U.S. Federal Government: Scaling DevSecOps for Secure Application Development
Balancing rapid application delivery with secure development has long been a major challenge for U.S. federal government agencies. Part of the reason was the constant pressure to ship new features and functionality while security was never fully integrated into development, or was handled after the fact by security experts who relied on patchwork fixes once development was complete. However, agencies are starting to learn that the consequences of security breaches can be far-reaching.
Thankfully, the federal government has significantly increased cybersecurity spending to address threats.
- The combined spending for cybersecurity was US$14.9 billion in 2018, of which the Department of Defense (DoD) used over US$8 billion.
- The Department of Homeland Security (DHS) was the second-highest user of funds earmarked for cybersecurity at US$1.8 billion.
As the agencies continue to build or acquire new tools and software, it will be imperative to build a stronger infrastructure and focus on secure software development.
What exposes federal government agencies to cybercrimes?
There are many factors that contribute to the risk an agency faces from cybercriminals. Inadequate security practices, unknown assets, weaknesses in code design, and unpatched vulnerabilities can significantly increase the risk.
According to the DHS, around 90 percent of cyber crimes result from vulnerabilities that stem from a defect in software code or design.
Detecting and fixing these vulnerabilities at a later stage can be costly and expose other connected applications to security risks. That’s why it is important to increase the overall quality of software by making security a priority from the beginning rather than relying on patchwork.
However, infusing security into the software development process can be time-consuming and push back deadlines. In addition, the Authority to Operate (ATO) process that allows entities to connect systems to federal networks can further lengthen the software development life cycle.
So, how exactly can a government agency keep up with security while managing tight deadlines?
How you can ensure application security
Now that we know what’s leading to the cyberattacks within the federal government agencies’ networks, let’s discuss some of the challenges these agencies face in secure development.
- Manual processes: To minimize security vulnerabilities, new solutions and software fixes have to undergo rigorous testing against established internal standards to obtain an ATO. Some of these standards, such as NIST 800-53, contain more than 1,000 controls. Using manual processes to verify against such a large number of controls significantly delays development.
- Skills shortage: Security experts are scarce, which makes it difficult to support the development process from start to finish. Usually, agencies prefer to reserve these experts for higher-value vulnerabilities and rely on other staff to verify routine security controls. This can make the development process longer, since not everyone is experienced enough to complete these tasks.
- Remediation: Reactive actions like penetration tests and software scans not only delay the delivery deadlines but can also be more expensive to manage. That’s why many agencies are shifting left to include security at the beginning of the development process.
Keeping in mind these challenges, it’s vital for federal agencies to think about security in conjunction with development and automate manual processes through balanced development automation tools.
How the DoD is scaling DevSecOps for cybersecurity
In 2019, the DoD initiated a massive effort toward software development that would help its agencies avoid the failures of traditional delivery. Named the DoD Enterprise DevSecOps Initiative, it aims to combine development, security, and operations across the DoD.
The idea behind this initiative is to utilize modern tools and best practices to provide secure and timely software for the warfighters. And, their inspiration came from the wins of Kessel Run — a project started by the U.S. Air Force (USAF) to learn agile software development.
In its reference design document, DoD explains how DevSecOps will “improve customer outcomes and mission value by automating, monitoring, and applying security at all phases of the software lifecycle: plan, develop, build, test, release, deliver, deploy, operate, and monitor. Practicing DevSecOps provides demonstrable quality and security improvements over the traditional software lifecycle.”
As a part of this program, the DoD also aims to push for continuous ATO, which will enable its software factories and service providers to push software updates and solutions to the network immediately without having to go through security validation every time. It is also important to speed up the ATO process itself, which can usually take from 6 months to a year to complete.
How to build secure software
Building security from the beginning is one of the core focuses of DevSecOps and the DoD’s new initiative. However, implementing security measures in the development cycle involves a lot of effort in understanding various regulations and controls which might delay the process.
An easier way to manage some of these tasks is to automate a significant portion of the manual processes. When security standards are translated into actionable tasks, developers can stay focused without spending a lot of time grasping security concepts. This ensures the secure development of applications while maintaining the speed of the process.
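To make "translating security standards into actionable tasks" concrete, here is an added example (not code from the article, the DoD initiative, or any vendor tool) of a minimal "controls as code" runner: a few NIST 800-53 control families are mapped to automated checks that run against an application's deployment configuration and produce an evidence record of the kind a continuous-ATO pipeline would collect. The configuration keys, the specific control-to-check mapping, and the thresholds are illustrative assumptions, not an agency schema or the official control test procedures.

```python
"""Added example: turning a handful of NIST 800-53 controls into automated
checks over a deployment configuration, with a machine-readable evidence
record. Control mapping, config keys and thresholds are assumptions."""
from dataclasses import dataclass, asdict
from typing import Callable, List
import json

# Constructed sample configurations in the shape of a deployment manifest.
# The keys are assumptions for this example, not a real agency schema.
SAMPLE_CONFIG = {
    "tls": {"min_version": "1.1", "cert_validation": True},
    "auth": {"min_password_length": 8, "mfa_required": False},
    "logging": {"audit_enabled": True, "retention_days": 365},
}
HARDENED_CONFIG = {
    "tls": {"min_version": "1.2", "cert_validation": True},
    "auth": {"min_password_length": 14, "mfa_required": True},
    "logging": {"audit_enabled": True, "retention_days": 365},
}


@dataclass
class Finding:
    control: str   # NIST 800-53 control identifier
    title: str     # control title, for the human reader of the report
    passed: bool
    evidence: str  # the configuration values the verdict was based on


def check_sc8(cfg: dict) -> Finding:
    """SC-8 Transmission Confidentiality and Integrity: require modern TLS
    and certificate validation (threshold is an assumption)."""
    tls = cfg.get("tls", {})
    passed = tls.get("min_version") in ("1.2", "1.3") and tls.get("cert_validation") is True
    return Finding("SC-8", "Transmission Confidentiality and Integrity", passed,
                   f"tls.min_version={tls.get('min_version')!r}, "
                   f"cert_validation={tls.get('cert_validation')!r}")


def check_ia5(cfg: dict) -> Finding:
    """IA-5 Authenticator Management: minimum password length and MFA
    (threshold is an assumption)."""
    auth = cfg.get("auth", {})
    passed = auth.get("min_password_length", 0) >= 12 and auth.get("mfa_required") is True
    return Finding("IA-5", "Authenticator Management", passed,
                   f"min_password_length={auth.get('min_password_length')!r}, "
                   f"mfa_required={auth.get('mfa_required')!r}")


def check_au2(cfg: dict) -> Finding:
    """AU-2 Event Logging: audit logging on, with a retention floor
    (threshold is an assumption)."""
    log = cfg.get("logging", {})
    passed = log.get("audit_enabled") is True and log.get("retention_days", 0) >= 90
    return Finding("AU-2", "Event Logging", passed,
                   f"audit_enabled={log.get('audit_enabled')!r}, "
                   f"retention_days={log.get('retention_days')!r}")


# Each control a developer must satisfy becomes one executable check.
CHECKS: List[Callable[[dict], Finding]] = [check_sc8, check_ia5, check_au2]


def run_checks(cfg: dict) -> List[Finding]:
    """Run every mapped control check against one configuration."""
    return [check(cfg) for check in CHECKS]


def evidence_report(cfg: dict, system_name: str) -> dict:
    """Build the evidence record a pipeline would attach to a release:
    which controls were checked, which failed, and whether to proceed."""
    findings = run_checks(cfg)
    failed = [f.control for f in findings if not f.passed]
    return {
        "system": system_name,
        "controls_checked": len(findings),
        "failed_controls": failed,
        "ready_for_release": not failed,
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    for name, cfg in (("sample-app", SAMPLE_CONFIG), ("sample-app-hardened", HARDENED_CONFIG)):
        print(json.dumps(evidence_report(cfg, name), indent=2))
```

Run as a pipeline gate, the report for `SAMPLE_CONFIG` flags SC-8 and IA-5 and blocks the release, while the hardened configuration passes all three checks; the point is that the developer sees a concrete failing setting and the evidence record accumulates without a manual control-by-control review.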
Whether you develop applications yourself or acquire them from service providers, you can’t ignore the benefits of building security into development. Rather than reacting to security flaws later, it’s always better to ensure compliance from the moment you start building.
Download our datasheet to learn how DoD's software factory automates security processes for continuous ATO.