Six key things to know about DevSecOps

The concept of DevSecOps has taken on added impetus now that Katie Arrington, the DOD’s chief information security officer at the office of assistant secretary of defense for acquisition, said the department should step up its efforts to change workforce culture around it.

PEO EIS already has made strides in this area with Applied Cyber Technologies’ (ACT) recent integration of DevSecOps methodologies in its developmental DRUID (Defense Cyber Operations Resource for Updates, Innovation and Development) technology. To help better educate the EIS workforce about DevSecOps, ACT invited Donny Davis of ORock Technologies to discuss the concept and its application to DRUID at an October 22 lunch and learn presentation.

Following are six key things to know about DevSecOps based on that session:

1. It isn’t a technology. It’s a model, process or way of doing things and finding technologies that do the things you want.

2. It’s first and foremost about people. The first step is to get everybody on board and effect a culture shift, so everyone understands the desired outcomes and how to get them. Competing priorities need to be worked out during this stage. “This is not a spectator sport; you have to be actively engaged,” says Davis.

3. It’s important to address the “5W1H” questions. DevSecOps is a shift in process designed by people, so you need to agree on what output is desired, what teams should be involved, who the customer is, how they will consume the process, etc.

4. Technology is the last thing for discussion and procurement. “People create a process; process drives technology; technology drives the pipeline,” says Davis.

5. Metrics are an important output to consider. Among other things, it’s helpful to find out how long it takes to do a build and how long to iterate until you have useful results.

6. Hybrid solutions may be best for DOD organizations. If you have a web app that’s consumed on a DOD network, it may be better to have a combined cloud/on-premise solution instead of going all-in with cloud. “Hybrid allows you to provide highest levels of access and to spread resources to people who otherwise couldn’t access them,” says Davis.

For more information on ACT’s experience with DevSecOps, contact Fianna Litvok at Fianna.R.Litvok.ctr@mail.mil.