Building a DevSecOps Culture

As software becomes more sophisticated, it plays an increasingly important role in all aspects of government operations. However, given the complexity and intertwined nature of modern software, any vulnerability could have wide-ranging consequences, which makes security of vital importance. The federal government has taken notice. A number of recent policy directives address issues related to the software supply chain, and key agencies are leading a governmentwide effort to promote secure software development, including the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust and the Executive Order on Improving the Nation’s Cybersecurity.

A key methodology for achieving the government’s goals is DevSecOps. This set of tools and best practices brings together the development, security and operations teams to collaborate on software that incorporates security every step of the way. DevSecOps provides agencies with a clear roadmap for building and testing, deploying, and monitoring applications, as well as continuously delivering updates. By boosting efficiency and easing the security burden on developers, DevSecOps also has a positive effect on the employee experience, which can help agencies retain talented professionals. In FCW’s survey, a total of 73% of respondents said their agencies were developing or implementing a strategy for using DevSecOps, and 9% have fully embraced the methodology.

The wealth of government guidance can help agencies overcome the cultural and technological challenges to building a strong, innovative DevSecOps culture, but it’s worth remembering that DevSecOps is not the final destination. Read the latest insights from industry thought leaders in DevSecOps, including:

• Alex Barbato, public-sector solutions engineer at VMware, explains how, once the development, security and operations teams are aligned, agencies can move forward on modernization.
• Robert Larkin, senior solutions architect at Veracode, explores the generative AI technology that takes the guesswork out of fixing unsecure code before applications are deployed.
• Chris Mays, staff specialist solutions architect at Red Hat, details why a pervasive view into far-flung networks is critical, and how next-generation packet brokers can help achieve that visibility.
• Ben Straub, head of public sector at Atlassian, explains how incorporating best practices for collaboration and tooling diversity can transform an agency’s capacity for success.
• Willie Hicks, public-sector chief technologist at Dynatrace, details how using AI-driven observability throughout the software life cycle ensures the ongoing performance and security of applications.
• Zack Butcher, founding engineer at Tetrate and co-author of the NIST SP 800-200 series and SP 800-207A, explores the infrastructure layer that's a key tool for enforcing security standards and limiting the damage an attacker can do.
• Joel Krooswyk, federal CTO at GitLab, details why automation is evolving from identifying vulnerabilities to providing seamless, AI-assisted developer workflows.
• Kyle Tobener, head of security and IT at Copado, explains how a low-code platform can accelerate the delivery of innovation while ensuring secure and bug-free software.

Read more insights from Carahsoft and our DevSecOps partners when you download the full report: