Top 6 Reasons the Time is Now for DevSecOps in the Federal Government

March 25, 2020 By Jason Green

3 minute read time

Underpinning all modern technology - software and hardware - is a supply chain. However, even as “software eats the world,” or we could argue “ate the world,” there is still too little understanding of the software supply chain, with continued focus on hardware. The reality, however, is that software is much easier to pollute than hardware. While there has been an increase in awareness around the need for a coordinated application security strategy, the federal government has historically focused on playing strong defense, putting up walls at the perimeter, and at the end of the digital supply chain.

It’s time to shift more security resources further left. In this way, the government can play better offense at the beginning of the digital supply chain so that federal agencies can better protect themselves and the American citizenry.
  1. Open Source is Powering Federal Software Development - Open source software components are the backbone of federal software supply chains; in fact, 85% to 95% of an application is composed of open source components. Since they are free, and readily available, they allow agencies to save time and money, and in many cases improve quality.

  2. Not All Open Source Components are Created Equal - Sonatype’s research shows that within the Java ecosystem 1 in 10 contains a known security vulnerability and within JavaScript more than 51% of all components have a vulnerability, highlighting the security challenges that agencies are up against.

  3. Agencies Don’t Know How Much Open Source They’re Using - There is a lack of transparency in how much open source software is being used throughout the federal government. A disconnect between the developers and security teams, make it difficult to rectify this, but with proper controls, can be fixed. 

    NIST Special Publication (SP) 800-161 offers specific supply chain risk management practice recommendations. 

  4. Lack of Open Source Policies Leading to Breaches - According to Sonatype’s DevSecOps Community Survey of 5,500 IT pros, 1 in 4 organizations confirmed or suspected an open source related breach last year. Of organizations with DevOps practices, only 6 in 10 have policies evaluating open source use, and of those not practicing DevOps, it plummets to 2 in 10.

  5. Cost Emphasized Over Security Protocol - One of the biggest threats comes from the contractors paid to support the federal government and are supposed to be helping protect its sophisticated systems. Too often they are inadvertently introducing vulnerabilities into the supply chain with the emphasis on cost over security.

  6. Regulations Around Software Development is Coming - In recent years, however, new legislation and recommendations have begun providing a roadmap for where the US should be headed. There is an opportunity for savvy contractors and agencies to get ahead by prioritizing security in their development process now.

LEGISLATION TIMELINE

SonatypeGovernment-1

 

“You need to change the system, not just go around the system. You have to make that change last.” Nicolas M. Chaillan, Chief Software Officer, US Air Force - read more in BusinessChief.com

Tags: Cybersecurity, government, devsecops, featured

Written by Jason Green

Jason Green, Vice President of Public Sector, Sonatype. Jason is a huge advocate of applying proven technology supply chain management principles into DevSecOps practices to improve efficiencies and sustain long-lasting secure and competitive advantages.

Jason has supported the Federal Government over the past 20 years in leadership, technical innovation, and support with an emphasis on the National Security Sector and Defense Sector to include Counter Terrorism, Counterintelligence, and Counter Espionage. He is applying these principles as the ATARC DevSecOps Working Group Industry Chair.