How to Maintain Security in a Fast-Paced DevOps Environment

The U.S. government creates an enormous amount of custom software code, either in-house or through contractors. That code ends up in a variety of business applications used by federal employees. But it’s also created for software that supports military operations, crunches climate data and monitors the International Space Station.

Regardless of what these applications accomplish, every one of them initially goes through several phases, such as planning, design, development and testing.

There are different ways to tackle these phases. A traditional method is to complete each phase successfully before moving to the next, but that takes time.

A faster method is called Agile, where code is developed iteratively. That means development and testing activities are done at the same time. By breaking up work into small chunks, team members can work on different pieces in a continuous development and testing cycle. They track progress using a project management tool, track issues in a central database, and use wikis to share project information and to describe how new features should work. The point is that everyone stays on the same page while working on many different tasks until the application is completed.

After development, the application needs to be rolled out to users. That’s where IT gets involved. IT makes sure the application is available to users, that there is enough bandwidth and storage space, and that performance is analyzed to ensure a good user experience. In an Agile environment, updates may be made to the application regularly to fix issues and introduce new features, resulting in continuous development, testing and delivery.

The notion of DevOps was hatched to help developers and IT staff communicate and collaborate. In a DevOps environment, the people who write code using an Agile approach work closely with the people who deliver and support that code, making the entire process more efficient and collaborative.

Whether an app is designed for general use or is mission-critical to an agency, DevOps must be secure. Not only should the application be secure, but the entire development environment must be secure as well.

Government agencies comply with security regulations and standards just like the private sector. For example, the Federal Information Security Modernization Act, or FISMA, deals with security threats, controls and best practices. NIST 800-53 defines many security and privacy controls required for federal information systems and organizations. A security control, by the way, is any type of policy, procedure or solution that protects people, property, or data. A door lock, antivirus software and a firewall are kinds of security controls.

Security experts agree that the best defense is a layered defense, where several security controls are in place simultaneously. But some security controls, by their nature, can slow down users. In a DevOps environment, the key is to provide security without compromising speed and agility.

This article is an excerpt from GovLoop Academy’s recent course, “How to Maintain Security in a Fast-Paced DevOps Environment,” created in partnership with Atlassian, Carahsoft and Go2Group. Access the full course here.
