The National Institute of Standards and Technology is exploring development of DevSecOps guidance for agencies that would normalize the concept of moving security “left,” back into the software development life cycle.
NIST is currently gathering information on products developed using DevSecOps, an organizational philosophy that combines agile software development, security testing and tools for rapid delivery of applications and services.
Eventually that information will be refined into a DevSecOps framework, said Ron Ross, a NIST fellow. The goal is a final product that is not so prescriptive as to limit agencies’ implementation and innovation, he said.
“To me the biggest benefit that the feds will see out of this is that it’s going to give them better transparency into the products that they’re buying and the systems they’re building because, right now, a lot of that complexity is really beyond their reach,” Ross told FedScoop. “They know the controls they need to implement, but a lot of that stuff is done in industry.”
Agencies remain largely in a “waterfall” mindset where, at the end of software development, there’s a “Big Bang” authorization process that comes too late, he added.
“Great concept, but at its core it’s talking about agility and getting the right people that own a part of the delivery life cycle together,” Kent said. “As we look into the next decade, we have to continue to do that with our mission and business teams, as well as the constituents that we’re serving.”
Changing the way agencies have done business for the last 40 years won’t happen overnight, Ross said.
Ross noted how industry and government developed the chief information security officer (CISO) role under the CIO to handle security problems, which effectively isolated security from enterprise architecture, systems engineering, acquisition and software development.
“If you do good software development, most of our security problems will go away because all of the nagging vulnerabilities that we see in software — a lot of those are attributed to people not using secure coding techniques and things we should be doing,” Ross said during a panel discussion at the summit.
Most of agencies’ digital security controls are buried deep within system stacks, making it hard for officials to determine if they’re operating properly. Agile software development embeds testing and evaluation into the life cycle, producing a body of evidence agencies can use to make “credible, risk-based decisions in a very complicated systems environment,” Ross said.