Ian Fogarty is a managing director at Accenture Federal Services for technology and operations. Patrick Lardieri is a senior fellow at Lockheed Martin.
In the complex threatscape of 2021, where the software supply chain itself is an attack vector, it is more important than ever that organizations have the right processes and tools in place to detect security vulnerabilities before software is deployed.
Fortunately, over the past few years, one software development best practice has emerged as a way to do that. Although implemented differently from place to place, DevSecOps has allowed organizations in industries as different as defense, telecommunications, and retail to shape and scale their use of technology at breathtaking pace — maximizing both the speed of software deployment and the reliability and security of operations.
How DevSecOps Enables Rapid and Affordable Software Security
DevSecOps uses the continuous integration and continuous deployment (CI/CD) DevOps software pipeline, but adds a series of automated security measures and controls like code quality checks and application security scans, to produce mission-critical systems securely and at the speed required to keep up with evolving threats.
There’s an old joke about project management: You can get it good, fast, or cheap — pick any two. The Project Management Institute calls that the triple constraint: scope, schedule and cost all play off against each other. The new triple constraint for software product management is playing speed, security, and functionality against one another. Through its use of automated security tools, DevSecOps eliminates that constraint, getting maximum functionality at software speed while meeting rigorous security requirements.
Done right, DevSecOps ensures the integrity of software, even as it is continuously integrated and deployed. By using vetted tools that have been accredited with an authority to operate (ATO) in a secure development environment, DevSecOps offers DoD leaders a way to get new capabilities to front line personnel as quickly as updates can be pushed out to your phone. The automated security testing tools used in DevSecOps generate the data needed for security posture and compliance requirements. This means CI/CD pipelines with appropriate security controls and guardrails will automate the kind of continuous ATO accreditation that DoD has been piloting.
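The two ideas in the paragraphs above, automated security controls that gate the pipeline and scan data that doubles as compliance evidence, are easier to see in code. The following is an added example written for this article, not code from the authors, DoD, Platform One, or any vendor named here. It assumes a generic finding format (tool, rule, severity, location), a hypothetical policy class, and constructed sample scanner output; real scanners emit their own formats, and a real gate would read those.

```python
"""Added example: a pipeline security gate of the kind DevSecOps inserts into a
CI/CD run. It applies a written policy to the findings the automated scanners
produced, decides whether the build may proceed, and records tamper-evident
evidence a continuous-ATO process could consume. Finding format, policy fields
and sample data are assumptions made for this illustration."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import hashlib
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner produced it (assumed names)
    rule: str       # the scanner's rule identifier
    severity: str   # one of SEVERITY_RANK
    location: str   # file:line


@dataclass
class GatePolicy:
    block_at_or_above: str = "high"   # any finding at this severity or worse blocks
    max_medium: int = 5               # bounded budget for medium findings
    # every required scanner must actually have run; a missing scan is not a clean scan
    required_tools: tuple = ("sast", "dependency-scan", "code-quality")


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)


def evaluate_gate(findings, tools_run, policy):
    """Return the gate decision and every reason the build was blocked."""
    reasons = []
    for tool in policy.required_tools:
        if tool not in tools_run:
            reasons.append(f"required scanner did not run: {tool}")
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) >= threshold:
            reasons.append(f"{f.tool}:{f.rule} {f.severity} at {f.location}")
    mediums = sum(1 for f in findings if f.severity == "medium")
    if mediums > policy.max_medium:
        reasons.append(f"{mediums} medium findings exceed budget of {policy.max_medium}")
    return GateResult(passed=not reasons, reasons=reasons)


def evidence_record(commit, findings, tools_run, result, now=None):
    """Compliance evidence: what was scanned, by what, what was found and the
    decision, sealed with a digest so later tampering can be detected."""
    record = {
        "commit": commit,
        "evaluated_at": (now or datetime.now(timezone.utc)).isoformat(),
        "tools_run": sorted(tools_run),
        "finding_count": len(findings),
        "findings": [asdict(f) for f in findings],
        "decision": "pass" if result.passed else "block",
        "reasons": result.reasons,
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["sha256"] = hashlib.sha256(body).hexdigest()
    return record


def verify_evidence(record):
    """Recompute the digest over everything except the stored digest."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return digest == record.get("sha256")


# Constructed sample scanner output (not from any real scan)
SAMPLE_TOOLS_RUN = {"sast", "dependency-scan", "code-quality"}
SAMPLE_FINDINGS = [
    Finding("sast", "hardcoded-secret", "high", "src/config.py:14"),
    Finding("dependency-scan", "outdated-lib", "medium", "requirements.txt:3"),
    Finding("code-quality", "unused-import", "low", "src/util.py:1"),
]


def run_sample(commit="0000000-placeholder"):
    """Gate the constructed sample and return (result, evidence record)."""
    result = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_TOOLS_RUN, GatePolicy())
    return result, evidence_record(commit, SAMPLE_FINDINGS, SAMPLE_TOOLS_RUN, result)


if __name__ == "__main__":
    res, rec = run_sample()
    print("decision:", rec["decision"], "| reasons:", res.reasons)
    print("evidence intact:", verify_evidence(rec))
```

The gate treats a scanner that failed to run as a blocking condition rather than as an absence of findings; that distinction is what makes the evidence record meaningful to an accreditor, because the record states which controls executed, not only what they reported.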
No wonder the office of the DoD Chief Information Officer has declared that “DevSecOps is the industry best practice for rapid, secure software development.”
To make this cutting-edge technology available to the United States military, the DoD has built a series of software factories, like Platform One, leveraging commercial DevSecOps pipelines for military applications. These factories can provide new capabilities for DoD software within days or weeks, rather than the months or years it has traditionally taken.
But these DevSecOps factories, like all modern software and IT infrastructure, rely on an ecosystem of suppliers — COTS products, external libraries, open source frameworks, not to mention the many vendors providing software development. These ecosystems create external dependencies and supply chain risk. That’s not unique, of course, to these factories. Many larger products and systems used by the DoD also integrate deliveries from external vendors and other government organizations.
In the software factories, that risk is currently being managed by bolting on the security requirements afterwards, through accreditation of delivered products.
How DevSecOps Can Be Extended Up the Software Supply Chain
Instead, DoD leaders need to bake security requirements in — pushing accredited and vetted DevSecOps tools and processes further up the supply chain, out into the ecosystem of suppliers. These delivery “on-ramps” allow integration, scans, and vetting to be done externally, significantly reducing compliance risk.
A controlled cloud environment provides the necessary separation and isolation from the core integration factory, test, and production environments. Agreements protect supplier intellectual property while giving the DoD the access to source code it needs for security assessments.
Large retailers have famously pushed supply chain requirements upstream — demanding suppliers pack pallets or display barcodes a certain way, and even manage their own inventory in warehouses. Suppliers are willing to comply, because the revenue they receive from doing business with these organizations dwarfs any costs they incur meeting their requirements.
Recent changes to DoD acquisition rules, and the new Cybersecurity Maturity Model Certification, show the determination of defense leaders to enhance the security of the software development supply chain. But these policies leave implementation up to each partner organization.
DevSecOps provides a ready-made process and infrastructure to implement these policies within a supplier’s software development activities. Through the use of automated tools, every member of the ecosystem can move down their own path while meeting the DoD’s security and mission requirements.
To build that conveyor belt, DoD leaders need to leverage the technical expertise developed in the highly complex and scalable commercial environments in which DevSecOps emerged. They need industry partners who have transformed their software supply chain so that software deliveries, infrastructure, and code integration and deployment are automated and vetted, and who have realized the enormous value of blowing away the new triple constraint.