment requires agencies to rethink security and treat it as an outcome, rather than a function, Blake said. “When we think about security as a department, we get really hung up on tracking stuff. Tracking and reporting on the progress made to resolve those vulnerabilities become the bulk of the effort and the real focus, as opposed to focusing on how to eliminate the vulnerabilities from the beginning,” she noted. “Rethinking security can also allow for common security, compliance and governance models, in addition to simplifying compliance and auditing — further freeing up resources within the agency.”
For security teams, this translates into more time to focus on defining policies reflecting their agency’s risk appetite. Teams can then automate those policies and focus on exceptions rather than manually inspecting every line of code. GitLab, for example, automates app security within its developer tool and has also created a hardened version of its enterprise software that’s currently used within the Defense Department.
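The two ideas above, scanning inside the developer’s workflow and automating a policy so that security staff only look at exceptions, come together in the gate that decides whether a pipeline may proceed. The script below is an added illustration, not GitLab’s own code and not from the GovLoop guide. It assumes a scanner has already written a GitLab-style `gl-sast-report.json` (only the `vulnerabilities[].severity`, `.identifiers` and `.location.file` fields are read), that the security team expresses its risk appetite as a minimum blocking severity, and that accepted exceptions live in a register keyed by finding and file with an expiry date. The report contents and the exception register here are constructed for the example.

```python
"""Policy gate over a SAST report: block on severity, honour time-limited exceptions.

Added example. Runs as a pipeline job after the scanner; the report and the
exception register below are constructed sample data, not real scan output.
"""
import json
from datetime import date

# Severity names as used in GitLab SAST reports, ranked for comparison.
SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample report (not a real scan).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"severity": "Critical", "name": "Hard-coded credential",
         "identifiers": [{"type": "semgrep_id", "value": "hardcoded-password"}],
         "location": {"file": "app/db.py", "start_line": 12}},
        {"severity": "High", "name": "SQL injection",
         "identifiers": [{"type": "cwe", "value": "CWE-89"}],
         "location": {"file": "app/reports.py", "start_line": 40}},
        {"severity": "High", "name": "Insecure deserialization",
         "identifiers": [{"type": "cwe", "value": "CWE-502"}],
         "location": {"file": "app/legacy.py", "start_line": 7}},
        {"severity": "Medium", "name": "Weak hash",
         "identifiers": [{"type": "cwe", "value": "CWE-328"}],
         "location": {"file": "app/util.py", "start_line": 3}},
    ],
})

# Hypothetical exception register owned by the security team: finding key -> expiry.
# An expired exception no longer counts; the finding blocks again until re-reviewed.
EXCEPTIONS = {
    "cwe:CWE-89@app/reports.py": date(2099, 1, 1),   # accepted risk, still valid
    "cwe:CWE-502@app/legacy.py": date(2019, 1, 1),   # expired, must be revisited
}


def finding_key(vuln):
    """Stable key for a finding: first identifier plus the file it was found in."""
    ident = vuln["identifiers"][0]
    return f"{ident['type']}:{ident['value']}@{vuln['location']['file']}"


def evaluate(report_json, block_at="High", exceptions=None, today=None):
    """Return (blocking, accepted) finding keys for a report.

    Findings below `block_at` are ignored (the policy tolerates them).
    Findings at or above it block unless covered by an unexpired exception.
    """
    exceptions = exceptions if exceptions is not None else {}
    today = today or date.today()
    threshold = SEVERITY_RANK[block_at]
    blocking, accepted = [], []
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(vuln.get("severity", "Unknown"), 0)
        if rank < threshold:
            continue
        key = finding_key(vuln)
        expiry = exceptions.get(key)
        if expiry is not None and expiry >= today:
            accepted.append(key)
        else:
            blocking.append(key)
    return blocking, accepted


def gate(report_json, **kwargs):
    """Print the decision and return the exit code a CI job would use (0 = pass)."""
    blocking, accepted = evaluate(report_json, **kwargs)
    for key in accepted:
        print(f"ACCEPTED (exception on file): {key}")
    for key in blocking:
        print(f"BLOCKING: {key}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, exceptions=EXCEPTIONS))
```

Run as a job, the non-zero exit stops the merge while the developer still has the code in hand; the only items a security engineer has to read are the entries in the exception register, and expiry forces those to be revisited rather than silently carried forever.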
“With GitLab, you can streamline your workflows and provide security insight right to the developers,” Blake said. “This frees up resources, speeds time to mission and ensures everyone is on the same page.”
Takeaway: When software development and security review processes become concurrent, teams are freed up to do more innovative work.
This article is an excerpt from GovLoop’s recent guide, “The Top Government Innovations of 2019.”