Demand for speed and innovation is everywhere in government these days. But now more than ever, in the face of rising and sophisticated cyberattacks, governments at all levels need to prioritize cybersecurity. And according to a recent report, 48% of developers don’t have enough time to spend on security. This means teams need to figure out a way to integrate security into their application development and digital services. But this can be difficult, given that security is often perceived as a barrier to innovation.
In the past, the role of security was often isolated to a specific team in the final stage of development. That wasn’t as problematic when development cycles lasted months or even years, but those days are long over.
Today, leading governments are working to integrate security into their DevOps practices and culture, ensuring that public sector innovation can be delivered securely – and creating an evolved approach called DevSecOps.
Briefly, DevSecOps means thinking about application and infrastructure security from the start instead of tacking it on at the end.
Managing a seamless and secure IT enterprise is no small task in today’s complex environment. For starters, your agency relies on a host of systems and applications to meet daily demands from internal and external customers – everything from online services to email to ticket services, web applications and more.
Ensuring that those systems are updated with the latest code, operating smoothly and running securely requires a joint effort across multiple teams.
But those teams’ varying priorities can clash at times.
Developers work to push code that corrects glitches, provides user enhancements and fixes software vulnerabilities. The IT operations team keeps these systems running and functional for the hundreds or thousands of people who depend on them. Equally important is the security team, which must ensure the same systems are secure, up to date and compliant with federal standards.
To bridge the divide between development, operations and security teams and ensure that systems stay updated, running and secure all at the same time, agencies are investing in DevSecOps.
At its core, DevSecOps is “a cultural and engineering practice that breaks down barriers and opens collaboration between development, security and operations organizations using automation,” according to the General Services Administration’s definition.
The focus is on rapid, frequent delivery of secure infrastructure and software to production, which a growing number of agencies are prioritizing.
The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security, with the goal of safely distributing decisions at speed and scale.
Sounds great, right? But how do you get there?
There are new, innovative technology solutions like containers, automation and cloud computing that can help your agency. But effective DevSecOps requires more than new tools — it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.
This blog post is an excerpt from our new self-paced online course, “Integrating Security From End to End in Government With DevSecOps.” Learn why DevSecOps matters in government today and explore the evolution of DevSecOps.