Rapid Deployment: Why DoD Is Ready for the DevSecOps Era


Presented by Microsoft Azure

Experts from industry offer best practices from the commercial sector for the defense sector’s implementation of DevSecOps.

Late last year, a group of developers at the U.S. Air Force pushed an unusual software update: Using an open source, cloud-based tool for managing software containers, the team uploaded a suite of microservices — all written in modern programming languages — directly onto the legacy hardware of an F-16 fighter jet. 

From the first line of code to the installation, the whole process took just 45 days. The feat was a big win for the Defense Department’s burgeoning DevSecOps strategy, an effort to instill a more modern and secure approach to building software applications, based on rapidly fielding new capabilities and building on them iteratively. 

DevSecOps is a paradigm shift in developing software that has the potential to unlock tech breakthroughs “at the speed of relevance,” as Pentagon leaders have long called for: cloud-native applications, defensive and offensive cyber capabilities, and machine learning and artificial intelligence solutions.  

“Today’s DOD really needs to start building modern applications that leverage information from the edge, as it flows in real-time,” says Sujit Mohanty, chief technology officer for defense at Microsoft, who notes that this project is a prime example of how DevSecOps can be used effectively in the DoD to further the mission as technology advances. “They’re looking at leveraging technologies that are interoperable, scalable, AI-ready and data-driven.” 

DOD faces unique challenges in delivering secure and functional software capabilities to the nation’s warfighters. 

“DOD’s modern apps need to be built to respond to today’s changing mission landscape,” Mohanty says.

And beyond keeping pace with private-sector best practices, there’s something else at stake, as well: The need for DOD to maintain the military’s edge when it comes to global competitors.

“DevSecOps means being able to rapidly deploy capabilities at the same speed that adversaries do,” Mohanty says. 

The DevSecOps Approach

The initial move toward agile development and then DevOps, with its focus on iterative development and continuous integration of new capabilities, marked a big shift in both the private sector and government away from the traditional “waterfall” approach. The traditional approach too often led to big-budget, schedule-busting IT blunders.

DevSecOps builds on agile and DevOps, incorporating additional elements. In the DevSecOps approach, all parts of the IT shop — software developers, the operations team and, crucially, security professionals — collaborate on the development and deployment of software from the earliest stages.

The new approach has drawn support from defense IT leaders, who launched the DOD Enterprise DevSecOps strategy about two years ago.

The effort aims to streamline the process of building effective DevSecOps teams across DOD by creating not only a DevSecOps playbook but a full-scale software factory of vetted, best-in-breed development tools. 

The idea is to replace many of the cumbersome, manual steps in the software development process with automated methods for conducting security, performance, and integration testing — essentially, creating a reliable pipeline for developing and pushing software releases. 

“One of the biggest pain points that it solves is it brings an automated set of software tooling and services standards,” Mohanty says of the Pentagon’s DevSecOps strategy. “And that allows DOD to enable the warfighter to create, deploy and operate software applications in a secure and flexible fashion.”

Constant Focus on Security

For DOD, security is paramount. An important element of the DevSecOps approach is the early involvement of security specialists — part of what’s known as a “shift left” mentality. 

Not only does the shift-left approach create a system of checks and balances for finding and fixing issues early in the process; it also allows for building in stronger security measures. These measures include not just static scans and analyses but zero-trust architectures, behavior detection and continuous monitoring.

Security remains a continual part of the process beyond just Day One of fielding new capabilities. 

“From day two all the way out to day 365, you’re constantly thinking about security, but you’ve already baked in some of those core aspects from the start,” Mohanty says. 

Building Teams and Processes

Organizations seeking a quick fix for deploying DevSecOps have simply detailed a security analyst or two to an existing DevOps team. That approach is unlikely to succeed. 

Organizations need to integrate DevSecOps into their culture and focus on building a fully integrated, truly cross-functional team, Mohanty says. That requires the necessary leadership buy-in to rethink the traditional org chart and it also requires team members who understand the mission context of what they’re building. 

Without someone who understands how a particular application will actually be used in the field by an end user, a team risks coding something that meets all the technical specifications but still turns out to be a clunker. Mohanty likens it to building a bicycle with square wheels.

In addition to building strong teams, the DevSecOps approach stresses forging collaborative — and reliable — processes. 

The idea of being able to show the end-to-end process as a repeatable process helps rally folks, Mohanty says.

It’s one thing to get an organization to unite around the excitement of a first code push, but “if you make the second and third time just as easy as the first – and continue to make it simpler as it goes forward – you start to get more organizational stakeholders that start to buy into the idea because this is a sustainable process,” he adds.


This content is made possible by our sponsor Microsoft; it is not written by and does not necessarily reflect the views of NextGov’s editorial staff.
