Building a DevSecOps Culture

As software becomes more sophisticated, it plays an increasingly important role in all aspects of government operations. However, given the complexity and intertwined nature of modern software, any vulnerability could have wide-ranging consequences, which makes security of vital importance. The federal government has taken notice. A number of recent policy directives, including the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust and the Executive Order on Improving the Nation’s Cybersecurity, address issues related to the software supply chain, and key agencies are leading a governmentwide effort to promote secure software development. Learn how you can implement DevSecOps to support your journey to secure, innovative software in Carahsoft’s Innovation in Government® report.

 

The Mindset Shift that Enables DevSecOps

“In an ideal world, technology and processes support team members’ ability to deliver on their particular talents. Before agencies implement DevSecOps methodologies, they should identify where their processes are getting bottlenecked and forcing people to either work around them or fundamentally change their behavior. Instead, we want to make it easy for employees to do the right thing. The goal is to enable people to focus on what they do best — regardless of where they operate in the stack or the tools they are using — so that agencies can build and deploy secure, modern apps.”

Read more insights from Alex Barbato, Public Sector Solutions Engineer at VMware.

 

How Generative AI Improves Software Security  

“Generative AI tools are becoming increasingly prevalent, providing interactive experiences that captivate the public’s imagination. These tools are accessible to anyone, offering a unique opportunity to engage and explore the creative possibilities enabled by AI technology. The technology doesn’t just train a model to recognize patterns. It can create things that are easy to understand: images, text, even videos. Sometimes the results are hilariously wrong, but other times the results are quite impressive, such as clear, concise answers to complex questions. Generative pre-trained transformer (GPT) technology, such as ChatGPT, has opened the doors for everyone to be an evaluator because the output is accessible and easy to critique.”

Read more insights from Robert Larkin, Senior Solutions Architect at Veracode.

 

Open Source is at the Heart of Software Innovation

“Embedding security into applications from the start is essential for streamlining and strengthening the entire development life cycle. Securing the software supply chain is a related effort that is of vast importance to government operations. Beyond securing individual applications, the ultimate goal is to build security into the pipeline itself. At each step and every handoff, we must be able to verify who has touched the software and who did what to ensure that the end result is what we intended to build and that nothing malicious has been injected along the way.”

Read more insights from Chris Mays, Staff Specialist Solutions Architect at Red Hat.

 

DevSecOps Needs Tool Diversity and Collaboration

“As DevSecOps methodologies and software factories grow in prevalence, agencies are recognizing that software development is a team sport — inside the agency, across departments and with external stakeholders. It touches many different teams, but getting everyone on the same page with tooling can be difficult. Different teams prefer different tools, and that makes collaboration hard. Modern software development brings security practices forward in the timeline while reducing duplication of efforts and improving real-time accountability. Success hinges on removing blockers, creating visibility and making sure collaboration is happening at every stage. In addition, encouraging input from different areas of the organization from the beginning and throughout development is vital for innovation.”

Read more insights from Ben Straub, Head of Public Sector at Atlassian.

 

Observability Speeds Zero Trust and Application Security

“In response to increasing cyberthreats, the government is speeding up the move to zero trust. This security model assumes that every user, request, application and non-human entity is not to be trusted until its identity can be verified. Zero trust principles require a layered defense that is more effective when rooted in observability. To develop an architecture that validates and revalidates every entity on the network, it is necessary to know what those entities are, how they’re communicating and how they typically behave so we can recognize deviations. Zero trust and observability technologies work together to create a more secure and resilient network environment by assuming that all requests for access are untrusted and continuously monitoring the network to detect and respond to potential threats.”

Read more insights from Willie Hicks, Public Sector Chief Technologist at Dynatrace.

 

The Role of a Service Mesh in Zero Trust Success

“For large companies and government agencies, it’s safe to assume that a committed attacker is already inside their networks. Executive Order 14028 mandates that every federal agency develop a Zero Trust architecture because it is the most effective approach to mitigating what attackers can do once they’ve made their way inside. What does Zero Trust look like at runtime? One of the key considerations is identity-based segmentation, which involves conducting five policy checks for every request in the system: encrypted connection between service endpoints, service authentication, service-to-service authorization, end user authentication, and end user-to-resource authorization.”

Read more insights from Zack Butcher, Founding Engineer at Tetrate and co-author of the NIST SP 800-200 series and SP 800-207A.

 

AI and the Journey to Secure Software Development

“By automating and optimizing DevSecOps workflows, we can still shift security left while relieving developers from the burden of some complex remediation. It begins with a workflow that leverages fully automated security scanning to rapidly identify vulnerabilities as well as providing suggested remediation for vulnerabilities and on-demand remediation training to educate developers on what they are getting into. The rapid evolution of artificial intelligence is making new advances possible. The opportunities go well beyond AI-assisted code creation. AI features are being expanded across the entire software development life cycle. When it comes to security, having AI assist by making code functionality clear or explaining a vulnerability in detail reduces the time required to remediate risk.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

 

Scaling App Development While Meeting Security Standards

“The dream for any software development team is constant, stable releases. The faster teams get the work they’ve created into production, the faster the agency can derive value from that work. When app development is stymied by cumbersome security reviews and stability testing and by the need to wait for a deployment window, innovation is stifled and the return on investment is delayed. If agencies want to have efficient, value-driving software development teams, those teams must be able to move with agility. A trustworthy, scalable DevOps pipeline that brings together testing and security in a seamless way allows teams to push out new apps and improvements quickly so government employees and citizens can have a seamless digital experience and the most up-to-date tools and information.”

Read more insights from Kyle Tobener, Head of Security and IT at Copado.

 

Join us in-person for our must-attend DevSecOps Conference—an exciting day of exhibits, speaking sessions, and networking events. We look forward to showcasing new DevSecOps updates from our supporting panels featuring government, systems integrators, and industry thought leaders.

Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.

Speed Your Agency’s Software Deployments in 6 Easy Steps

Slow, bottlenecked, and often archaic release methods challenge most government agency software delivery teams. But enterprise feature management can help your agency achieve faster releases with less risk.

Enterprise feature management provides teams with total control over application features, fine-grained release targeting, and detailed audit logs. It starts with feature flags, a powerful tool that allows your development teams to turn features on or off without requiring a code change or deployment. They are a modern replacement for the traditional hard-coded boolean flags custom-built for each app. With an enterprise feature management platform, you can use a pre-set enterprise feature flag framework to define and operate a simple and seamless experience. This delivers a host of benefits, including dramatically streamlined and accelerated software delivery. It also empowers teams to roll out new functionality gradually and selectively rather than all at once. Your agency can also “dark launch” a feature in production, reducing dependencies on expensive and custom staging environments.

Here are six steps that government agencies can take to get started with LaunchDarkly Federal, the only FedRAMP-authorized feature management platform. These steps will help you understand how to use feature management for high-speed, low-risk software releases of legacy and new applications:

1. Put in place the LaunchDarkly SDK to enable feature flagging

LaunchDarkly’s Software Development Kits (SDKs) allow your developers to implement and share feature flags quickly and easily across software applications. They provide an easy way to connect new and existing applications to the LaunchDarkly SaaS platform. Simply include your programming language-specific LaunchDarkly SDK into your application to get started. The SDK initializes to a specific environment, manages default values and targeting contexts, handles any connectivity issues, and listens for feature status and rule changes. SDKs provide the support for real-time application updates without the need to deploy new code.

2. Identify your environment(s)

In traditional release motions, government agencies identify and set up numerous development, testing, and production environments. Not only is each environment often expensive, but running a release through so many gates can be a significant challenge for resource-strapped teams. It is almost impossible to simulate a production-level environment in staging, so when you release to production, you are testing in production anyway. Why not do it safely, with granular targeting to reduce risk? With an enterprise feature management solution, you can reduce the number of environments and focus more on safely and securely testing in production.

3. Target, or even micro-target, your release

The next step is determining exactly where you will release individual features, and when. With feature flags, your development teams can release features in a highly customized way. By creating targeting rules, teams can easily target individual releases to a subset of users, resources, or even infrastructure, before making them widely available to all end-users. It’s possible to even micro-target a single user.

Targeting makes it simple to progressively release a new feature to a QA team or to project sponsors for feedback. The granular control over features and release targeting that LaunchDarkly Federal provides will enable more control than traditional blue/green deployments alone.

4. Flip a switch, and release whenever you want

With enterprise feature management, your development teams can separate deployment and release processes. Engineering teams can deploy code, and non-engineering teams can trigger the release with a simple flip of the switch. Decoupling these processes reduces the risk of failure and allows teams to release new features quickly and efficiently. Your development teams can keep progressing on their software development projects and release new features at the best time for their program or department. Enterprise feature management also allows your project and program teams to develop, test, and deploy features using custom workflows with enterprise-level management capabilities.

By using low-risk continuous integration/continuous delivery (CI/CD) processes with incident resolution times of less than 200ms, teams can improve developer productivity and reduce the time it takes to release new features to production.

5. Quickly disable features if issues or errors occur

In the event of an issue or error, teams need to be able to quickly disable features so the problem does not affect the application in production. Issues could range from something major, such as security vulnerabilities, to minor usability and cosmetic problems. With traditional processes, a team would have to roll back to a previous release, losing everything they just deployed, or take down an entire application to address issues or errors. With enterprise feature management solutions, however, teams can quickly disable the individual problematic feature, leaving the rest of the application unchanged. Compared with lengthy and cumbersome rollback and redeployment processes, this limits the impact to the application with zero downtime. DevSecOps teams would then typically perform a “patch forward” for the fix.

6. Track the release with detailed analytics

Using analytics, monitoring tools, and processes helps guarantee that your software meets government guidelines and agency policies. Using enterprise feature management, your agency can gather detailed audit logs and analytics to inform your decision-making and improve software delivery processes across your mission-critical programs.
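An added example, not from the original article and not LaunchDarkly's SDK or API: a minimal in-memory flag store that walks through steps 3 to 6 (targeting, release, kill switch, audit log). The names `Flag`, `FlagStore`, `evaluate` and `bucket`, the sample users, and the hash-based percentage rollout are assumptions made for illustration; the percentage rollout goes slightly beyond the targeting the text describes.

```python
import hashlib
import time
from dataclasses import dataclass, field


@dataclass
class Flag:
    key: str
    enabled: bool = False        # master switch; flipping it off is the kill switch
    off_value: bool = False      # value served while the flag is off
    users: set = field(default_factory=set)    # micro-targeted user ids
    groups: set = field(default_factory=set)   # targeted groups, e.g. "qa"
    rollout_percent: int = 0     # share of remaining users who get the feature


def bucket(flag_key: str, user_id: str) -> int:
    """Stable 0-99 bucket so a user keeps the same result across requests."""
    digest = hashlib.sha256(f"{flag_key}:{user_id}".encode()).hexdigest()
    return int(digest, 16) % 100


class FlagStore:
    def __init__(self):
        self._flags = {}
        self.audit_log = []      # append-only record of who changed what

    def _audit(self, actor, action, key, detail=None):
        self.audit_log.append({"ts": time.time(), "actor": actor,
                               "action": action, "flag": key, "detail": detail})

    def create(self, actor, flag: Flag):
        self._flags[flag.key] = flag
        self._audit(actor, "create", flag.key)

    def set_enabled(self, actor, key, enabled: bool):
        self._flags[key].enabled = enabled
        self._audit(actor, "enable" if enabled else "disable", key)

    def set_rollout(self, actor, key, percent: int):
        if not 0 <= percent <= 100:
            raise ValueError("rollout percent must be 0-100")
        self._flags[key].rollout_percent = percent
        self._audit(actor, "rollout", key, percent)

    def evaluate(self, key, user: dict, fallback: bool = False) -> bool:
        flag = self._flags.get(key)
        if flag is None:
            return fallback      # unknown flag: serve the caller's safe default
        if not flag.enabled:
            return flag.off_value
        if user["id"] in flag.users:
            return True
        if flag.groups & set(user.get("groups", ())):
            return True
        return bucket(key, user["id"]) < flag.rollout_percent


def demo():
    # Constructed sample flag, actors and users.
    store = FlagStore()
    store.create("dev-alice", Flag("new-claims-form", users={"sponsor-1"}, groups={"qa"}))
    qa = {"id": "u-17", "groups": ["qa"]}
    public = {"id": "u-99", "groups": []}
    results = {"dark": store.evaluate("new-claims-form", qa)}      # deployed, not released
    store.set_enabled("pm-bob", "new-claims-form", True)           # release to targets only
    results["qa"] = store.evaluate("new-claims-form", qa)
    results["public_before"] = store.evaluate("new-claims-form", public)
    store.set_rollout("pm-bob", "new-claims-form", 100)            # release to everyone
    results["public_after"] = store.evaluate("new-claims-form", public)
    store.set_enabled("oncall-carol", "new-claims-form", False)    # kill switch
    results["killed"] = store.evaluate("new-claims-form", qa)
    results["audit"] = [(e["actor"], e["action"]) for e in store.audit_log]
    return results


if __name__ == "__main__":
    print(demo())
```

From a security standpoint, the points to check in any real deployment are the same ones the code makes explicit: what value is served when flag data is missing, and whether every toggle is attributed to an actor in the audit log.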

Following these six simple steps can help you shrink your agency’s release time from years and months to days and hours, just like it did for the Centers for Medicare (CMS). Using LaunchDarkly and the six steps above, CMS went from one launch per quarter to completing six launches within a single day to support a global rollout.

Feature management is a powerful DevSecOps tool that can truly accelerate the delivery of transformative software. With detailed control over features, release targeting, and detailed audit logs, your agency can reduce risk and deliver software at the speed of the commercial world.

Download our eBook to learn more about LaunchDarkly, and view our public sector webinar to learn more about DevSecOps best practices.

Partnerships for Public Sector Solutions

Systems integrators have evolved to simplify and streamline the process of deploying complex solutions to complex agency challenges. SIs have years of experience working with agencies on the kinds of systems that have many moving parts. Therefore, they have a clear understanding of agency missions and know how to navigate the government’s procurement process. However, SIs don’t work alone. They thrive by partnering with companies that have transformative new approaches for addressing the government’s needs, such as providing innovative digital services, supporting a hybrid workforce and protecting government networks from cyberthreats. In a recent report, research firm Quadintel states that the global systems integration market was valued at $327 billion in 2021 “and is anticipated to grow with a healthy growth rate of more than 13% over the forecast period 2022-2028.” SIs are well-suited to helping agencies make that shift in thinking. Learn how SIs can help your agency thrive by partnering with innovative companies in Carahsoft’s Innovation in Government® report.

 

The Power of Embracing a Partner Mindset 

“Success for integrators and their partners is delivering secure solutions that provide meaningful and impactful mission outcomes. Leidos invests heavily in testing and building relevant solutions for public-sector customers to ensure that innovative technologies are cost-effective, resilient, compliant with government requirements and best positioned to solve mission problems. Investing in a continuous innovation cycle is critical. Leidos and Red Hat recognize that we are in the business of continuous modernization. When Red Hat and other key partners offer innovative new solutions, our partnerships enable us to move fast in testing and proving that the technology works and can scale to meet the government’s needs. Leidos leverages innovative technology to drive great mission outcomes in our Aviation Security Product business unit (Security Enterprise Solutions). By using cloud-native AI/ML modeling solutions, Leidos had been able to achieve significant performance gains in our process for developing algorithms for security detection products, ultimately improving travelers’ experiences at airports.”

Read more insights from Peter O’Donoghue, CTO of the Civil Group at Leidos, and Adam Clater, chief architect of the North America Public Sector at Red Hat.

 

A Collaboration That Far Exceeds the Sum of its Parts

“In 2020 KPMG and ServiceNow recognized that a large and newly formed Defense Department agency was facing a number of challenges in its efforts to transform its business, consolidate systems and processes, and modernize its technology. We began having conversations with the executive leadership and department heads across different lines of business to gain a clear understanding of their mission, current challenges and desired outcomes. As the ServiceNow program was being established at the agency, the customer required a robust governance and platform team to ensure utilization of development best practices and policy generation, platform management activities (e.g., upgrades) and a secure, scalable, federated development model. This technical rigor and governance structure supported the creation of a stable environment in which application development teams could configure and deploy new, unique applications rapidly.”

Read more insights from Kyle McKendrick, senior enterprise account executive at ServiceNow, and Daniel Gruber, specialist managing director at KPMG.

 

Driving Modernization with Deep Strategic Partnerships

“In response to the challenges agencies face, Leidos has been focused on building deep strategic partnerships that help us create at-scale solutions for our government customers. These partnerships are characterized by a commitment to open lines of communication and transparency in terms of strategy and investments. We also operate in what we describe as a badgeless environment in which experts from different companies work side-by-side to engineer new capabilities and solutions.”

Read more insights from Derrick Pledger, senior vice president and CIO at Leidos.

 

Why Success in Zero Trust Requires a Team Effort  

“Zero trust focuses on the connection between users and the data, applications, networks and systems they want to access. In zero trust architectures, new administrative tools continually evaluate whether allowing an individual user to have a certain level of access privileges is the right thing to do. The approach gives agencies much more flexibility as they modernize because they can make decisions at a granular level that enable them to secure data and entire IT ecosystems.”

Read more insights from Meghan Good, vice president and director of the Cyber Accelerator at Leidos.

 

How Multi-Domain Operations Accelerate Modernization

“By design, multi-domain operations must involve a broad range of partners to achieve the desired mission outcomes, particularly as threats continue to rapidly evolve. Making such a shift allows military and civilian agencies to far more rapidly add new capabilities to individual systems. The approach also enhances agencies’ ability to partner with industry to harness the power of cross-domain, cross-agency and even cross-company digital synergies.”

Read more insights from Chad Haferbier, vice president of multi-domain operations solutions at Leidos.

 

Balancing Speed and Security with SecDevOps

“As one of the largest systems integrators, Leidos understands the government’s mission domain and individual agencies’ unique challenges. We also know where they are in their evolution. Some are still easing toward agile and SecDevOps, whereas others have fully embraced those approaches. Our partners in the commercial world are some of the fastest, most forward-leaning technologists.”

Read more insights from Paul Burnette, vice president and director of the Software Accelerator at Leidos.

 

Download the full Innovation in Government® report for more insights from SI cloud thought leaders and additional industry research from FCW.

States Can Build Economic Efficiencies Into Complex, Sophisticated IT Environments

Modernizing IT is a priority for all levels of government. Despite its importance, a recent National Association of State Technology Directors study found only 50% of the 38 states surveyed have “budget mechanisms for specifically addressing IT modernization.” At the same time, 84% reported they had increased cloud services—and 76% increased their network infrastructure and bandwidth—because of the pandemic. To put it mildly, growing and scaling services without a budget isn’t ideal. However, building economic efficiencies into an increasingly complex, sophisticated IT environment is possible.

One way to approach cost containment is to build it into the approach taken when developing cloud-native applications and instilling the management of these applications with this mindset. This will likely pose challenges—developers are rarely responsible for the decisions about how their apps are implemented, used, or scaled. Likewise, those responsible for making decisions about infrastructure resources, maintenance, and operations may not understand or account for how much it costs to keep these cloud-native apps going. Here’s a look at how developers and operations management teams can better understand and manage the cost of application modernization programs:

The Relationship Between Cost Containment and the Modern Developer

The application development phase offers an opportunity to lay the foundation for cost containment and is a vital part of developer maturity.

An easy way to move toward cost-effective, sustainable applications is to adopt the underpinning of reliable operations—monitoring and observability. When developers ensure new and modernized applications include monitoring from the outset, DevOps and site reliability engineering (SRE) teams can better understand the state of their systems and proactively debug systems in production. This benefits the organizations who own these applications in the long run.

Here’s an example: suppose an application relies on platform-managed serverless or orchestrated containerization. There’s no shortage of opportunities to provide rich performance data for both developers and operations using commercial cloud-native or open-source monitoring options.

Through monitoring, developers can quickly get a sense of application durability and develop more sustainable applications to support cost containment. Considering sustainable cost containment during the dev phase isn’t best left to IT leaders; agency leaders will greatly appreciate the developer who builds the foundation into their apps.

Keys to Containing Cost

It’s also crucial to address agency leaders’ responsibility for ensuring the high performance of cloud-native applications once deployed. As much as we’d like them to, cloud-enabled technologies don’t maintain a minimum latency or uptime on their own. IT and network operations teams continuously monitor the health of cloud applications, infrastructure, and the networks they rely on to ensure a quality user experience and an uninterrupted mission.

They need full-stack observability without added costs for procuring and managing multiple monitoring tools and accommodating new reporting, alerting, and automation needs as time progresses. IT leaders can control costs in a cloud-native future by ensuring their developers and IT operations teams utilize the same centralized and automated monitoring tools—from launch to sunset.

By consolidating tools and achieving observability across services and agencies from a single integrated pane of glass, these teams can occupy the same monitoring domain and ensure peak performance of the entire application, infrastructure, and network environment while saving time and containing costs.

The cost-containment advantages of automation also can’t be overstated. Instead of IT pros spending hours trying to identify, diagnose, and fix hard-to-find performance issues, modern monitoring tools run in the background, automatically identifying performance issues and recommending optimization fixes.

As new systems and cloud-native applications come online, these systems allow agencies to quickly and easily scale their monitoring capabilities without additional expense, no matter how complex their cloud, multicloud, or hybrid environment becomes.

The results? A pathway for states without the budget for cloud and IT modernization to create economic efficiencies.
