Successful DevSecOps Starts With Trust, Government Experts Say


The pandemic forced new ways of thinking in government software development.

The software development lifecycle begins the moment a person has a bright idea about a new application. If the developer trusts that security professionals want to improve its creation, rather than think they just impose roadblocks, bringing the idea to fruition will run much more smoothly.

This is a key takeaway from the Advanced Technology Academic Research Center webcast Jan. 13 on “Fostering Effective DevSecOps with Modern Application Security.”

Greg Edwards, CISO for the Federal Emergency Management Agency, said that when the requirements for a new software application are developed, the security requirements should be included.

“We all know this, but why haven’t we embraced this more fully?” Edwards said. “It’s the trust factor, and it’s the timelines. Sometimes it’s difficult to wedge in security in those milestones … Understanding that security will affect the implementation timeline [means] we have to talk about software development.”

Christopher Crist, Chief of Development, Security, and Operations, U.S. Transportation Command, said there are two ways that including security in the development process have to be considered. “There’s the technical perspective of inserting security, [and] incorporating the security experts, the human resources, as well.” But most security staffs are siloed away from the developers, he said.

Nicole Willis, CTO for the Office of Inspector General, Department of Health and Human Services, said the increased focus on security represents a big culture shift.

“We’re implementing security at all levels of projects, from planning [on to release],” Willis said. “We’re embedding security in our DevOps team. It’s important that they have that security mindset in place as they develop the projects.”

The onset of the pandemic, forcing many federal employees to work from home, reinforced the importance of incorporating security from the outset, Edwards said.

“’Oh, you’re working from home. [How] can I allow you to do all those things?’” he said. “But we discovered we are already doing them, just not at scale.”

Edwards said allowing employees to use their printers at home was a particular challenge, because his office was focused on knowing all the assets on FEMA’s networks. “In the end, we had to adjust our risk-based thinking to allow more people to work from home.”

He said one tool he would like to see is something that would visualize the security compliance of multiple software development programs in one place.

“We have over a hundred programs that we’re managing through the lifecycle, and they are all in various stages of being compliant,” he said. “Spreadsheets are not the answer. I hate spreadsheets.”

Edwards also asked for “some capability that would allow us to prevent some assets being connected to the enterprise,” such as USB drives. “We have 10 regions, each with its own IT department. [We need] some automated way of managing the ability of someone who has system administrator privileges from making changes … The shift to the cloud helps with that, but we’re not all in that environment today.”