The only way to successfully build software now and in the future at scale while moving at a pace of relevance is with development, security, and operations (DevSecOps), the chief software officer (CSO) at the U.S. Air Force (USAF) said during a virtual summit held by ATARC on August 31.
By utilizing DevSecOps, the Department of Defense (DoD) can automate security integration at every phase of software and program development while still operating at a pace of relevance. According to Nicolas Chaillan, the USAF CSO, this is critical for cybersecurity needs and to compete in an increasingly digital world.
“You want to fail fast and learn fast so that you do not fail twice for the same reason,” Chaillan said. He added that this matters primarily because the U.S. does not want to be left behind as its adversaries continue to implement DevSecOps strategies within their agencies.
Practicing DevSecOps requires an array of purpose-built tools and a wide range of activities that rely on those tools. To that end, the Pentagon released the Enterprise DevSecOps Initiative in 2018. The program was run jointly between the Office of the Under Secretary of Defense for Acquisition and Sustainment, DoD CIO, USAF, Defense Intelligence Security Agency, and the Military Services. The program brings the timeliness, modularity, and reuse of DevSecOps practices to the IT enterprise to onboard and support software.
“The key foundational aspect of the DevSecOps initiative is to ensure that the DoD is not locked into a single vendor or platform by leveraging FOSS (free and open-source software) with Kubernetes and OCI (Open Container Initiative) containers to build both the software factories, but also the mission software that the DoD is building,” Chaillan said.
Additionally, as the Department continues to make significant progress in creating a secure DevSecOps environment and implementing best practices, zero trust remains a fundamental element. The DoD Enterprise DevSecOps Initiative has baked zero trust into its program, utilizing the Department’s Sidecar Container Security Stack and leveraging behavior detection and zero trust down to the container/function level.