Ransomware attacks and the security of critical infrastructure have been dominating the news in recent weeks, but security can still sometimes be an afterthought in state government technology projects.
In one stark example in Colorado, two years of development to modernize a system took place before a single security scan of the code was conducted, according to an award submission the Governor’s Office of Information Technology made to the National Association of State Chief Information Officers (NASCIO).
“When the pre-go-live security scan was performed it detected more than 10,000 vulnerabilities, which required mitigation and caused the delay of multiple releases,” the document notes. “This impact to the customer resulted in low satisfaction with OIT, prevented development/deployment teams and the supplying vendor from moving on to other priorities, and frustrations ran high. The outcome emphasized the need to modernize solution and delivery at every touch point — improving efficiency, decreasing overhead, and supporting rapid value delivery to achieve OIT’s goal of customer delight by exceeding expectations.”
Colorado and other states have started to boost the security of their applications and systems through the adoption of a methodology called DevSecOps, closely related to a similar approach, DevOps. With DevSecOps, security is considered in the software and service development of an agency from the start, and security teams work hand in hand with software developers and operations teams.
What Is DevSecOps?
DevSecOps integrates security into DevOps, an operational model in which operations and development engineers partner throughout the entire software or service lifecycle, from design to development and production support. DevSecOps layers in security experts to work with operations and development teams to ensure that security is considered from the beginning.
DevSecOps as a practice has taken off in the private sector, but is still nascent in state government IT departments.
Kyle Jepson, a senior field solution architect for DevOps with CDW, notes in a recent podcast that high-performing organizations have a core tenet of bringing security into the planning process of software and services earlier. “We definitely know from research that high-performing organizations have to consider security earlier on in the software development lifecycle,” he said.
As the National Institute of Standards and Technology notes, the goal of DevOps is to bring together software development and operations to “shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices.”
DevSecOps ensures that security is addressed in all aspects of DevOps, NIST states, “by integrating security practices and automatically generating security and compliance artifacts throughout the process.”
Why DevSecOps Practices Are Important in Government
If software development can be viewed on a timeline from left to right, where the planning phases are on the left side of the timeline and production phases are on the right, DevSecOps aims to shift security “left,” or earlier into the planning process. That helps catch security issues or flaws sooner.
“If we wait until we get into production phases and we’re ready to go live on a product, and then we go to security and we find a problem, now all of a sudden, we’ve got to walk that whole process back to the beginning to be able to address those security risks,” Jepson said.
“So, if we can architect for security at the beginning, the planning phases, if we can embed controls and visibility and tools into each phase of the software development lifecycle, then ultimately what we get is higher quality products into production more quickly,” he added.
There are numerous benefits to DevSecOps, as NIST notes. They include:
- Reducing vulnerabilities, malicious code and other security issues in released software without inhibiting software production and releases
- Mitigating the potential impact of adversaries exploiting vulnerabilities throughout the application lifecycle
- Addressing the root causes of vulnerabilities to prevent security issues from continuously cropping up (this can be done through actions such as “strengthening test tools and methodologies in the toolchain, and improving practices for developing code and operating hosting platforms”)
- Reducing the friction between the development, operations and security teams to simultaneously support the velocity of the organization’s mission while using modern technologies
In Colorado, the state used Azure DevOps tools from Microsoft to enhance service delivery and security by “assembling all of OIT’s code in one place in the Azure DevOps toolset and steadily increased automation and security practices across OIT teams,” according to its NASCIO submission. Colorado aimed to “increase efficiency, security, and quality across the technology and service delivery lifecycle by shifting ‘left’ security and quality so they would be automatically addressed earlier in the solution delivery process and lead to increased efficiencies through automation and cultural changes.”
The end result, according to Colorado, is that “teams now have greater opportunities to not only improve security in their applications, but to analyze, improve, and automate many of their processes.” Additionally, cycle time, lead time, deployment speed, deployment frequency, velocity and work burndown are now generated automatically, “freeing teams from what is generally seen as exhausting, repetitive, and manual work,” the document states.
“By automating processes, early and often, we are not only ensuring quality and security through reduction of manual errors and inclusion of regular scanning, but we free up people — our greatest resource — to focus on innovative solutions and delivering value to customers,” the state notes.
Other states, such as North Carolina, have also embraced DevSecOps. “I mentioned some of those capabilities associated with DevSecOps. We’ve got some pockets in terms of our teams that are enabling DevOps. A key aspect of that is automated testing,” Glenn Poplawski, North Carolina’s deputy CIO and chief solutions officer, told StateScoop in 2019.
North Carolina has had automated testing capabilities in the state since about 2007, and the state was moving to augment the automated testing capabilities with another toolset, Poplawski noted.
“As far as the security testing, we just went through buying and purchasing one of the Micro Focus security testing tools,” he said. “We’ve basically had agencies go through training, and then we’re going to embark on enabling that into the development cycles to help them achieve DevSecOps.”
DevOps vs. DevSecOps: What Are the Main Differences?
DevOps and DevSecOps are closely related, in the sense that both are focused on a continuous integration/continuous delivery (CI/CD) pipeline. The model follows key stages: development, integration, quality assurance, user acceptance testing, staging, preproduction and, finally, production.
Both DevOps and DevSecOps are processes that are highly automated and dependent on a series of platforms called tool chains that help manage the workflow. DevSecOps adds in the security component to ensure security controls are put in place throughout the development lifecycle, and that security vulnerabilities are caught from the get-go.
“In a standard software development process, the team moves iteratively through a variety of stages, beginning with the design of software requirements,” write Joey Barrett, CTO of the West Coast Region for IGNW, a CDW company, and Jeff Ridgeley, a principal consultant with CDW’s cybersecurity practice, in a CDW blog post. “The process continues through the development of code, the building and testing of executables, and the release to production — ultimately leading to the code being adopted as part of ongoing operations. The DevSecOps model seeks to add security feedback loops and checkpoints to each of those activities, rather than conducting security as a late-stage, separate review.”
Organizations that “consult with security teams in the design phase of new software development projects can anticipate the threats their code will face and design defenses against those threats as a core requirement of the software, rather than as a costly after-the-fact bolt-on solution,” Barrett and Ridgeley write.
DevSecOps teams, they add, “can build enforced automated security testing directly into the development pipeline.”
“When developers submit new code for review, an automated security test process is triggered that provides them with immediate feedback on potential flaws and required fixes,” they write. “This tight feedback loop not only improves the potential risks within the code but also allows developers to learn from their mistakes and build better code in the future.”
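The automated check Barrett and Ridgeley describe, and the toolchain gate mentioned above, amount to a policy decision made on scanner output before code can merge. The following Python is an added example (not code from the article, CDW or Colorado OIT) of such a pre-merge gate: findings at or above a severity threshold block the merge unless they are covered by an unexpired, documented risk acceptance, and the verdict is written out as the kind of compliance artifact NIST mentions. The findings, rule ids and file paths are constructed samples, not real scanner output.

```python
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:          # one scanner hit; a real pipeline would load SARIF or tool JSON instead
    rule_id: str        # hypothetical rule ids such as "SQLI-001" are used in the sample below
    severity: str       # low | medium | high | critical
    path: str
    line: int

@dataclass
class GateResult:
    passed: bool = True
    blocking: list = field(default_factory=list)    # findings that fail the merge
    suppressed: list = field(default_factory=list)  # covered by an unexpired risk acceptance
    counts: dict = field(default_factory=dict)      # per-severity totals for the artifact

def evaluate_gate(findings, accepted_risks, today, block_at="high"):
    """Block the merge when a finding at or above block_at has no valid risk acceptance.
    accepted_risks maps (rule_id, path) -> expiry date; an expired acceptance does not suppress."""
    threshold = SEVERITY_RANK[block_at]
    result = GateResult()
    for f in findings:
        result.counts[f.severity] = result.counts.get(f.severity, 0) + 1
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue                                  # reported in the artifact, not blocking
        expiry = accepted_risks.get((f.rule_id, f.path))
        (result.suppressed if expiry and expiry >= today else result.blocking).append(f)
    result.passed = not result.blocking
    return result

def compliance_artifact(result, commit):
    """Plain-text summary the pipeline archives as its security/compliance artifact."""
    lines = [f"commit={commit} gate={'PASS' if result.passed else 'FAIL'}"]
    lines += [f"count.{sev}={n}" for sev, n in sorted(result.counts.items())]
    lines += [f"blocking={f.rule_id}@{f.path}:{f.line}" for f in result.blocking]
    lines += [f"accepted={f.rule_id}@{f.path}:{f.line}" for f in result.suppressed]
    return "\n".join(lines)

# Constructed sample: findings from a hypothetical PR scan; the XSS acceptance is valid, the SQLI one expired.
SAMPLE_FINDINGS = [Finding("SQLI-001", "critical", "app/search.py", 42),
                   Finding("XSS-007", "high", "app/views.py", 88),
                   Finding("LOG-003", "medium", "app/audit.py", 10)]
SAMPLE_ACCEPTED = {("XSS-007", "app/views.py"): date(2030, 1, 1),
                   ("SQLI-001", "app/search.py"): date(2020, 1, 1)}

def run_sample(today="2021-06-01"):
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_ACCEPTED, date.fromisoformat(today))
```

Run against the sample, the critical SQL injection finding fails the gate because its acceptance has lapsed, the high XSS finding is recorded as accepted, and the medium logging finding is counted but does not block.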
Red Team vs. Blue Team Security
In addition to employing DevSecOps, another approach agencies can take to bolster their cybersecurity defenses is to conduct red team and blue team cybersecurity exercises.
As security firm CrowdStrike notes in a blog post, in a red team exercise, the red team acts as an adversary, “attempting to identify and exploit potential weaknesses” within the organization’s defenses by using “sophisticated attack techniques.”
A red team is often composed of “highly experienced security professionals or independent ethical hackers who focus on penetration testing by imitating real-world attack techniques and methods.”
“The red team gains initial access usually through the theft of user credentials or social engineering techniques,” CrowdStrike notes. “Once inside the network, the red team elevates its privileges and moves laterally across systems with the goal of progressing as deeply as possible into the network, exfiltrating data while avoiding detection.”
The blue team’s goal is to focus on cybersecurity defense. “Typically, this group consists of incident response consultants who provide guidance to the IT security team on where to make improvements to stop sophisticated types of cyberattacks and threats,” CrowdStrike states. “The IT security team is then responsible for maintaining the internal network against various types of risk. While many organizations consider prevention the gold standard of security, detection and remediation are equally important to overall defense capabilities.”