Like government agencies and organizations in other sectors, the Defense Department (DoD) in many ways runs on software. “Software has become one of the most important components of our nation’s weapons systems, and it continues to grow in importance,” according to a 2018 Defense Science Board report examining the design and acquisition of DoD software.
Software drives program risk on about 60% of acquisition programs, the report notes, which underscores the importance of incorporating security from the start. “Design and acquisition decisions at the beginning of the software development process frequently have far-reaching and long-term effects,” the board said.
In one important way, time works against software’s effectiveness. Traditional waterfall practices can take a year or more to deliver usable software, which can leave DoD far behind the curve in a fast-moving world. Agile development speeds things up, but not enough. The Enterprise DevSecOps Initiative states plainly that legacy processes lack the agility to deploy new software “at the speed of operations” and leave security as an afterthought, bolted on after an application has already been developed.
In short, traditional software development methods just aren’t good enough anymore. What DoD needs are programs with “the ability to rapidly field and iterate new functionality in a secure manner, with continuous oversight based on automated reporting and analytics, and utilize [DoD Information Assurance Certification and Accreditation Process]-accredited commercial development tools,” according to the initiative’s reference design document.
DevSecOps, which is now established as the “industry best practice for rapid, secure software development,” presents the optimal path for DoD and other organizations, according to the document. Its continuous testing and delivery puts updates and new applications into use swiftly, potentially giving DoD a decided advantage over adversaries.
But doing DevSecOps effectively involves more than just deciding to do it. “Current law, regulation, policy and internal DoD processes make DevSecOps-based software development extremely difficult, requiring substantial and consistent senior leadership involvement,” the Defense Innovation Board’s 2019 SWAP Study states. “Consequently, DoD is challenged in its ability to scale DevSecOps software development practices to meet mission needs.” It requires a cultural change, which starts at the top.
Solution: Deliver Incremental Value Through DevSecOps
DevSecOps offers dramatic advantages in the speed of development. “In a traditional waterfall scenario, delivered value is zero until the initial release of the product,” Kevin Griffith, Senior Director for DoD Sales at Red Hat, said. “With DevSecOps, features, and thus value, are produced iteratively, in small increments. This means that, while the first iteration that can be released might not be as impactful as the first release from a waterfall release schedule, the value is fielded far sooner, and continues to add value through the iterative steps of additional releases.”
The SWAP Study provided some examples of DevSecOps’ advantages. For example, it found that the time for Initial System Authorization fell from 12 months under legacy processes to three months with DevSecOps.
Beyond the development process itself, DevSecOps also fits well with Other Transaction Authority (OTA) agreements, acquisition vehicles that allow DoD and other federal agencies to collaborate with nontraditional businesses on cutting-edge projects and develop new, innovative capabilities together with industry partners.
“DevSecOps pairs perfectly with these goals,” Griffith said. “Agencies can demonstrate the advantages of a leaner, more agile acquisition strategy for DoD through a DevSecOps engagement using an OTA vehicle.”
Project leaders can home in on the most valuable aspects and more easily course-correct throughout development. “In the end, a DevSecOps methodology will show greater time to value and more focused value to DoD, which should naturally lead procurement and acquisition to prefer a leaner, more flexible process,” he said.
This article is an excerpt from GovLoop’s recent report, “DevSecOps: Deploying Software at Speed of Operations.”
Photo credit: Defense Department Flickr