DevSecOps for Government: Safer Software Sooner
Government agencies are making the move to DevOps. See how integrating DevSecOps means their teams can rapidly develop software that's safer.
"You deploy it, you own it."
It's a phrase heard often in the DevOps community. It connotes responsibility, accountability, and not passing the buck. You not only deploy code into production that works, but you deploy code that is of the highest quality, scalability, and performance.
It also signifies security. None of us want "you deploy it, you own it" to evolve into "you deploy it, they own it."
At All Day DevOps this past October, we heard from a number of people across the federal government who are leading DevSecOps initiatives. Leonel Garciga at the Department of Defense's JIDO shared his organization's journey to DevSecOps, detailing how they have automated numerous ATO paths.
The GSA's John Jediny (@JJediny) also described his agency's journey, covering ongoing authorizations (ATO) with component reuse and closed-loop CI/CD pipelines, and how they found fertile ground between DevOps and SecOps while operating under the federal government's compliance regimes.
John was also one of the architects behind the GSA's recently published DevSecOps Guide. The Guide describes "the requirements that need to be met by any specific implementation before it can be considered a Standard GSA DevSecOps Platform. It can also be used by owners of platforms in conjunction with the CTO, Deputy CIO, and CISO to define an implementation of the requirements described in this framework. Furthermore, it can be used by application developers to understand and find platform implementations. This framework is set alongside a template that captures the requirements for any platform implementation."
The DevOps teams at the U.S. Department of Defense and U.S. Government Services agency are among several agencies that have embarked on a journey to DevSecOps -- a journey that delivers better software, sooner. These teams have embraced the "you deploy it, you secure it" mindset -- where security is not simply bolted onto the end of the development process, but integrated early and across their DevOps pipeline.
To learn more about DevSecOps initiatives in government (lessons that can also be applied to the private sector), I encourage you to listen to Leonel's session and read the GSA DevSecOps Guide shared above.
All Day DevOps 2018
The free, online conference goes live on October 17th, offering 100 different practitioner-led sessions, each one 30 minutes long. With 5 separate tracks (CI/CD, Cloud-Native Infrastructure, DevSecOps, Cultural Transformations, and Site Reliability Engineering) and 100 speakers, there's sure to be something for everyone.
And speaking of everyone, if you're part of an organization with 20+ people that want to attend the conference (again, it's free!) then you should consider joining the Club 20 program so that you might get your company logo added to the ADDO site. Check out some of the Club 20 participants here and consider joining them.
Hope to see you online at the show!
Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.