by Dr. Robert Buccigrossi, TCG CTO
DevSecOps offers great potential for improving Federal IT practice by integrating development, security, and production performance as shared goals of a single IT team. The overall philosophy is that a unified team will naturally embrace practices that eliminate disruptive issues, mitigate security risks, improve efficiency, and save time. This works because the team is inspired by the burden of responsibility to maintain quality, integrity, confidentiality, availability, and efficiency.
While the overarching philosophy and core principles of DevSecOps will be vital for Federal agencies in the coming years, agencies looking to implement these principles face a difficult obstacle: the Federal environment itself. Most government agencies split responsibility for IT between application, operations, security, and program management teams. While dividing responsibilities between separate teams is useful in many ways, it is anathema to DevSecOps principles. However, there are ways that organizations can establish a unified DevSecOps team across the separate organizations running Dev and Ops.
If a single organization hosts the full development and production pipeline, that set-up guarantees that responsibility can be granted to a unified DevSecOps team. This in turn ensures that developers are acutely aware of any issue in performance, security and stability, leading to better practices. However, there are situations when an agency would prefer to maintain separate development, security, and operations contractors. But then it’s more of a challenge to give the entire team direct and shared responsibility for security, performance, and stability.
It takes deliberate planning to ensure that a chasm doesn’t form between the development, security, and operations teams (a chasm typically signalled by builds being pitched “over the fence” from development to security and operations).
Solution: Establish Agile Ceremonies and Responsibilities
Through the use of Agile structure and ceremonies, we increase collaboration across, and in some areas eliminate, the borders between Dev, Sec, and Ops to create a single, unified team with shared responsibility.
- Establish a DevSecOps Scrum team with both Dev and Ops members: As the project gets closer to production release, a joint Scrum team will incorporate Ops members in Sprint planning, daily scrums, and retrospectives.
- Share production performance and security reports: Giving developers direct and frequent insight into system performance and security is a foundation for sharing responsibility for production availability and response time. Reports need to be shared across all DevSecOps team members.
- Elevate production performance issues as backlog items to be addressed by the Scrum team: This allows end-user experience to be prioritized alongside new feature development.
- Share on-call and outage responsibility: Sharing this responsibility between developers and operations ensures that developers are directly responsible for the quality and performance of the code that they write.
- Incorporate production security scanning tools with development and test environments: This “shifts left” security responsibility with the Development Team.
Of course, there may be resistance among the teams: developers may be slow to realize that production or security issues are a direct result of their code; operations may be reluctant to share administration duties with developers; and security experts will have to adapt to frequent automated scanning, as well as educating other team members to think about security risk management. But as a result of this shared ownership, the full DevSecOps team will understand and work together to brainstorm ways to improve quality, security, and performance for the benefit of the end users.
This approach has proven successful for us in the past. On two separate projects where TCG implemented the steps described above, our systems have maintained over 99.7% uptime (including maintenance outages) for the past two years.
Pitching builds “over the fence” creates gaps in development, operations, and security. Agencies and Federal contractors need to revise expectations for collaboration in different areas of the organization. Shared Agile and Scrum ceremonies provide the architecture for creating the unified teams and common responsibility that is integral to DevSecOps.