This blog post is an excerpt from our recent e-book created in partnership with Red Hat, Integrating Security from End to End with DevSecOps. To download the full report, head here.
DevOps is taking off in government project management today.
But where is security in this growth? According to a Gartner report, by 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.
Given the advance of cyberattacks and security issues throughout government today, this focus on security needs to continue – and it makes it more important than ever that security teams are incorporated into the DevOps culture that is developing. This leads to DevSecOps – meaning thinking about application and infrastructure security from the start.
To learn more about how DevSecOps can evolve in government, and how open source can drive that evolution, GovLoop spoke with Dave Cohn of Red Hat. Red Hat is a leader in open source technology for government.
Cohn noted that DevOps isn’t just about development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT security must also play an integrated role in the full life cycle of your apps. Effective DevOps ensures rapid and frequent development cycles (sometimes weeks or days), but outdated security practices can undo even the most efficient DevOps initiatives.
That’s why open source needs to come in, Cohn explained. DevSecOps relies on a culture of collaboration that values openness and transparency. Implementing DevSecOps means applying open source principles and practices because the cultural values of DevSecOps are tightly intertwined with the values of open source communities and agile approaches to work.
“Open source is the fastest way to drive innovation, especially through the government, and making use of enterprise-grade, secure and hardened open-sourced products,” Cohn said. “That’s how you really accelerate the use of DevSecOps and get moving fast on innovation.”
That’s where Red Hat and its OpenShift platform come in. As agencies move toward cloud environments, DevSecOps, and modern architectures, microservices and containers have become an essential utility. Containers have broad appeal because they allow users to easily package an application with all its dependencies into a single image that can be promoted from development to test environments and production without change. Agencies now face the challenges of keeping their containers secure while trying to deliver DevSecOps.
OpenShift is a family of containerization software developed by Red Hat that addresses these security challenges.
“Red Hat OpenShift Container Platform is designed with DevOps teams in mind, letting you automate the container application life cycle and integrate security into the container pipeline,” Cohn said.
“Security isn’t an afterthought, it’s continuous in the process,” Cohn said. “And that’s what it means to really do DevSecOps. As long as you have developers, security, and operations working together cohesively, you’re going to be in a good place.”
Download the full e-book to learn how DevSecOps highlights the need to invite security teams at the outset of DevOps initiatives to build in information security and set a plan for security automation.