Leaning into Rapid Software Development with DevSecOps

June 16, 2022

The Big Picture

Software factories will be pivotal to the operational performance of the Air Force in the over-the-horizon future, and DevSecOps offers new potential to increase agility, shorten release timelines, improve reliability and lower costs for building secure software applications. Exploiting open-source frameworks and languages for quick starts, DevSecOps represents a modular, adaptive and flexible approach to software development that holds the key to making better code, faster. By allowing the Air Force to deploy capabilities more quickly, to embrace and learn from fail-fast approaches and to build stronger software products, DevSecOps will be vital for effective warfighting in the future battlespaces the Air Force anticipates. Cultivating ecosystems in which digital innovation can occur will, however, require traditional ways of working to change if the Air Force is to become capable of building, acquiring and delivering software at speed.

Software and Warfighting

Software is indispensable for integrating sensors and shooters from the ground up to space, and it defines the vast majority of mission-critical capabilities today for the Air Force and its sister services at large. With mission performance increasingly shaped by the ability to develop and deploy software faster than the next operational threat emerges, there is a decisive advantage to be gained for the Air Force if it can lean into rapid software development to generate customized, on-demand solutions to warfighter needs. Despite the advantages it can unlock in an era of accelerating digitization and automation, building enterprise software quickly and securely remains a complex endeavor. For best results, teams of agile development experts must be matched with supporting infrastructure, laboratory environments and product development frameworks that do not fit easily into the traditional organizational structures and ways of working of military services.

The challenge of building custom enterprise software in the defense context is compounded by security criteria that drive compartmentalization and rigid environmental controls. Traditional barriers to software development at large have stemmed from the inclination of military users to demand bespoke solutions even when requirements across a user or enterprise community would justify common approaches and shared solutions. By focusing instead on proprietary solutions developed using closed frameworks, military users have opted for products that are more time-intensive to develop, test, deploy and upgrade, requiring custom code and repetitive processes carried out by different teams across the software product lifecycle. There is now a realization that creating robust, scalable and secure software that can quickly be deployed and enhanced to support constantly changing operational requirements with agility is pivotal to fighting and winning in the future battlespace.

Building Better Code, Faster

To succeed, the Air Force’s enterprise software services must become vendor agnostic and embrace agile and open frameworks for development. To make better software products faster, approaches are needed that break down the stovepipes and silos standing in the way of information-sharing and, crucially, of deeper collaboration across developer and user communities. DevSecOps is a methodology combining software development, security and IT operations for the rapid creation, deployment and use of digital applications. With developers and users working side by side to create and test new software, make improvements and push out upgrades quickly, the lifecycle stages of the DevSecOps framework – Design/Plan; Build; Test/Verify; Release; Deploy; and Monitor/Runtime – address the traditional disconnects between software development, operations and security for military enterprises such as the Air Force.

By shortening the feedback loop between warfighters and users and the developer teams, and by capitalizing on common code whenever possible, development teams become far better able to turn around and push out incremental improvements quickly. Making a high percentage of code shareable among developers contrasts with programs of recent years in which proprietary software was developed from scratch, but it can deliver products more rapidly and at lower cost without compromising high-performance attributes. DevSecOps also draws cybersecurity thinking and practices into the design and development phase itself, so security is built in from the beginning and continuously improved throughout the development cycle rather than addressed only at later stages of product development.

‘Baking in’ zero-trust security from the first source code onward enables a more advanced risk posture, frees software development teams to be more experimental in product development, and lets them release software faster. By removing the need for lengthy security sign-offs, DevSecOps makes continuous delivery with comprehensive security possible, which in turn provides the basis for a continuous authority to operate (cATO). With a vast amount of automation built into the product development process, together with ‘containerization,’ which resolves the challenge of getting software to run reliably as it is moved across different computing environments, developer teams using DevSecOps can create and deploy more secure, more dynamic applications faster.

Disclaimer and Notices

Any opinions expressed on or through this blog are the opinions of the individual author and may not necessarily reflect the opinions of SPPS, the organization(s) the author belongs to or is affiliated with, their clients or any government entity.

The materials and information on this blog have been prepared or assembled by SPPS and, where mentioned, in association with partners, and are intended for informational purposes only. You may view, copy, download, print or share this material for personal, non-commercial, and informational purposes as long as you do not modify the contents therein. Unless authorized, none of the materials may be copied, reproduced, distributed, downloaded, displayed or transmitted in any form or by any means for any commercial purposes without the prior written permission of SPPS (email operations@spps.ae for inquiries and permissions).

Any information provided in this blog is provided on an “as is” basis without liability of any kind, either express or implied, including without limitation, fitness for a particular purpose, or non-infringement. SPPS may periodically add, change, improve and update the information and documents on this blog. SPPS assumes no liability or responsibility for any errors or omissions in the content of this blog.