Rapid Deployment: Why DoD Is Ready for the DevSecOps Era

Late last year, a group of developers at the U.S. Air Force pushed an unusual software update: Using an open source, cloud-based tool for managing software containers, the team uploaded a suite of microservices — all written in modern programming languages — directly onto the legacy hardware of an F-16 fighter jet. 

From the first line of code to the installation, the whole process took just 45 days. The feat was a big win for the Defense Department’s burgeoning DevSecOps strategy, an effort to instill a more modern and secure approach to building software applications, based on rapidly fielding new capabilities and building on them iteratively. 

DevSecOps is a paradigm shift in developing software that has the potential to unlock tech breakthroughs “at the speed of relevance,” as Pentagon leaders have long called for: cloud-native applications, defensive and offensive cyber capabilities, and machine learning and artificial intelligence solutions.  

“Today’s DOD really needs to start building modern applications that leverage information from the edge, as it flows in real-time,” says Sujit Mohanty, chief technology officer for defense at Microsoft, who notes that this project is a prime example of how DevSecOps can be used effectively in the DoD to further the mission as technology advances. “They’re looking at leveraging technologies that are interoperable, scalable, AI-ready and data-driven.” 

DOD faces unique challenges in delivering secure and functional software capabilities to the nation’s warfighters. 

“DOD’s modern apps need to be built to respond to today’s changing mission landscape,” Mohanty says.

And beyond keeping pace with private-sector best practices, there’s something else at stake, as well: The need for DOD to maintain the military’s edge when it comes to global competitors.

“DevSecOps means being able to rapidly deploy capabilities at the same speed that adversaries do,” Mohanty says. 

The DevSecOps Approach

The initial move toward agile development, then DevOps, a focus on iterative development and continuous integration of new capabilities, marked a big shift in both the private sector and in government away from the traditional “waterfall” approach. The traditional approach too often led to some big-budget and schedule-busting IT blunders. 

DevSecOps builds on agile and DevOps, incorporating in additional elements. In the DevSecOps approach, all parts of the IT shop — software developers, the operations team and, crucially, security professionals — collaborate on the development and deployment of software from the earliest stages. 

The new approach has drawn support from defense IT leaders, who launched the DOD Enterprise DevSecOps strategy about two years ago.

The effort aims to streamline the process of building effective DevSecOps teams across DOD by creating not only a DevSecOps playbook but a full-scale software factory of vetted, best-in-breed development tools. 

The idea is to replace many of the cumbersome, manual steps in the software development process with automated methods for conducting security, performance, and integration testing — essentially, creating a reliable pipeline for developing and pushing software releases. 

“One of the biggest pain points that it solves is it brings an automated set of software tooling and services standards,” Mohanty says of the Pentagon’s DevSecOps strategy. “And that allows DOD to enable the warfighter to create, deploy and operate software applications in a secure and flexible fashion.”

Constant Focus on Security

For DOD, security is paramount. An important element of the DevSecOps approach is the early involvement of security specialists — part of what’s known as a “shift left” mentality. 

Not only does the shift-left approach create a system of checks and balances for finding and fixing issues early in the process; it also allows for building in stronger security measures. These measures include not just static scans and analyses but zero-trust architectures, behavior detection and continuous monitoring.

Security remains a continual part of the process beyond just Day One of fielding new capabilities. 

“From day two all the way out to day 365, you’re constantly thinking about security, but you’ve already baked in some of those core aspects from the start,” Mohanty says. 

Building Teams and Processes

Organizations seeking a quick fix for deploying DevSecOps have simply detailed a security analyst or two to an existing DevOps team. That approach is unlikely to succeed. 

Organizations need to integrate DevSecOps into their culture and focus on building a fully integrated, truly cross-functional team, Mohanty says. That requires the necessary leadership buy-in to rethink the traditional org chart and it also requires team members who understand the mission context of what they’re building. 

Without someone who understands how a particular application actually will be used in the field by an end-user, a team risks coding something that meets all the technical specifications but still turns out a clunker. Mohanty likens it to building a bicycle with square wheels. 

In addition to building strong teams, the DevSecOps approach stresses forging collaborative — and reliable — processes. 

The idea of being able to show the end-to-end process as a repeatable process helps rally folks, Mohanty says.

It’s one thing to get an organization to unite around the excitement of a first code push, but “if you make the second and third time just as easy as the first – and continue to make it simpler as it goes forward –  you start to get more organizational stakeholders that start to buy into the idea because this is a sustainable process,” he adds.

Be sure to check out other topics covered in this series:

• Ways to Jump Cultural Hurdles to Realize Effective Government DevSecOps
• Shifting Left: How DevSecOps Strengthens Agency Security and Risk Management
• How Public Sector Developers Can Achieve DevSecOps Through Collaboration and Open Source Tool
• Government Innovation, Readiness Will Require More than Just DevOps
• Breaking Down Silos: DevSecOps Makes Security Everyone's Business