Department of Defense DevSecOps Journey

by Sylvia Fronczak on March 30, 2020

Editors Note: We recently discussed why the federal government should adopt DevSecOps. Here, a look at DevSecOps efforts at the Department of Defense presented at All Day DevOps. Sign up now for the upcoming All Day DevOps | Spring Break Edition happening April 17.

The U.S. Department of Defense (DoD) has a unique DevSecOps journey, and we’ll discuss that today thanks to a presentation by Hasan Yasar and Nicolas Chaillan (@NicolasChaillan).

But first, here’s some background on the DoD.

The DoD depends on software, but it doesn’t always control development. Instead, they must maintain software written elsewhere. Difficulties arise when the entire lifecycle is out of their hands.

Why is that? Well, when comparing DoD against the private sector, the DoD starts with acquisition. They purchase software that must later be integrated with all their existing systems. Surprisingly, they have more resources than the private sector, but they end up with less productivity. Because of these limitations, there’s also less agility.

Sponsorships Available

Another result of using software developed elsewhere, they must worry about latent cyber vulnerabilities. These vulnerabilities put the DoD at risk.

Because of this ecosystem, they must work differently.

Issues the DoD Faces

So what sort of problems does DoD experience from that acquisition-based ecosystem?

First, development is a heavy waterfall process in every phase of the software development lifecycle. So when looking at the system with a DevOps perspective, things become difficult. All the timelines are extended. In fact, sometimes it takes years to identify errors in the system.

Additionally, they experience integration difficulties. The testing is all manual, and configuration changes are extensive. To add more pain, they lack parity between their dev, integration, and prod environments.