Imagine if your federal agency spent tens of millions of dollars and 2 years modernizing a complex, mission-critical system. Then, imagine that new, modern system sitting on the sidelines waiting for another 10 months to be introduced into the agency’s environment because the Authority to Operate (ATO) certification has not been granted. Unfortunately, this scenario happens more often than you may think, and many times agencies can’t speed critical services to market fast enough. An Assessment and Accreditation (A&A) process routinely takes months or even a year before an ATO can be granted. ATOs are a requirement of the Federal Information Security Management Act (FISMA), under which Chief Information Officers (CIOs) must accept the security risks of each system in the agency’s network.

One of the biggest hindrances to federal IT modernization is not actually capturing the funding or developing the technology; it’s obtaining an ATO. Agencies are always looking for a more robust process to expedite achieving compliance and securing an ATO without compromising any security requirements. The key to expediting the process is the adoption and use of a robust DevSecOps process.

Because DevOps (a portmanteau of software development and information technology operations) and DevSecOps (DevOps plus security engineering) are terms that arose organically in industry and weren’t coined by a centralized authority, no readily agreed-upon definition exists for what they mean.

DevOps got its start in the technology industry as companies, striving to meet consumer demand, needed to release new features and fixes continuously and reliably at a high velocity. The inclusion of “Sec” in the terminology signifies the importance of security and why risk mitigation needs to be addressed from inception and throughout the software development life cycle (SDLC). DevSecOps professes the need to instrument security controls in every phase, including architecture, application code, production environments, and beyond.

The traditional or waterfall engineering pipeline siloed developers and security teams. Engineers held onto a project and handed assets over to security only when the development portion of the project was complete. Gradually, these processes were scaled up and automated to meet the increased need for speed and eventually became DevSecOps. Now, most software development companies just use automated vulnerability scanning tools like Fortify to scan their source code once. Then, they throw their application and security reports over the fence to the security team. And that is how most companies define their DevSecOps.

Conducting one source-code scan and calling it DevSecOps isn’t enough. In 2017, 35,277 cybersecurity incidents were reported by federal agencies in the United States. The increasing digitization of federal agencies and their personally identifiable information (PII) data has made them a major target for acts of cybercrime and warfare. Because of these increasing threats, applications built for federal agencies should be fortified from inception, not just for a faster ATO (although it helps).

A robust DevSecOps pipeline should contain a mix of technology, processes, and people, but most pipelines nowadays focus exclusively on technology and much less on the processes and people involved. Security needs to be an integral part of the enterprise architecture from the beginning of the design. The following sections will cover what a fortified DevSecOps looks like and how it speeds up gaining an ATO.

First, make sure engineers are trained on the fundamental security practices and controls that must be applied in the architecture, design, code, and configurations of an application. Ensure developers are trained on how to develop secure code that does not expose vulnerabilities classified by the Open Web Application Security Project (OWASP). Confirm that operations engineers are educated on how to encrypt data “in transit” and “at rest.” The team should also be trained on security tools that can be implemented and used to automate as much of the process as possible: source-code scans, runtime security protection, and security monitoring. They should also continue to keep up on modern coding practices. These are just a few example topics that should be covered in security training. These methods have been used successfully for many of Pyramid’s federal IT modernization projects.

Second, everyone involved in the project should be made aware of what is needed by a specific customer.
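The post’s central point is that one scan at the end of development, with the report thrown over the fence, is not DevSecOps; the scan has to run on every change and its results have to gate the pipeline automatically. The script below is an added example written for this page, not code from the post or from Pyramid’s projects. It assumes the scanner emits SARIF 2.1.0 (a format most SAST tools, including Fortify via its converters, can produce), that the pipeline runs it on each commit, and that the agency records signed-off risk acceptances per rule id; the report it parses is constructed, not real scanner output.

```python
"""Per-commit security gate over a SAST report (added example, not the
post's or Pyramid's tooling). Assumes SARIF 2.1.0 input; the report below is
constructed for illustration.
"""
import json
from collections import Counter
from dataclasses import dataclass, field

# Constructed SARIF 2.1.0 document standing in for a real scanner report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "debug-log", "level": "note",
             "message": {"text": "Verbose logging enabled"},
             "locations": []},
        ],
    }],
})


@dataclass
class Finding:
    rule_id: str
    level: str
    text: str
    uri: str
    line: int


@dataclass
class GateResult:
    passed: bool
    counts: dict
    reasons: list = field(default_factory=list)


def parse_sarif(doc: str) -> list:
    """Flatten SARIF runs[].results[] into Finding records."""
    data = json.loads(doc)
    findings = []
    for run in data.get("runs", []):
        for res in run.get("results", []):
            # A result may carry no location; fall back to placeholders.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=res.get("ruleId", "unknown"),
                level=res.get("level", "warning"),  # SARIF's default level
                text=res.get("message", {}).get("text", ""),
                uri=loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                line=loc.get("region", {}).get("startLine", 0),
            ))
    return findings


def evaluate_gate(findings, max_errors=0, max_warnings=5, accepted_risks=()):
    """Apply the build policy: fail on unaccepted errors, cap warnings.

    accepted_risks (hypothetical input) lists rule ids whose risk the
    authorizing official has formally accepted; those findings are still
    counted nowhere in the verdict but remain visible in the report.
    """
    counts = Counter(f.level for f in findings if f.rule_id not in accepted_risks)
    reasons = []
    if counts["error"] > max_errors:
        for f in findings:
            if f.level == "error" and f.rule_id not in accepted_risks:
                reasons.append(f"{f.uri}:{f.line} {f.rule_id}: {f.text}")
    if counts["warning"] > max_warnings:
        reasons.append(f"{counts['warning']} warnings exceed budget of {max_warnings}")
    return GateResult(passed=not reasons, counts=dict(counts), reasons=reasons)


if __name__ == "__main__":
    result = evaluate_gate(parse_sarif(SAMPLE_SARIF))
    print("PASS" if result.passed else "FAIL", result.counts)
    for reason in result.reasons:
        print("  -", reason)
```

Wired into CI as a required step, the gate turns the scan from a one-time report into a control that is exercised on every change, and the accepted-risk list makes the risk decisions the ATO package documents visible in the same place the engineers work.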