IT organizations at federal agencies hear conflicting messages. On one hand, they’re urged to accelerate development of new systems and capabilities to meet rising user expectations. On the other, everyone from the president on down is clamoring for greater system security in the face of a growing barrage of cyberthreats. How can federal IT organizations answer both calls?
Talk with any developer about application security and some themes are likely to emerge. Most will point out the immense pressure they face to deliver end products quickly. As they work to drive speed and innovation across web and mobile applications, security can still seem more nuisance than necessity. In fact, many developers view security as a dreaded chore — one they put off and strive to complete with minimal effort. Though understandable, this viewpoint is increasingly risky given today’s application and threat landscapes.
For federal agencies, security cannot be an afterthought. It needs to be woven into the very fabric of how an agency designs, develops and deploys applications — and DevSecOps is increasingly being viewed as a model for integrating these disparate disciplines into a more holistic approach.
Putting the ‘Sec’ in DevOps
In recent years, DevOps has established itself as a popular and effective way to bridge the gap between developing and operationalizing applications. As DevOps continues to mature, organizations can adopt DevSecOps to more formally infuse security throughout application development, operations and maintenance. It is one of the five key steps agencies should take to enable a cyber resilient enterprise (Defining a Cyber Moonshot, Accenture Federal Services, October 2017).
DevSecOps may sound sensible in theory, but what does it accomplish in practice? At the core, it addresses two enterprise objectives. The first is establishing, maintaining and enforcing a continuous loop of ever-evolving best practices for secure development and operations. The second: integrating security experts into the development process to better understand the steps being taken to safeguard applications and participate directly in tradeoff decisions.
In essence, DevSecOps forward deploys the security audit: validation runs alongside development on every change rather than as a separate review at the end, which accelerates delivery by closing the loop between secure development and security validation.
Ultimately, DevSecOps can help federal agencies shift away from thinking about and investing in application development (including IT modernization) and cybersecurity as two separate initiatives. They can and, indeed, should be combining development, modernization and security as a single integrated focus with joint decision making.
In doing so, DevSecOps supports critical cultural change. It helps ensure that developers stop treating security as someone else's job. Rather, it drives them to bake security into every iteration, every sprint and every code check-in. At the same time, DevSecOps forces business stakeholders to admit that security is, in fact, their concern as well. After all, they are the ones who pay the price when an application is breached.
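As an added example (not from the original article and not Accenture Federal Services' code), the following Python script shows the smallest working version of what forward deploying the audit to every code check-in means in practice: a gate that scans the files in a change set for hardcoded credentials and unpinned dependencies, fails the commit or CI job on the former, reports the latter, and honours a reviewer-approved exception marker so that a tradeoff the security expert agreed to is recorded on the offending line itself. The file paths, file contents, the `# gate:allow` marker and the rule set are all constructed for illustration; the AWS access key is the placeholder value AWS uses in its own documentation.

```python
"""Constructed check-in security gate (example code, not from the article).

It scans the files in a change set, blocks on findings that must never reach
the repository (credentials) and reports findings a team may choose to defer
(unpinned dependencies).  A reviewer-approved exception is recorded on the
offending line with a marker, so the tradeoff decision lives next to the code.
"""
import re
from dataclasses import dataclass

# Credential patterns.  The AWS key prefix and PEM header are real formats;
# the assignment pattern is a broad heuristic chosen for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# A requirements.txt line counts as pinned only when it uses an exact "==" version.
PINNED_REQUIREMENT = re.compile(r"^\s*[A-Za-z0-9_.\-\[\]]+\s*==\s*\S+")

# Hypothetical marker a reviewer adds to accept a finding on that line.
ALLOW_MARKER = "# gate:allow"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    severity: str  # "block" fails the gate; "warn" is reported but does not


def scan_file(path: str, text: str) -> list[Finding]:
    """Return the findings for one file's full content."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:  # reviewer-approved exception, skip the line
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, "block"))
        if path.endswith("requirements.txt"):
            stripped = line.strip()
            # Skip blanks, comments and pip options such as "-r base.txt".
            if stripped and not stripped.startswith(("#", "-")) and not PINNED_REQUIREMENT.match(line):
                findings.append(Finding(path, line_no, "unpinned_dependency", "warn"))
    return findings


def run_gate(changed_files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Scan every changed file; the gate passes only when nothing is blocking."""
    findings = [f for path in sorted(changed_files) for f in scan_file(path, changed_files[path])]
    passed = not any(f.severity == "block" for f in findings)
    return passed, findings


def format_report(passed: bool, findings: list[Finding]) -> str:
    """Render findings one per line, followed by the overall gate verdict."""
    lines = [f"{f.severity.upper():5} {f.path}:{f.line_no} {f.rule}" for f in findings]
    lines.append("gate: PASS" if passed else "gate: FAIL (blocking findings present)")
    return "\n".join(lines)


# Constructed change set standing in for the files touched by "git diff --cached".
SAMPLE_CHANGESET = {
    "app/config.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'correct-horse-battery'\n"
        "TEST_TOKEN = 'fixture-token-value'  # gate:allow (test fixture, approved in review)\n"
    ),
    "requirements.txt": "flask==2.3.2\nrequests\n",
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "docs/README.md": "Run `make test` before opening a pull request.\n",
}

if __name__ == "__main__":
    ok, found = run_gate(SAMPLE_CHANGESET)
    print(format_report(ok, found))
    raise SystemExit(0 if ok else 1)
```

Wired into a pre-commit hook or a CI job that feeds it the staged files, the script turns the audit finding "credentials in source" into a failed build within seconds of the change, while the warn-only rule and the `# gate:allow` marker keep the security reviewer in the tradeoff loop instead of making the gate an unconditional wall.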
This change in mindset has important implications for how IT initiatives are funded. Within an agile project, teams always have a running list of desired new functionality, software enhancements and bug fixes. With security as a first-class stakeholder, the same should hold true of desired security features and capabilities. With a DevSecOps approach, security to-dos are integrated with the other wish-list items and prioritized by the cost of the issues they prevent. For the CISO, this can be the platform to propose and advocate for critical investments. Creating a single funding model with a common backlog and joint decision-making helps ensure that security receives adequate attention from product management, development and operations personnel alike. And it improves an organization's ability to balance the need for business features with the need for effective security.
Should federal agencies emphasize faster, more innovative development or focus on better security? DevSecOps can help answer both calls. Consider that U.S. Citizenship & Immigration Services (USCIS) is actively investigating this approach and GSA recently published a technology guide to its adoption. And Gartner, as part of its Top 10 Strategic Technology Trends for 2018, stated that “barriers must come down between security and application teams” — with DevSecOps cited as the approach for achieving more continuous and dynamic risk management.
Think of it this way: DevOps enables automation, repeatability, agility and speed across the entire lifecycle. DevSecOps transforms security into another enabler for the business. It’s one of the essential technology pillars needed to establish a strong cyber resilient foundation, one that shifts the balance of power away from our adversaries and tips the scale in our favor.
Gus Hunt is a managing director and leads the Cybersecurity Practice at Accenture Federal Services. He previously served as chief technology officer for the Central Intelligence Agency, where he played a leading role in the agency’s adoption of cloud computing and DevOps.