For the Defense Department (DoD), the baseline reality is that its software acquisition process hasn't kept pace with warfighters' needs, particularly when the commercial sector, and adversaries, push new capabilities into use quickly. DoD has traditionally relied heavily on waterfall development, a methodology that delivers new software roughly every three to 10 years, according to a DoD presentation. Additionally, DoD's Authority to Operate (ATO), a formal accreditation process burdened with manual testing, can take eight months or longer to accredit software, further delaying delivery to the mission.
Practically everything in DoD today is a software system, from weapons and aircraft to logistics and communications. The F-35 Lightning II aircraft, for example, has more than 8 million lines of code in the fighter itself, and 24 million lines if you count its ground-based Autonomic Logistics Information System (ALIS). Because so many of DoD’s systems rely on software, continual updates are necessary to keep systems running smoothly, as the Government Accountability Office noted in a report last year. Traditional, glacial processes of acquisition and development won’t cut it.
That has led DoD, like organizations in other sectors, toward Agile development — a collaborative process that breaks down software projects into development sprints — and DevOps, an organization-wide set of principles, practices, and tools that includes Agile and should enable automated testing and continuous delivery. DevSecOps, so named because it combines software development, security and IT operations, puts DoD’s other priority — security — into the mix from the beginning, engaging developers, users, security teams and others.
“Fundamentally, it’s being willing to change the way we do things for the better,” said Joseph McKairnes, DoD Senior Federal Solutions Architect for GitLab. “In years past, taking months or years to adapt to a threat was practical. Threats to our nation were typically from entire countries – we knew who they were and could deal with them accordingly.
“For the DoD today, the threat landscape is ever-changing — with so much reliance on connected systems and software, new threats are constantly appearing, and from unknown entities. The DoD needs to adapt to this in minutes or hours at a minimum,” McKairnes said.
One goal of the DoD Enterprise DevSecOps Initiative is to reduce application timelines from months or years, common with waterfall development, to weeks, days, hours or even minutes. This exceeds even the months-or-weeks model of Agile development. The ultimate goal is to put the tools and process through an ATO process so that the software created is already authorized to operate and can be immediately deployed.
DevSecOps uses automation in every stage of development and delivers software to the cloud as open-source containers orchestrated by Kubernetes, which automates the deployment and management of those containers. Knative, a Kubernetes-based platform for building, deploying and managing modern serverless workloads, extends that process. Security is baked into the containers themselves through a Sidecar Container Security Stack, which runs alongside each application container and adds capabilities such as behavior detection and zero-trust enforcement. A DoD Centralized Artifacts Repository (DCAR) provides a store of hardened, centrally accredited containers. Because the containers are built on open standards, the approach avoids lock-in to any single cloud provider.
Implementing DevSecOps, however, can be complex. It spans 10 functional areas, and covering them has typically meant procuring, integrating and training on 15 to 30 separate products, which can dramatically slow the process.
Because GitLab is a single application for the entire DevOps life cycle, it shortens that process significantly. For example, automated security scans run as soon as a developer pushes code to the repository, so vulnerabilities are identified and can be addressed immediately. Scanning while the developer is still working on the code allows proactive, real-time remediation of potential security vulnerabilities.
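The pipeline below is an added illustration, not code from the GovLoop report or from GitLab's own documentation, of what "scan on every push" looks like in practice: a `.gitlab-ci.yml` that builds an application image from a hardened base image pulled from a central accredited repository and then runs GitLab's built-in static analysis, secret detection, dependency scanning and container scanning jobs against the commit. The registry hostname `registry.example.mil`, the base image path, and the expectation that the project's Dockerfile declares `ARG BASE_IMAGE` and uses `FROM $BASE_IMAGE` are assumptions for the example; the template names and `CI_*` variables are GitLab's standard ones.

```yaml
# Added example (not from the GovLoop report or GitLab's documentation).
# Assumptions: the project's Dockerfile starts with
#   ARG BASE_IMAGE
#   FROM $BASE_IMAGE
# and "registry.example.mil/hardened/python:3.11" is a placeholder for a
# hardened base image served from a central accredited repository.

stages:
  - build
  - test   # GitLab's security-scanning templates attach their jobs to this stage

# Pull in GitLab's maintained scanner jobs; each one runs on every push and
# uploads its findings as a security report on the pipeline and merge request.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  # Placeholder hardened base image (assumed hostname and path).
  HARDENED_BASE: "registry.example.mil/hardened/python:3.11"
  # Image built from this commit; the same tag is handed to container scanning.
  IMAGE_TAG: "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
  CS_IMAGE: "$IMAGE_TAG"
  SECURE_LOG_LEVEL: "info"

build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Authenticate to the project's registry with the job's short-lived credentials.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # Build on the hardened base image rather than an arbitrary public one.
    - docker build --build-arg BASE_IMAGE="$HARDENED_BASE" -t "$IMAGE_TAG" .
    # Push so the container-scanning job in the test stage can pull and inspect it.
    - docker push "$IMAGE_TAG"
```

Two practitioner caveats. First, the scanner jobs report findings; by default they do not fail the pipeline, so blocking a merge on a critical finding is configured separately (for example through merge request approval rules on scan results) rather than assumed. Second, the value of the hardened base image depends on rebuilding whenever the central repository publishes an updated tag, since a pinned digest that is never refreshed quietly re-inherits every vulnerability fixed upstream.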
The GitLab solution is pre-authorized for use within DoD, which can help shorten the ATO process. It also supports Common Access Card (CAC) and Personal Identity Verification (PIV) authentication, enabling a single sign-on (SSO) approach that further saves time.
This article is an excerpt from GovLoop's recent report, "The Right Application Platform Can Help DoD Develop Its DevSecOps Culture."
Photo credit: U.S. Air Force