As the conversation around DevOps, DevSecOps, and Agile continues to grow in government, agencies are flush with resources to aid in the development and deployment of software products that are both modern and secure.
Statistics show that government, often chided for its inability to adapt and change, is now embracing some of the leading software development traits of the private sector.
MeriTalk has tracked FITARA Scorecard data, which shows positive trends for the major Federal agencies in incremental development – the number of software projects delivering functionality at least every six months. When Congress first issued FITARA grades, the average grade in this area was a D. Two years on from that, the grade had risen to a B and has held steady for a further two years, with two-thirds of major agencies now at a grade of A or B.
But building software iteratively and quickly doesn’t always indicate that software is being built securely.
“We as a government weren’t talking about DevSecOps until well after establishment of DevOps efforts,” said Roger Coelho, vice president of public sector at Recorded Future, noting the natural lag between security and agile development.
“Then you have the proactive side [of government], and that’s where the real innovation comes from – from people that are at the forefront of thought leadership within their agencies, and who try new things in order to get ahead of a reactive situation,” Coelho said.
Coelho’s right – government is beginning to talk, and act on it. Being proactive about security is the new focus in government software development. This is the major tenet of DevSecOps, which GSA defines as a “cultural and engineering practice that breaks down barriers and opens collaboration between development, security, and operations organizations using automation to focus on rapid, frequent delivery of secure infrastructure and software to production.”
It’s about getting everyone to think about security, and about “cohesive collaboration between Development, Security, and Operations teams,” again from GSA. And it’s not only an IT concern: the business side needs to help facilitate the change, and GSA’s Tech Guides are an impressive resource for understanding the cultural shift occurring in software, the differences between agile, DevOps, and DevSecOps, and more.
Sonatype’s DevSecOps Community Survey has for several years provided an interesting barometer on development trends. In 2020, Sonatype found that:
- Mature DevOps teams properly integrate automated security tools almost two times more often than teams with immature development practices
- Happy developers are 3.6x more likely to pay attention to security
In spite of this, there are many challenges. Sonatype’s research over the past three years has consistently shown that about half of developers know security is important, but don’t have time to spend on it.
The private sector is trying to fast-track the approach, and help government get closer to CI/CD, make everyone the Kessel Run of their agency, and improve mission delivery across the board.
One example is the Secure Software Factory from DLT, a framework and DevSecOps accelerator. DLT CTO David Blankenhorn said the goal was to “ultimately build [government agencies] a toolchain to enable that sort of cultural shift that takes place within a development environment,” leveraging best-of-breed technologies, and automating many of the necessary security processes.
“It provides a framework of automation tools to consistently deploy high-quality, scalable, resilient, and secure software throughout an application’s lifecycle,” added Jim Fitzmaurice, senior sales manager at DLT and Secure Software Factory co-lead.
Just as developers are short on time, Federal agencies face a number of resource constraints that push them to do more with less, so cost efficiency is another important factor. Fitzmaurice said the Secure Software Factory “aligns with the paradigm shift that [government has] made over the last few years to move toward a bundled solution approach from a procurement standpoint. There’s a significant cost-savings with all agencies when they do that.”
Later this month, MeriTalk will release a report on secure supply chain technologies. Within it, we’ll explore how secure software development is an essential component of a healthy supply chain.