Ransomware attacks and the security of critical infrastructure have been dominating the news in recent weeks, but security can still sometimes be an afterthought in state government technology projects.
In one stark example in Colorado, two years of development to modernize a system took place before a single security scan was run on the code, according to an award submission the Governor’s Office of Information Technology (OIT) made to the National Association of State Chief Information Officers (NASCIO).
“When the pre-go-live security scan was performed it detected more than 10,000 vulnerabilities, which required mitigation and caused the delay of multiple releases,” the document notes. “This impact to the customer resulted in low satisfaction with OIT, prevented development/deployment teams and the supplying vendor from moving on to other priorities, and frustrations ran high. The outcome emphasized the need to modernize solution and delivery at every touch point — improving efficiency, decreasing overhead, and supporting rapid value delivery to achieve OIT’s goal of customer delight by exceeding expectations.”
Colorado and other states have started to boost the security of their applications and systems by adopting DevSecOps, an extension of the DevOps methodology. With DevSecOps, security is built into an agency’s software and service development from the start, and security teams work hand in hand with developers and operations teams rather than reviewing the result at the end.
What Is DevSecOps?
DevSecOps integrates security into DevOps, an operational model in which operations and development engineers partner throughout the entire software or service lifecycle, from design through development to production support. DevSecOps adds security experts to that partnership so that security is considered from the beginning and at every stage, not only at release time.
DevSecOps as a practice has taken off in the private sector, but is still nascent in state government IT departments.
Kyle Jepson, a senior field solution architect for DevOps with CDW, notes in a recent podcast that high-performing organizations make it a core tenet to bring security into the planning of software and services earlier. “We definitely know from research that high-performing organizations have to consider security earlier on in the software development lifecycle,” he said.
As the National Institute of Standards and Technology notes, the goal of DevOps is to bring together software development and operations to “shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices.”
DevSecOps ensures that security is addressed in all aspects of DevOps, NIST states, “by integrating security practices and automatically generating security and compliance artifacts throughout the process.”
Why DevSecOps Practices Are Important in Government
If software development can be viewed on a timeline from left to right, where the planning phases are on the left side of the timeline and production phases are on the right, DevSecOps aims to shift security “left,” or earlier into the planning process. That helps catch security issues or flaws sooner.
“If we wait until we get into production phases and we’re ready to go live on a product, and then we go to security and we find a problem, now all of a sudden, we’ve got to walk that whole process back to the beginning to be able to address those security risks,” Jepson said.
“So, if we can architect for security at the beginning, the planning phases, if we can embed controls and visibility and tools into each phase of the software development lifecycle, then ultimately what we get is higher quality products into production more quickly,” he added.
There are numerous benefits to DevSecOps, as NIST notes. They include:
- Reducing vulnerabilities, malicious code and other security issues in released software without inhibiting software production and releases
- Mitigating the potential impact of adversaries exploiting vulnerabilities throughout the application lifecycle
- Addressing the root causes of vulnerabilities to prevent security issues from continuously cropping up (this can be done through actions such as “strengthening test tools and methodologies in the toolchain, and improving practices for developing code and operating hosting platforms”)
- Reducing the friction between the development, operations and security teams to simultaneously support the velocity of the organization’s mission while using modern technologies
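The shift-left idea above, NIST’s point about automatically generating security and compliance artifacts, and the benefit of addressing root causes so findings stop “continuously cropping up” all come together in a single pipeline stage: a gate that reads the scanner’s report, applies a policy, and records what it decided. The following is an added example written for this article, not code from OIT, CDW or NIST. It assumes a SARIF-shaped report (the format GitHub code scanning and many SAST tools emit), a severity bucketing borrowed from GitHub code scanning, a policy that blocks on critical and high findings, and a baseline of time-limited waivers; all of those, the sample report and the rule identifiers are constructed for illustration. The waivers with expiry dates address the Colorado scenario directly: when a gate is introduced against a code base with thousands of existing findings, it has to accept a baseline and ratchet it down, or releases stall indefinitely.

```python
# Added example: a DevSecOps pipeline gate over a SARIF-shaped scan report.
# Report shape, severity buckets, policy and baseline format are assumptions.
import hashlib
import json
from datetime import date

# Policy assumed for this example: critical and high findings block a release.
FAIL_ON = {"critical", "high"}


def severity(score: float) -> str:
    """Bucket a 0-10 'security-severity' score as GitHub code scanning does
    (9.0+ critical, 7.0+ high, 4.0+ medium, else low)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalize(sarif: dict) -> list:
    """Flatten SARIF runs/results into simple finding records."""
    findings = []
    for run in sarif["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            props = rules.get(res["ruleId"], {}).get("properties", {})
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res["ruleId"],
                "severity": severity(float(props.get("security-severity", 0))),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
            })
    return findings


def fingerprint(finding: dict) -> str:
    """Stable identity for a waiver: rule + file, deliberately not the line
    number, so an accepted finding is not 'new' again after unrelated edits."""
    return hashlib.sha256(f"{finding['rule']}|{finding['file']}".encode()).hexdigest()[:16]


def evaluate(sarif: dict, baseline: dict, today: date) -> dict:
    """Apply the gate. `baseline` maps fingerprint -> ISO expiry of an
    accepted-risk waiver; an expired waiver blocks again, which is how a
    legacy backlog gets ratcheted down instead of being waived forever."""
    blocking, waived, expired, counts = [], [], [], {}
    for f in normalize(sarif):
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
        if f["severity"] not in FAIL_ON:
            continue
        fp = fingerprint(f)
        if fp in baseline:
            if date.fromisoformat(baseline[fp]) >= today:
                waived.append(fp)
                continue
            expired.append(fp)
        blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "waived": waived, "expired": expired, "counts": counts}


def attestation(sarif_bytes: bytes, result: dict, today: date) -> dict:
    """Compliance artifact to store with the build record: which report was
    judged (by hash), under what policy, with what outcome."""
    return {
        "scan_sha256": hashlib.sha256(sarif_bytes).hexdigest(),
        "policy": {"fail_on": sorted(FAIL_ON)},
        "decision": "pass" if result["passed"] else "fail",
        "counts": result["counts"],
        "waived": result["waived"],
        "evaluated_on": today.isoformat(),
    }


def _loc(uri: str, line: int) -> list:
    return [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}]


# Constructed sample report (not real scanner output), shaped like SARIF 2.1.0.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "py/sql-injection", "properties": {"security-severity": "9.8"}},
        {"id": "py/hardcoded-secret", "properties": {"security-severity": "7.5"}},
        {"id": "py/weak-hash", "properties": {"security-severity": "5.0"}}]}},
    "results": [
        {"ruleId": "py/sql-injection", "locations": _loc("app/db.py", 42)},
        {"ruleId": "py/hardcoded-secret", "locations": _loc("app/settings.py", 7)},
        {"ruleId": "py/hardcoded-secret", "locations": _loc("scripts/legacy.py", 3)},
        {"ruleId": "py/weak-hash", "locations": _loc("app/tokens.py", 15)}]}]}).encode()

# Constructed baseline: one waiver still valid, one long expired.
SAMPLE_BASELINE = {
    fingerprint({"rule": "py/hardcoded-secret", "file": "app/settings.py"}): "2030-12-31",
    fingerprint({"rule": "py/hardcoded-secret", "file": "scripts/legacy.py"}): "2020-01-01",
}


def run_sample(today_iso: str = "2024-01-01") -> tuple:
    """Run the gate over the constructed report; returns (result, artifact)."""
    today = date.fromisoformat(today_iso)
    result = evaluate(json.loads(SAMPLE_SARIF), SAMPLE_BASELINE, today)
    return result, attestation(SAMPLE_SARIF, result, today)


if __name__ == "__main__":
    result, artifact = run_sample()
    print(json.dumps(artifact, indent=2))
    raise SystemExit(0 if result["passed"] else 1)  # non-zero fails the pipeline
```

Run as a pipeline step, the non-zero exit stops the release while the printed artifact is archived with the build, so the decision is reviewable later. The medium finding is counted but does not block, the unexpired waiver lets one known high finding through, and the expired waiver puts the other back in front of the team; the same gate run on every commit is what replaces a single pre-go-live scan that surfaces years of findings at once.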