When considering how applications and their development impact federal agencies and their respective capabilities, two of the most talked-about topics are development models and security. DevSecOps (short for Development, Security, and Operations) integrates development, security, and operations to create faster, more secure, and more reliable software for federal government agencies. As a result, appropriate security measures are addressed early in the development cycle, improving the chances of catching security vulnerabilities and bugs before changes are released.
DevSecOps vs. DevOps
You may have heard the term DevOps in relation to DevSecOps. These cousin processes share many similarities, but with one key difference. DevOps streamlines the software development and release process and aligns development with operations; DevSecOps additionally incorporates cybersecurity, that is, the development of applications with a focus on safe and secure code. To accomplish this, tight collaboration between development, security, and operations teams is essential.
How Did DevSecOps Evolve?
Historically, software development used a “waterfall” model, a series of concrete, sequential steps. Teams would first gather requirements, then carry out development, testing, and release. Security was an afterthought, tacked on at the end of the waterfall; this put applications at risk for avoidable security vulnerabilities and increased the likelihood that bugs were included in releases to users. Siloed teams and data were also an issue: development and operations teams did not interact or work together, instead having discrete functions and data. Developers wrote their code and turned it over to the operations team to deploy.
As a result, progress stalled and nobody benefited. Companies needed a way to remove these barriers, foster greater collaboration and increase the velocity of their feature releases.
DevSecOps helps organizations break down walls between developers, security, operations and, more importantly, users. Getting the administrators talking to the teams that build and secure new service features is critical to success. Involving them up front gives them the chance to influence the design early in the process, so when these barriers are removed, administrators are more likely to end up with a solution that more accurately reflects their needs.
Agile Software Development With DevSecOps
Using DevSecOps, companies can realize efficiencies throughout the development cycle. Here’s how the process works:
Developers focus on coding, testing, and security scanning. Their Integrated Development Environments (IDEs) use plugins to scan code and identify bugs and potential vulnerabilities, alerting developers to fix issues. If a developer attempts to upload buggy or risky code to the application’s central code repository, the upload fails, and all issues must be fixed before proceeding, thereby minimizing bad code.
Once code is placed in the application’s repository, it is integrated using specialized tools, and automated testing is run to validate that the application works as expected. If any tests fail, the build fails and alerts developers, ensuring they resolve the issue. When all code passes testing, it is released to a testing environment for human testers to evaluate.
Delivery and Deployment
At this point, code is manually deployed to a staging environment, and it can then be manually deployed to “production”, where it is combined with the existing application code to deliver new functionality or repair bugs. However, many organizations choose to automate deployment rather than rely on human intervention at this stage. Automated deployment uses the integration tools to release code into production automatically, meaning it is in use by the live application as soon as it passes the pipeline.
A note about this process:
DevSecOps isn't a technology in and of itself. It is a cultural shift that encourages collaboration between cross-organizational teams. It is a process that offers speed and resilience in software releases while enhancing the security of the end product.
- Each of these steps ensures testing and security are addressed earlier in the process rather than later.
- Each of these phases is iterative. Unlike the more linear waterfall model, each step in the Agile model can be revisited as often as necessary to refine the code.
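As an added illustration (not part of the original article, and not Platform One's or RevaComm's tooling), the following Python script models the two automated gates in the pipeline above: a scan that rejects a change containing a hardcoded credential before it reaches the repository, and a test stage that fails the build when a unit test fails. Only a change that clears both gates reaches the deploy stage. The in-memory repository contents, the credential pattern and the unit tests are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample repository (file path -> contents); not real project code.
SAMPLE_REPO = {
    "app/config.py": 'DB_PASSWORD = "hunter2"\nDEBUG = True\n',
    "app/util.py": "def add(a, b):\n    return a + b\n",
}

# The same repository with the credential moved to the environment (constructed).
FIXED_REPO = {**SAMPLE_REPO,
              "app/config.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n'}

# The fixed repository with a logic bug introduced, so the tests catch it (constructed).
BROKEN_REPO = {**FIXED_REPO, "app/util.py": "def add(a, b):\n    return a - b\n"}

# Deliberately simple credential-assignment pattern; real scanners use many more rules.
SECRET_PATTERN = re.compile(r'(?i)(password|secret|api_key|token)\s*=\s*["\'][^"\']+["\']')


@dataclass
class Finding:
    path: str
    line: int
    message: str


def scan_for_secrets(repo):
    """Gate 1: static scan. Returns one Finding per line matching the pattern."""
    findings = []
    for path, text in repo.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if SECRET_PATTERN.search(line):
                findings.append(Finding(path, lineno, "possible hardcoded credential"))
    return findings


def make_tests(repo):
    """Constructed unit tests for the sample repository's app/util.py."""
    namespace = {}
    exec(repo["app/util.py"], namespace)  # load the in-memory module
    add = namespace["add"]

    def test_add_positive():
        assert add(2, 3) == 5

    def test_add_negative():
        assert add(-1, 1) == 0

    return {"test_add_positive": test_add_positive,
            "test_add_negative": test_add_negative}


def run_tests(tests):
    """Gate 2: automated tests. Returns the names of tests that raised AssertionError."""
    failures = []
    for name, test in tests.items():
        try:
            test()
        except AssertionError:
            failures.append(name)
    return failures


@dataclass
class GateResult:
    passed: bool
    stage: str                                  # stage where the change stopped, or "deploy"
    details: list = field(default_factory=list)  # findings or failing test names


def pipeline_gate(repo, tests):
    """Run the gates in order and stop at the first failure, as a CI build would."""
    findings = scan_for_secrets(repo)
    if findings:
        return GateResult(False, "scan",
                          [f"{f.path}:{f.line}: {f.message}" for f in findings])
    failures = run_tests(tests)
    if failures:
        return GateResult(False, "test", failures)
    return GateResult(True, "deploy")


if __name__ == "__main__":
    for label, repo in (("original", SAMPLE_REPO), ("fixed", FIXED_REPO), ("broken", BROKEN_REPO)):
        result = pipeline_gate(repo, make_tests(repo))
        print(f"{label:8s} -> stage={result.stage} passed={result.passed} {result.details}")
```

The scan runs before the tests because it is the cheaper check and because the text's point is that risky code never lands in the shared repository; in a real pipeline the scanner would be the IDE plugin or pre-receive hook, and the test stage the CI server's build job.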
How DevSecOps Can Benefit Federal Agencies
Interested in bringing DevSecOps to your federal agency? Organizations looking to implement this way of working can leverage Platform One, the first enterprise-level DevSecOps service in the Federal Government. Platform One provides:
- “Plug and play” containers for faster release cycles
- Multi-tenant environments for automated continuous integration and delivery
- Standardized development and production
RevaComm helps organizations collaborate, innovate and succeed in their digital transformation efforts. We have cumulative infrastructure and platform knowledge going back to Platform One's inception, and experienced staff on all four of the framework's value streams. Our team provides a customer-focused approach to software delivery through Human-Centered Design principles.