The Right Application Platform Can Help DoD Develop Its DevSecOps Culture MARKET TRENDS REPORT


Introduction

Last August, the Defense Department (DoD) threw down the gauntlet on software development with the release of the reference design for the DoD Enterprise DevSecOps Initiative. The goal is to develop software quickly and securely through collaborative, open source, and Agile methodologies. That would drive vulnerabilities out of software early and deliver it “at the speed of mission,” while including security right from the start.

The initiative, headed by Air Force Chief Software Officer Nicolas Chaillan, aims to help DoD break free of the slow waterfall process of software development it has traditionally used. Waterfall typically addresses security only as an afterthought. The new approach will help the department keep pace with both the fast-moving world of software development and the ever-shifting cybersecurity landscape. With continuous delivery, rapid prototyping, and constant testing and feedback, DevSecOps can give the military services and DoD components the tools they need when they need them.

But adopting that faster, collaborative model is easier said than done. It requires a cultural change within DoD, in addition to the contributions of many groups, including traditionally siloed stakeholders, such as developers, security team members, procurement offices, and end users. It also means shifting to a methodology of continuous integration, testing, monitoring, security and delivery that marks a significant change from traditional methods.

To learn more about how agencies can benefit from DevSecOps, GovLoop teamed with GitLab to produce this report. GitLab is a DevSecOps platform providing a software solution that has been hardened to DoD standards and is the first single application for the entire DevSecOps lifecycle.


BY THE NUMBERS: DevOps and Security: Room to Improve

With a mature DevOps practice in place, security teams are three times more likely to discover vulnerabilities before code is merged and 90% more likely to test between 91% and 100% of code than in an organization with early-stage DevOps, according to the 2019 GitLab Global Developer Report. Other key findings:

44% of developers say security vulnerabilities are a performance metric for developers in their organizations.

49% say they struggle with making remediation of vulnerabilities a priority.

Even in organizations where security is a performance metric, 55% of respondents reported difficulty in getting coders to focus on fixing vulnerabilities.

50% of security professionals said their teams most often found vulnerabilities after code was merged into a test environment. In fact, security professionals reported that developers find just 12% of the late-stage vulnerabilities.

How do developers rate their own security practices? Fair 30%, Good 25%, Poor 23%

How do security professionals rate their security practices? Fair 36%, Poor 24%, Good 20%

Source: GitLab 2019 Global Developer Report: DevSecOps


THE CHALLENGE: Software Behind the Times

For DoD, the baseline reality is that its software acquisition process hasn’t been keeping pace with warfighters’ needs, particularly when the commercial sector — and adversaries — push new capabilities into use quickly. DoD has traditionally relied heavily on waterfall development, a methodology that delivers new software about every three to 10 years, according to a DoD presentation. Additionally, DoD’s Authority to Operate (ATO), a formalized accreditation process burdened with manual testing, can take eight months or longer to accredit software, further delaying speed to mission.

Practically everything in DoD today is a software system, from weapons and aircraft to logistics and communications. The F-35 Lightning II aircraft, for example, has more than 8 million lines of code in the fighter itself, and 24 million lines if you count its ground-based Autonomic Logistics Information System (ALIS). Because so many of DoD’s systems rely on software, continual updates are necessary to keep systems running smoothly, as the Government Accountability Office noted in a report last year. Traditional, glacial processes of acquisition and development won’t cut it.

That has led DoD, like organizations in other sectors, toward Agile development — a collaborative process that breaks down software projects into development sprints — and DevOps, an organization-wide set of principles, practices, and tools that includes Agile and should enable automated testing and continuous delivery. DevSecOps, so named because it combines software development, security and IT operations, puts DoD’s other priority — security — into the mix from the beginning, engaging developers, users, security teams and others.

“Fundamentally, it’s being willing to change the way we do things for the better,” said Joseph McKairnes, DoD Senior Federal Solutions Architect for GitLab. “In years past, taking months or years to adapt to a threat was practical. Threats to our nation were typically from entire countries - we knew who they were and could deal with them accordingly.

“For the DoD today, the threat landscape is ever-changing - with so much reliance on connected systems and software, new threats are constantly appearing, and from unknown entities. The DoD needs to adapt to this in minutes or hours at a minimum,” McKairnes said.

THE SOLUTION: DevSecOps to the Rescue

One goal of the DoD Enterprise DevSecOps Initiative is to reduce application timelines from months or years, common with waterfall development, to weeks, days, hours or even minutes. This exceeds even the months-or-weeks model of Agile development. The ultimate goal is to put the tools and process through an ATO process so that the software created is already authorized to operate and can be immediately deployed.

DevSecOps uses automation in every stage of development and delivers software to the cloud via open source containers with Kubernetes orchestration, which automates deployment and management of containers. The whole process is enhanced by Knative, a Kubernetes-based platform to build, deploy and manage modern serverless workloads. The containers allow for baked-in security, including behavior detection and zero trust, through the initiative’s Sidecar Container Security Stack. A DoD Centralized Artifacts Repository (DCAR) provides a store of hardened and centrally accredited containers. The use of open source containers avoids vendor lock-in with cloud providers.

The process of implementing DevSecOps, however, can be complex. It has 10 functional areas, for which developers typically would have to procure and train on 15 to 30 products, which can dramatically slow the process.

Because it is a single application for the entire DevOps life cycle, GitLab shortens that process significantly. For example, automated security scans complete as soon as a developer pushes code to the repository, allowing the developer to identify and address vulnerabilities immediately. Scanning while the developer is still engaged in the coding allows real-time, proactive remediation of potential security vulnerabilities.

The GitLab solution is pre-authorized for use within DoD, which can help shorten the ATO process. It also allows Common Access Card (CAC) and Personal Identity Verification (PIV) authentication, enabling a single sign-on (SSO) approach that further saves time.


BEST PRACTICES FOR DEVSECOPS: Collaborate and Automate

Automation

A key element of DevSecOps is automation. GitLab automates the continuous integration and delivery pipeline with features including Auto DevSecOps, which handles manual configuration work, such as security auditing and vulnerability testing. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) scans show results directly in the merge request, and dependency scanning and container scanning publish their results in both the merge request and pipeline views.
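To make the automation concrete, here is an added example of what enabling those scanners looks like in a project's pipeline definition. It is not taken from the report or from GitLab's own documentation; it is a minimal `.gitlab-ci.yml` that includes GitLab's published security job templates so that SAST, secret detection, dependency scanning, container scanning and DAST run on every push. The template paths are GitLab's; the stage names, the image build job, the excluded paths and the DAST target URL are assumptions chosen for this example.

```yaml
# Added example: minimal .gitlab-ci.yml wiring GitLab's built-in scanners
# into a pipeline. Template paths are GitLab's; everything else here
# (stages, build job, placeholder values) is assumed for illustration.

stages:
  - build   # build and push the application image
  - test    # SAST, secret detection, dependency and container scanning
  - dast    # runtime scan against a deployed review instance

include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis of source
  - template: Security/Secret-Detection.gitlab-ci.yml     # leaked credentials in commits
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # known-vulnerable libraries
  - template: Security/Container-Scanning.gitlab-ci.yml   # OS packages in the built image
  - template: Security/DAST.gitlab-ci.yml                 # probes a running instance

variables:
  # Directories the static analyzers should skip (test fixtures); placeholder list.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  # URL of the review deployment the DAST job scans; placeholder value.
  DAST_WEBSITE: "https://review-app.example.internal"

# Assumed build job. It pushes the image under the tag the container
# scanning template looks for by default
# ($CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA), so no extra
# configuration is needed for the scanner to find it.
build-image:
  stage: build
  image: docker:20.10
  services:
    - docker:20.10-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
```

Each included template contributes a job that emits a JSON report artifact; when a pipeline runs for a merge request, GitLab reads those artifacts to populate the security widget on the merge request, which is the "results directly in the merge request" behaviour described above. The scanners that need a license tier still run their jobs on other tiers, but only the report artifacts, not the merge request widget, are produced there. Keeping the build job's image tag aligned with the container scanning template's default avoids the common failure where the scan job succeeds trivially because it was pointed at an image that was never pushed.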

Collaboration

One of the guiding principles of DevSecOps is that everyone is responsible for security. DevSecOps.org’s manifesto stresses open contributions and collaboration, sharing information such as threat intelligence, putting results over checklists, and trusting data security and data science over doubts and fears — all of which require open communication.

Continuous Everything

Continuous testing is a part of any Agile development methodology. DevSecOps testing should cover a full range of areas, including front-end, back-end, application programming interfaces, databases and passive security testing. Continuous integration tools can help automate security checks. Finally, everything is continuous with DevSecOps, including delivery, version control, monitoring and remediation.

Simplify

A common refrain in DevSecOps is to keep code simple, since needlessly complex code works against security and efficiency. Developers can apply a coding standard to keep their code simple, enhancing collaboration with other developers who can easily understand their code at a glance.

Choosing the right tools

The General Services Administration (GSA)’s guide to Building a DevSecOps Culture notes several key metrics to ensure continuous development, threat detection, and release cycles. It includes measuring deployment frequency; lead time; detection of threats, security defects, and flaws; mean time to repair; and mean time to recovery. It also cites threat modeling, code reviews, and red teaming as keys to detecting security issues.

The DoD Enterprise DevSecOps Initiative spells out its goals clearly: “The main characteristic of DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle: plan, develop, build, test, release, deliver, deploy, operate and monitor.” Not surprisingly, many of the best practices of DevSecOps map to those goals.


USE CASES: PUTTING PRINCIPLES INTO PRACTICE

GitLab’s DevSecOps Solution for Software Development

In the federal government, security is at the forefront of everything. GitLab’s DevSecOps platform recognizes this by integrating security scanning throughout the software development process.

“One of GitLab’s biggest advantages is its true integration of security controls in developing applications, and the fact that the entire development pipeline is present right out of the box,” said Anshuman (Andy) Patel, Chief Executive Officer of Jasper Solutions, which provides IT solutions to DoD and other federal agencies. Jasper uses GitLab in developing DoD software applications, including those built for multi-cloud capability, and has found it effective in streamlining development and ensuring security.

“GitLab makes processes easier to automate,” Patel said, and “provides visibility that makes development at the edge of the network more feasible, when working in real-time in a deployed environment is not realistic.” GitLab allows a short feedback loop with users that enables greater collaboration.

“GitLab also has proven effective in working with Sensitive Compartmented Information [SCI] and is making a real difference in the development of new tools involving artificial intelligence, augmented reality, and other advanced applications,” Patel said.

The military services are seeing the results. Within DoD, the Air Force is on the leading edge of DevSecOps with its software factories, which use GitLab in building open source applications and collaborating with startups and others in the private sector on efforts often named with popular science fiction references. The Kessel Run Experimentation Lab, for instance, has contributed to projects such as the Mad Hatter maintenance software used by customers such as the Vermont Air National Guard and teams working on the F-35 Lightning II.

HOW GITLAB CAN HELP

GitLab is a DevSecOps platform built from the ground up as a single application for all stages of the software development life cycle, enabling product development, quality assurance, security, and operations teams to work concurrently on the same project.

GitLab provides teams a single data store with one user interface and one permission model across the DevSecOps life cycle, allowing them to collaborate and work on a project from a single conversation, significantly reducing cycle time and focusing exclusively on building great software quickly.

To help organizations master the key elements of DevSecOps, GitLab has created an assessment for the methodology. Organizations can score themselves on 20 capabilities and then use those scores to understand their DevSecOps maturity level and determine what actions their team can take to bring it to the next level.

Built on open source, GitLab leverages the community contributions of thousands of developers and millions of users to continuously deliver new DevSecOps innovations.

GitLab is the world’s largest all-remote company, with more than 1,200 team members in more than 65 countries. GitLab is fundamentally changing the way Development, Security, and Ops teams collaborate by helping teams accelerate software delivery from weeks to minutes, reduce development costs, and reduce the risk of application vulnerabilities while increasing developer productivity.

GitLab was named as a “Niche Player” in the 2020 Gartner Magic Quadrant for Application Security Testing. And a September 2019 Forrester report ranked GitLab among a handful of leaders in Cloud Native Continuous Integration Tools and Cloud Provider Agnostic Continuous Integration, citing developers’ experience with having a single application for every phase of development. GitLab was also praised for its easy-to-use and cohesive interface, strong analytics, and support for container registries like Kubernetes. Gartner recently named GitLab a “Visionary” in its Magic Quadrant research into Enterprise Agile Planning Tools, and a “Challenger” in its Magic Quadrant report for Application Release Orchestration.


Conclusion

A DevSecOps approach can solve a real need for DoD: secure, reliable, automatically updated software that is developed and deployed at the speed of mission to meet the requirements of DoD operations, from the back offices to the front lines. DevSecOps is mission-critical, since the constantly shifting cybersecurity landscape demands that software be secure right out of the gate.

Traditional methods of procurement and development no longer meet that need. A DevSecOps approach of collaboration, constant testing, and continuous delivery can get the right software to the right units at the right time. But that works only if you pick the right tools to make the process more seamless, and therefore more effective and secure.

ABOUT GOVLOOP

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to [email protected].

ABOUT GITLAB

GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab helps teams accelerate software delivery from weeks to minutes, reduce development costs, and reduce the risk of application vulnerabilities while increasing developer productivity.

Learn more at about.gitlab.com/publicsector


1152 15th St. NW, Suite 800, Washington, DC 20005

P: (202) 407-7421 | F: (202) 407-7501

www.govloop.com | @GovLoop