For agencies to realize the full benefits of DevSecOps, they need to apply the DevOps tenet of continuous delivery both to software and security
This is a big change from a traditional development environment in which security typically operates as a separate function that comes into play at key points in the development life cycle. In that model, security also is seen as a drag on the development process and an obstacle to innovation.
Agencies can avoid those pitfalls by fully incorporating security into the DevOps process and, more importantly, into the daily workflow of their developers.
To learn more about this, GovLoop spoke with Michael Ducy, Cloud-Native Transformation Specialist at Red Hat. He discussed three ways agencies can reduce risk and improve compliance while also driving innovation.
Let Developers Drive Innovation
When it comes to security, IT experts often talk about the importance of “shifting left,” that is, addressing security earlier in the development life cycle. But it’s not just security that shifts left with DevOps.
In traditional IT environments, developers were expected to adhere to a detailed IT architecture, which was updated periodically. To take advantage of today’s rapid rate of innovation in technologies and architectural approaches, agencies need to give developers more leeway to decide what languages, toolsets and capabilities they might need to build an application, said Ducy.
“Keeping the state of innovation at the development level is very important, because it helps you further down the line, as you’re trying to reach your customer, or your user, in this new digital world,” he said.
Let Developers Drive Security
Because the DevOps environment is so dynamic, security can keep up only if it is fully integrated into the day-to-day work of developers.
In this environment, the security team plays more of a consulting role, helping developers understand security requirements “so that they can make better choices in the future as they go through this more modern way of working,” Ducy said.
Establish a Trusted Software Supply Chain
Integrating security into the development process provides the foundation for building what Red Hat calls a trusted software supply chain (TSSC).
With a TSSC, all stakeholders can be confident that security, compliance and privacy requirements are addressed throughout the software development life cycle. Such trust is essential to accelerating a program’s ability to achieve authority to operate.
Many pieces must come together to build a TSSC, and it won’t be easy if agencies take a piecemeal approach, said Ducy.
“With the Red Hat OpenShift Container Platform, we provide a complete holistic solution that enables you to build a trusted software supply chain rapidly and to onboard new teams quickly to start working in this way,” he said.