For agencies to realize the full benefits of DevSecOps, they need to apply the DevOps tenet of continuous delivery both to software and security.
This is a big change from a traditional development environment, in which security typically operates as a separate function that is brought into play only at key points in the development lifecycle. In that model, security is also seen as a drag on the development process and an obstacle to innovation.
Agencies can avoid those pitfalls by fully incorporating security into the DevOps process and, more importantly, into the daily workflow of their developers.
To learn more about this, GovLoop spoke with Michael Ducy, Cloud Native Transformation Specialist at Red Hat. He discussed three ways in which agencies can reduce risk and improve compliance while also driving innovation.
Let Developers Drive Innovation
When it comes to security, IT experts often talk about the importance of “shifting left,” that is, addressing security earlier in the development lifecycle. But it’s not just security that shifts left with DevOps.
In traditional IT environments, developers were expected to adhere to a detailed IT architecture, which was updated periodically. To take advantage of today’s rapid rate of innovation in technologies and architectural approaches, agencies need to give developers more leeway to decide what languages, toolsets and capabilities they might need to build an application, said Ducy.
“Keeping the state of innovation at the development level is very important, because it helps you further down the line, as you’re trying to reach your customer, or your user, in this new digital world,” he said.
Let Developers Drive Security
Because the DevOps environment is so dynamic, security can keep up only if it is fully integrated into the day-to-day work of developers.
It comes down to continuous delivery. As developers download libraries, JavaScript packages and other tools, they need to ensure that they are running the necessary checks on risk and compliance. Security needs to become just another gate in the continuous delivery process.
In this environment, the security team plays more of a consulting role, helping developers understand security requirements “so that they can make better choices in the future as they go through this more modern way of working,” Ducy said.
Establish a Trusted Software Supply Chain
Integrating security into the development process provides the foundation for building what Red Hat calls a trusted software supply chain (TSSC).
With a TSSC, all stakeholders can be confident that security, compliance and privacy requirements are addressed throughout the software development lifecycle. Such trust is essential to accelerating a program’s ability to achieve authority to operate.
A lot of pieces need to come together to build a TSSC, and it won’t be easy if agencies take a piecemeal approach, said Ducy. “With the Red Hat OpenShift Container Platform, we provide a complete holistic solution that enables you to build a trusted software supply chain rapidly and to onboard new teams quickly to start working in this way,” he said.
This article is an excerpt from GovLoop’s recent guide, “Agencies Build Foundation for DevSecOps Success.”
I love how this resource is split into three succinct segments. Definitely sending this to my (developer) brother!