DevSecOps, short for development, security, and operations, is not a term that rolls off the tongue in an “agile” way, but it is a practice that is gaining momentum across the Federal government.
“When it gets in the NDAA [National Defense Authorization Act] you can say we’ve reached a new milestone in awareness,” said Derek Weeks, vice president at Sonatype, during the DevSecOps Leadership Federal Forum May 6. Weeks mentioned the term’s inclusion in the Fiscal Year 2020 defense bill, but the concept of building security into your operations and software is not new.
Katie Arrington, who has worked on the rollout of the new cybersecurity standard for defense contractors, said the Defense Department’s DevSecOps work predates the Cybersecurity Maturity Model Certification (CMMC) standard.
“The DevSecOps effort started before the CMMC,” said Arrington, CISO for Acquisition and Sustainment in the Department of Defense. “This is not something we just picked up.”
Arrington emphasized the importance of DevSecOps when acquiring software.
“You can’t buy software like you buy hardware,” said Arrington, adding that 90-day acquisition periods are too slow for software acquisition. “You have to do it at the speed of relevance.”
The pace at which new technologies are acquired has driven the practice of embedding security in development and operations to catch on across the government, according to a cybersecurity expert with several decades of experience.
“It’s not a question of, if we are going to do DevSecOps,” said Ron Ross, fellow at the National Institute of Standards and Technology, “it’s a question of how fast we’re going to do it.”
Ross described cybersecurity as “processes, procedures, and people.”
“This is where DevSecOps can really start us off in the right direction,” he said, “because it touches on all three of those areas.”