Novetta teams use Agile methods to rapidly write software, but this burst in productivity is hard to sustain during testing and deployment. DevSecOps practices weave together the needs of software development, information security, and system operations so we can release secure software quickly, reliably, and repeatedly.
In the ancient days (when respected coders were called gurus rather than rockstars), the software development lifecycle followed a waterfall pattern. Software flowed downhill over months or years through clearly-delineated phases of responsibility: requirements, design, development, testing, deployment, and operations. Monolithic projects had the agility of a rudderless ship, and were often too expensive, too late, or strayed too far from the original requirements.
With a switch to Agile methodologies (like Agile Scrum or the Scaled Agile Framework), software visibly improves every few weeks and our engineers can easily course-correct when requirements evolve. The desired outcome is that faster changes should have more mission impact. While great in theory, there are clear limitations:
- Throughput: as development accelerates, the resources needed to test and deploy become the bottlenecks. The ability to create a software enhancement in an hour is irrelevant if it still takes a week to test it and deliver it to the end users.
- Security: while Facebook’s Agile catchphrase, “Move fast and break things”, works well in Silicon Valley startups, it’s the antithesis of the national security missions that Novetta supports. Our software cannot afford the risk of crashing during a critical operational window or subtle bugs that a malicious actor could exploit.
DevSecOps is all about taking software that’s ready for release and deploying it in the safest, most reliable manner possible. At Novetta, our project teams employ Agile and DevSecOps together to accelerate the entire software lifecycle for diverse, urgent missions involving advanced analytics, cyber operations, and machine learning (MLOps).
Following our previous investment in a Machine Learning Center of Excellence (COE), which has accelerated innovation for our customers’ artificial intelligence requirements, we established a DevSecOps Center of Excellence. The COE synthesizes unique approaches from Novetta project teams, promotes best practices, and accelerates the onboarding of new projects with DevSecOps templates and tooling. This investment directly benefits our customers by enabling Novetta to build highly portable, scalable and reusable solutions even faster.
The COE’s ongoing work confirms that the unique requirements of successful DevSecOps adoption align well with Novetta’s culture of innovation and creative engineers.
For starters, DevSecOps requires a culture of collaboration where everyone has a shared sense of ownership in the final software. Agile on its own doesn’t change the fact that developers, testers, security officers, and system administrators each have different metrics for success. When developers are judged by how many features they release but testers are judged by how many bugs they find, it’s easy for more traditional teams to fall into a culture of blame instead of ownership. Our experience at Novetta is that small teams of generalists with cross-functional skillsets perform better than specialists obeying traditional team divisions. We eliminate the potential for conflict by emphasizing a shared understanding of the requirements, collaborative development, and egoless code reviews (focused on improving the code, not critiquing the coder).
DevSecOps also demands a voracious adoption of automation. There are immovable limits on efficiency when a human is in the loop, so anything that can be scripted should be. Over time, our Quality Assurance teams have evolved from traditional website clickers into automation engineers who can exercise the entire application and run security scans in seconds. We automate software builds and keep server configurations under version control, so we can spin up new test environments with the push of a button on cost-efficient cloud infrastructure. We use containerization to standardize deployments across network enclaves at varying security levels. Containerization lets us bundle an application with the specific versions of the code libraries it requires, rather than trying to install and maintain hundreds of dependencies by hand on every host.
Projects that use DevSecOps can be placed at one of three maturity levels. With Continuous Integration (CI), every change a developer commits is automatically built and tested. With Continuous Delivery (CD), every change that passes CI is automatically packaged into a release-ready artifact, so it can be deployed on demand; the decision to deploy remains a deliberate step. Novetta DevSecOps engineers have designed, developed, and operated CI/CD pipelines for software delivery across the company to deploy more consistently and minimize downtime during patches and upgrades. The third level, Continuous Deployment, removes that final manual step so every tested change goes live immediately. This is more common for commercial software, where operational security is not paramount.
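One concrete piece of the automation described above is the security gate that decides whether a build may leave the CI stage. The script below is an added illustration, not Novetta's tooling and not the output format of any particular scanner: it reads a vulnerability report whose shape (an artifact name plus a list of findings with severity, fix availability and waiver status) is assumed for this example, applies a simple policy, and exits non-zero so the pipeline stops. The sample report embedded in it is constructed. Two design choices worth noting: a finding with an unrecognized severity blocks the build (the gate fails closed rather than silently passing malformed input), and findings with no fix available can either block or be demoted to a warning, since a pipeline that can never go green on an unfixable upstream issue tends to get bypassed entirely.

```python
"""Example CI security gate (added illustration, not Novetta's own tooling).

Reads a scan report, applies a release policy, and returns a pass/fail
decision plus the findings that drove it. The report format is an
assumption made for this example.
"""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report. The shape (artifact, findings[]) and every
# identifier in it are invented for this example.
SAMPLE_REPORT = json.dumps({
    "artifact": "analytics-api:1.4.2",
    "findings": [
        {"id": "FINDING-1", "severity": "HIGH", "package": "libfoo",
         "fixed_in": "2.3.1", "waived": False},
        {"id": "FINDING-2", "severity": "CRITICAL", "package": "libbar",
         "fixed_in": None, "waived": False},
        {"id": "FINDING-3", "severity": "MEDIUM", "package": "libbaz",
         "fixed_in": "1.0.9", "waived": False},
        {"id": "FINDING-4", "severity": "HIGH", "package": "libqux",
         "fixed_in": "4.2.0", "waived": True},
    ],
})


def evaluate_gate(report_json, fail_at="HIGH", block_unfixed=True):
    """Apply the release policy to a JSON scan report.

    Returns (passed, blocking_ids, warnings):
      - findings at or above `fail_at` block the build unless waived;
      - waived findings are recorded as warnings so they stay visible;
      - findings with no available fix block only if `block_unfixed` is
        True, otherwise they are downgraded to warnings;
      - a finding whose severity is not recognized blocks (fail closed).
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at.upper()]
    blocking, warnings = [], []
    for finding in report.get("findings", []):
        fid = finding.get("id", "<no id>")
        severity = str(finding.get("severity", "")).upper()
        rank = SEVERITY_RANK.get(severity)
        if rank is None:
            # Fail closed: a finding we cannot classify must not slip through.
            blocking.append(fid)
            continue
        if rank < threshold:
            continue
        if finding.get("waived"):
            warnings.append(f"{fid}: {severity} waived")
            continue
        if finding.get("fixed_in") is None and not block_unfixed:
            warnings.append(f"{fid}: {severity} with no fix available")
            continue
        blocking.append(fid)
    return (not blocking, blocking, warnings)


def main(argv):
    """Pipeline entry point: read a report file (or the sample) and exit 1 on failure."""
    path = argv[1] if len(argv) > 1 else None
    report_json = open(path).read() if path else SAMPLE_REPORT
    passed, blocking, warnings = evaluate_gate(report_json)
    for warning in warnings:
        print("WARN ", warning)
    for fid in blocking:
        print("BLOCK", fid)
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step with the scanner's output file as the argument; the non-zero exit code is what makes the CI system halt before the artifact is published. The threshold and the unfixed-findings policy are the two knobs a program would tune per enclave, and waivers should live in version control alongside the pipeline definition so that every exception is reviewable.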
Compartmented Cloud Services: Novetta’s DevSecOps practices allowed us to expedite the creation and accreditation of a highly secure Platform-as-a-Service (PaaS) offering, taking the program from proof-of-concept to Authority-to-Operate (ATO) in less than a year. Our work in this area gave us experience to win a spot on the Air Force’s PlatformOne Basic Ordering Agreement (BOA) and two significant task orders.