Cloud-native development continues to accelerate with no indication of stopping. Federal agencies need to adopt a DevSecOps culture to be successful with cloud-native software development. Adopting new tools – and new processes – is never easy, but it’s practically impossible if your agency’s culture doesn’t embrace change, collaboration and innovation.
How does that culture develop? Some government programs have an advantage. Because of their mission or focus, they are more organically open to re-invention and new ideas, which typically attract employees who ask questions, analyze results and are willing to try new processes.
That description certainly doesn’t include every organization within the public sector, so let’s dig deeper and identify the mindset needed to achieve a DevSecOps culture.
In a successful DevSecOps environment, security is baked into development using automated tooling and processes that help shorten feedback loops. This results in delivery speeds that keep pace with modern missions, operations, security and compliance. Some agencies are closer to the problem than others. Being close to the problem makes it more tangible and real. Such closeness also forces an organization to identify their actual need to change their development practices and solve their problem.
After observing dozens of agencies and hundreds of teams, the cultures that best support DevSecOps embrace six overlapping mindsets. Here are the first three:
At the heart of DevSecOps is a need for unity, communication, listening and discussion between every relevant stakeholder in the development and security process. The collaboration needed between various team members who work side-by-side stands in sharp contrast to waterfall methodology roles where developers would finish a project and “throw it over the wall” for testing and security. These developers would inevitably find faults and toss it back, resulting in conflicts and delays. DevSecOps relies on doubling down on security by leveraging automated tools, flexible APIs that encourage automation and reporting out security related information in an automated way to every relevant stakeholder in the development and delivery process to foster collaboration among the team.
A close relative of collaboration, this open-minded approach creates a place for ideas to be thrown around and feedback to be considered seriously, even when it comes from those outside of the DevSecOps team. When there’s a problem, whether it be a catastrophic production failure or a small bug, there is going to be a lot of conversation, yelling and likely some foul language. Leaders and team members alike should listen to their colleagues, hear out their solutions and be honest with feedback only after they have fully understood their team’s perspective. The best development shops I’ve seen are those with amazing leadership who keep their mouths shut first, solicit feedback to the experts on their team second, listen third and lastly empowers their team to go out and solve problems in the best way their team sees fit.
3. Reuse to Pick Up Speed
DevSecOps doesn’t need to reinvent the wheel. There are tons of open source tools and software that encourage DevSecOps. Agencies used to proprietary solutions and protected code may realize huge gains when open source tooling can address proven security functions. Hacking together custom tailored solutions is no longer a necessity as the cloud-native open source toolbox is extremely deep. If you need some quick and simple solutions to complex problems, there are a ton of tools out there to help.
Rather than viewing these mindsets as a prescription, you and your agency should think of them as a flexible framework to help determine DevSecOps readiness.
Stay tuned for part two of this blog, where I’ll discuss how being a parent helps your DevSecOps mindset, where innovation begins and the importance of authenticity.
Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our summer/fall 2021 Cohort, here is a full list of every Featured Contributor during this cohort and a link to their stories.
Hayden Smith is a senior engineer with Anchore, a software container security company. Currently, Smith leads developer projects across the Defense Department (DoD) and numerous federal agencies to help government organizations adopt DevSecOps best practices. His work includes building and automating Platform One, a collection of hardened and approved containers for use across agencies.
Smith’s dedication to advancing safe cloud-native development practices has been able to guide, empower, equip and accelerate DoD programs through their DevSecOps journeys. Prior to joining Anchore, Smith was a DevOps and infosecurity technologist with Booz Allen Hamilton, where he worked extensively on FedRAMP compliance. You can connect with Anchore on Twitter and LinkedIn.