Clockwork is the pinnacle of efficiency – and for good reason. Beneath a numbered time-telling face, an orchestra of mechanics meticulously counts milliseconds, the result of an apparatus of gears that wheel in synchronized motion.
Though it would be a flattering label, government processes traditionally have not even vaguely resembled clockwork. Rather, they’re far more similar to an echoed call: “Does anyone know what time it is?”
It’s time for government to get a watch. Now that threats increasingly strike a widening array of systems, government needs to conduct its operations, development and security as an ensemble of efficiency.
“Paramount to a successful Agile project and a successful DevOps team is collaboration,” said Kevin Portanova, former IT Director of the Real Estate Assessment Center (REAC) at the Housing and Urban Development Department (HUD). Portanova spoke on a recent GovLoop training about IT development with Cindy Blake, Senior Security Evangelist at GitLab.
At REAC, which is responsible for governance of HUD’s subsidized portfolio of properties and rentals, Portanova oversaw and led an IT transition from contracting to in-house development and operations. While REAC gained more direction and control, the transition also thrust the center into the unknown – with a torrent of applications and processes that needed attention.
The IT team knew that to keep pace with demands, it needed to embrace Agile, which is a methodology that emphasizes cross-team collaboration and continuity. And when taking over the development and maintenance of software, the team turned to DevOps – an approach that involves development and operations at the start – as opposed to a linear handoff from development to operations.
REAC’s DevOps process started small, as a team of two developers and one operations personnel pioneered a new application to process a popular HUD form. In a few months of work, the team developed and deployed the product ready to go, already having embedded security into the process
Immediately, REAC saw gains – totaling a 91% increase in efficiency. The form’s processing time dropped from two weeks to two days, and as a result, DevOps gained momentum at REAC.
“There’s a lot more collaboration,” Portanova said. “I mentioned we set up a DevOps team. I think what we learned over time is DevOps is a verb, not a noun.”
The inner workings of DevOps can amplify efficiency for agencies, saving them time and costs as teams have fewer errors to correct and more projects they can complete. However, security – often considered a barrier to speed – can still send projects back to their starting point when not considered on the front end.
Blake, who had worked in both IT and security before coming to DevOps company GitLab, said that security systems in many government agencies have been in place since well before the DevOps revolution. With development and security tools designed for linear development, security teams often have to manually run checks on a variety of systems and constantly keep their eyes on possible vulnerabilities.
“Security testing was traditionally built for a waterfall environment,” Blake said, referring to a development process in which finalized products are sent to operations and security for revision and the process continues in rounds of edits.
Governments always assume risk in their applications, but the nature of the public sector is to be risk-averse with the sensitive data and dollars of citizens. That reluctance to take on risk can bottleneck even the efficiencies of DevOps processes because faster development means nothing if it hits a brick wall of security at the end.
But by embracing DevSecOps, a slight variation of DevOps with security also integrated into development and operations teams, efficiency is put on the fast track. Modern tools have the ability to run automated security tests across systems in DevSecOps, allowing for development teams to catch flaws in their own code before sending it down the pipeline of production.
With these tools in place, security teams can focus more on patching and troubleshooting, shielded from the bombardment of applications in nascent stages of development. Development and operations teams can also release more projects because they don’t have to wait on backed-up security workflows.
The result is that systems are safer and prepared for modern environments of open source and APIs, and teams can collaborate to deploy more applications.
“ [Employees] can be infinitely more efficient,” Blake said.
REAC has gone on to embrace automated testing to foster continuous integration and continuous delivery. The decision has helped REAC cut out waste and inefficiency.
As REAC’s DevOps teams have gone from two to five developers and a tech lead – with seven to 10 additional support staff – Portanova has realized that it’s still an “endless uphill battle” against time and demands, even with DevSecOps soundly in place.
But considering the efficiency and collaboration gains, he’d do it all again. And he will, as he settles into his new position at the National Oceanic and Atmospheric Administration with an Agile approach in mind.
This online training was brought to you by: