The afternoon of May 6th made clear that the time for DevSecOps is now across the federal government. An audience of over 500 attendees across the public sector joined together online to connect with five government DevSecOps pathfinders and one notorious white hat hacker. These sessions are now recorded and available on-demand. Why bring all these government technology leaders together? To provide a practical roadmap on how to successfully integrate security into DevOps and digital transformations -- straight from the agencies and innovators who've done it.
The forum consisted of four keynote sessions and two fireside chats. Here are takeaways from each of session:
Chris Roberts, adversarial researcher and white hat hacker, kicked off the program with an unfiltered perspective on the state of information security. He says one of the issues we have in our industry is that we don’t have a good handle on the severity of our breaches. We keep pushing information to the cloud. As security people, we have a moral obligation to try to protect others. How do we protect data and other sensitive information? He suggests the following:
- We fix the basics. Too many times we go into organizations where they don’t have an SDLC in place. Learn from mature organizations.
- We build security throughout the entire process. Security and safety are built from the get-go. Put deception technology throughout the entire life cycle to test its reslience.
- We share DevSecOps strategies and collaborate. Start sharing information and intelligence faster by talking other people’s languages. Take complicated things and put them into plain simple terms and common language.
- Segmentation and separation of information into smaller domains by collapsing to smaller perimeters. Make it hard for adversaries to move from system to system.
- Continuous monitoring throughout the entire lifecycle is a key part to everything we do today. DevSecOps can help us manage the risk of rapid development.
Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition, ASD(A), for Cyber joined Derek Weeks, cofounder of All Day DevOps and Sonatype VP, for a fireside chat about the transformation in government and buying down the risk with DevSecOps.
“We have to think about software as a liability and ever evolving because of this security is foundational,” she said. “We have to develop software in the most secure environment at the speed of relevance. Part of the challenge we have is not knowing who developed the code we are using and the risk associated with that code. We need to establish risk mitigation practices around using code and do our due diligence.”
Nicolas Chaillan, the first Chief Software Officer in DoD history, took the position at the United States Air Force nearly 18 months ago. He is the co-lead for the Department of Defense Enterprise DevSecOps initiative. Nicolas shared his experience as the Air Force Focal Point for software, cloud and cybersecurity related impediments and enablers. He discussed the importance of the Cloud One and Platform One programs and their goals to support software Enterprise Services by helping programs across AF programs, 60+ DoD initiatives and beyond. For successful digital transformation we must rapidly adapt to changes, work as a team, and with various technologies, he said. We need to bring options, “One size fits all is never going to scale across the DoD,” he added. We want to eliminate friction by stopping limitations.
Lauren Knausenberger, Chief Transformation Officer of the US Air Force and champion for Kessel Run, took questions from attendees in her interactive Fireside chat.
Q: How do we get more people behind Continuous ATO? How do we automate these steps?
A: Continuous ATO’s are built for teams that have put in the work to become true Ninjas. It's a lot easier when you have a solid DevSecOps process and doesn’t happen overnight.
Q: How are we improving cybersecurity training ?
A: We encourage developers to look at some ethical hacker training. The best hackers are developers and the best developers understand hacking too. Look at how you can simplify the code so you there's less to get you in trouble.
Q: How do you go about breaking down silos?
A: Get people together in person. Some people will naturally collaborate. Some people will be trying to solve similar problems. We are very open to sharing with the community.
Brian Fox, Management Consultant for 18F of the GSA, closed out the forum by discussing DevSecOps and the importance of psychological safety. In order to spread the courage to change the status quo we have to celebrate small failures, share them, and change our approach. We need to focus on continuous learning and share what we learned with those around us.
And remember this, “it's not a question of if we can do DevSecOps. It’s a question of how fast we can do DevSecOps.”
“There will be risk but we shouldn’t hold back on developing and moving at the speed of relevancy because we are afraid of failure.”
“Only through a high level of compassion, not empathy, where you are seeking to ease other people's pain, can you move forward,” he said.
From my perspective combining innovative leadership, the right personnel, governance, and the right solutions, enables agility, automation, and precision which are key tenants when driving value from DevSecOps. The more we can collectively collaborate about what works, what doesn’t, and what is still yet to be determined, will greatly increase our likelihood of success in our DevSecOps journeys.
Light the way for DevSecOps throughout government agencies by watching the full, on-demand, recorded sessions.