NIST's Ron Ross pivots to DevSecOps
Agile software and software security techniques are taking a firmer hold as agencies look for faster, better ways to provide services.
NOTE: This article first appeared on FCW.com.
Cybersecurity's move "below the waterline" of system access to the internal workings of devices is forcing a new way to look at how agencies develop more agile capabilities, said Ron Ross of the National Institute of Standards and Technology.
"We have to change the fidelity of the process" of developing devices from the very start, Ross said at an Advanced Technology Academic Research Center conference on March 10.
Ross said he thinks the shift is so important that in January, he moved from the position he's held for 17 years at NIST's Federal Information Security Modernization Act implementation project to leading NIST's effort to develop a DevSecOps framework at the organization similar to its Cybersecurity Framework.
His move came as agencies from the Departments of Veterans Affairs to Homeland Security are working DevOps techniques into their capabilities and services.
"I've been doing the FISMA stuff for 17 years now. Right now I'm transitioning to the systems security engineering side of the house," he said. That area, he said, deals with broader issues within systems' development, which has the potential to inject security into emerging devices and systems earlier in the process.
DevSecOps crosses the entire software development lifecycle, Ross said. Injecting agile capabilities into software development at federal agencies is also key to keeping up with commercial technology innovation.
"You want systems to operate like the human body," he said, developing defenses based on nimble, virtual defenses as well as built-in security capabilities.
Agencies are adapting to agile DevOps and DevSecOps for security capabilities at different speeds, according to federal agency DevOps managers at the summit.
Chakris Raungtriphop is in the process of replacing traditional waterfall development with DevOps techniques at DHS. The agency is hoping to start DevOps pilots with some of its programs in the coming months.
"The remainder of this year, we'll identify programs for transformational process. Ideally, those pilots will cover different programs of varying sizes at the agency, Raungtriphop.
Component agency programs such as U.S. Citizenship and Immigration Services systems transformation effort, as well as the efforts to transform the Federal Emergency Management Agency's grants programs modernization will inform the pilot programs, he said.
The pilots will use standard DevOps tool sets to allow the agency learn how those tools will work and can adapted across the agency's components. The pilots, he said, will play out over the next year.
VA has been transforming various services, leveraging agile techniques to bring benefits services to heel. It has used agile development for those services, said Patty Craighill, director of DevOps at the agency. VA employees, she said, have had to adapt to a DevOps mindset that includes a more tolerant attitude towards risk in exchange for faster products and services, as well as an intricate understanding of its customers.