DevSecOps Top of Mind in Aerospace and Defense Industries

A recent survey released by Lynx Software Technologies reveals widespread adoption of DevSecOps practices across the mission-critical aerospace and avionics industries, particularly those related to government and defense. This high rate of DevSecOps adoption (72% in the past two years based on responses) is being driven mostly by C-suite executives concerned about ransomware and other security threats. They also recognize the need to securely support digital transformations which will lead to more connected systems that are developed primarily through agile programming.

“Aircraft and avionics systems are becoming much more connected—whether commercial or military—and there is intense pressure from the government to accelerate adoption of AI and other new tech while shrinking down the development cycles in order to catch up with competing countries,” says Ian Ferguson, VP of Marketing at Lynx who helped formulate the survey questions. “Increasingly, what’s being articulated in Washington is about the advanced development out of China, and Russia’s plans for an electronic battlefield by 2030 with aircraft and drones connected to land-based platforms.”

Some of this is already happening in the Ukraine war. And, in a recent ShiftLeft interview, former Air Force and Space Force Chief Software Officer Nicolas M. Chaillan described how he stood up PlatformOne, a secure open-source repository to support agile development across the military branches in order to keep pace with changing battlefield operations and compete with adversary countries advancing their warfare technologies.

Lynx Software Technologies enables this type of agility by providing platform connectivity to mission-critical systems used in manned and autonomous military, aerospace, and federal systems. Lynx platforms are based on open standards through its real-time hardened operating system LynxOS, a UNIX-like developer interface named POSIX, and standards-based FAA-certified reusable software componentry. Through the acquisition of best-of-breed technologies, Lynx platforms support secure development workflows, such as static analysis and SBOM generation, as well as lifetime maintenance for IoT-based applications that could stay in operation for decades.

“We’re a software provider that for the last thirty years has been focused on military and avionics systems. Lynx is involved with Lockheed Martin helicopters, Gray Eagle armed drones from General Atomics, and a range of systems that have to work constantly in a deterministic way,” Ferguson notes. “We go into those platforms with code coverage tools, including static analysis to fully identify the package of software that we’re delivering and to identify vulnerabilities and gaps.”

In support of these increasingly connected, safety- and mission-critical systems, 77% of the Lynx survey respondents cited the need to identify and remedy security concerns earlier in the development process as a key contributor to DevSecOps adoption. And nearly 88% of the aviation segment of respondents said their organizations have implemented DevSecOps at every stage—from development to testing, monitoring, feedback, deployment, and continuing operations.

Ongoing system support is also critical, Ferguson adds. In these industries, developers need to plan for connected systems to be around for the long haul; in other words, they also need to shift right to support them long after deployment. “When we talk to providers of jet engines and other airplane infrastructure, they want their systems in operation for twenty-five years or more. Developers of these systems need to take a long-term outlook on what vulnerabilities are out there. Even though they shipped a system five years ago, they need to patch and update in a controlled way.”

In the survey, 53% of respondents cited product and component recertifications as the third most common motivator to shift to DevSecOps, following fear of ransomware (81%) and supporting digital transformation (71%). The survey report, What To Know About Aerospace & Defense’s Latest Security Trend, was commissioned by Lynx Software Technologies and conducted by Zogby Analytics in October. It polled over 200 IT decision makers in the aerospace, aviation, government/public sector, and military industries to analyze the state of DevSecOps in the aerospace and defense industry.

“The good news is that these systems are connected and supporting digital transformations. But the bad news is that these critical systems are connected. So, organizations need to follow best DevSecOps practices throughout the system lifecycle,” Ferguson surmises. Fortunately, in the survey, nearly two-thirds (65%) of IT decision-makers said that security remains the top priority in their development process, with 90% of C-suite respondents reporting that they view system security and safety as the top priority.

Pro Tip: Check out GrammaTech’s CodeSonar Safety Documentation Kit for Hardening Software and adhere to avionics DO-178C safety standards.

*** This is a Security Bloggers Network syndicated blog from Shift Left authored by Deb Radcliff. Read the original post at: https://shiftleft.grammatech.com/devsecops-top-of-mind-in-aerospace-and-defense-industries
