Original Broadcast 7/16/23
Presented by Carahsoft
By Francis Rose
Recently, I spent the day at the Carahsoft DevSecOps conference talking with industry leaders on the future of DevSecOps in the government market. We discussed several topics regarding the future of the discipline including security, scalability, acquisition, compliance, risk, and value. Below you will find some of my key takeaways from these conversations.
Bridging the Gap for Comprehensive Security: A recurring theme among industry experts is the imperative to bridge the gap between development, operations, and security teams. This involves fostering enhanced collaboration and a shared understanding of security vulnerabilities. One challenge identified is the lack of visibility into runtime security data for developers. Addressing this blind spot becomes crucial to ensuring a comprehensive security approach.
Cultural Transformation: With the shift from traditional static data centers to dynamic cloud infrastructures, a cultural transformation is deemed essential. Industry leaders emphasize the significance of embracing a shared responsibility model across stakeholders. This includes infrastructure providers, application teams, and end users. The cultural shift is pivotal in achieving seamless collaboration and efficient DevSecOps adoption.
Agility and Innovation: The evolution of DevSecOps mirrors a broader trend towards agility and innovation in government software development practices. A move from traditional waterfall approaches to agile methodologies, coupled with the integration of software factories within government agencies, enables swifter, more secure software delivery. Such adaptations are vital to keep up with the rapid pace of modern threats posed by agile adversaries.
Managing the Software Supply Chain: Software supply chain risk management is rapidly gaining prominence. Experts highlight the necessity of a comprehensive understanding and management of third-party components. Software Bills of Materials (SBOMs) are hailed as indispensable tools for identifying, remediating, and managing potential risks associated with third-party software.
Automation and AI Integration: Automation emerges as a cornerstone of DevSecOps’ future. It not only expedites vulnerability detection but also facilitates real-time resolution. The potential role of artificial intelligence (AI) and machine learning in optimizing DevSecOps processes is underscored, promising advancements in both security and efficiency.
Education and Collaboration: Acknowledging the need for education and mutual understanding, industry leaders stress enhanced collaboration, dialogue, and shared learning between government agencies and industry partners. Effective collaboration is pivotal in navigating the complexities of DevSecOps adoption. This alignment on priorities, methodologies, and risk mitigation strategies is vital for mutual success.
Holistic Approach to Security: DevSecOps transcends being a mere collection of tools and practices. It represents a holistic approach to security that spans the entire software development lifecycle. The integration of security considerations at every development stage is pivotal, shifting away from treating security as an afterthought.
The future of DevSecOps within the government sector is a dynamic landscape characterized by collaboration, cultural transformation, automation, and the comprehensive integration of security throughout the software development lifecycle. As government agencies strive for greater agility, security, and innovation, industry partners play a pivotal role in offering solutions, expertise, and resources aligned with these aspirations. Addressing the challenges and capitalizing on opportunities necessitates concerted efforts to adapt, educate, and collaborate effectively. This joint endeavor shapes the trajectory of secure and efficient software delivery in the public sector.
Viewpoints from industry leaders:
Michelle Davis, Director Public Sector Solution Engineering – Red Hat
Dan Fedick, Sr. Solutions Engineer – HashiCorp
John Gozzi, Director Public Sector Solution Engineering – VMware Tanzu
James Hostelley, Principal Sales Engineer – ForgeRock
Chris Hurlbutt, Sales DoD – Palo Alto Networks
Brian Kroger, Founder & CEO – Rise8
Larry Maccherone, Dev[Sec]Ops Transformation Architect – Contrast Security
Sara Mazer, Federal CTO – LaunchDarkly
Nick Mistry, SVP, Chief Information Security Officer (CISO) – Lineaje
Al Nieves, Vice President Federal Sales – Aqua Security
Coty Rosenblath, CTO – Katalon
TJ Rowe, VP Sales – Second Front Systems
Jay Ryan, U.S. Federal Program Manager – Security Compass
Matt Schmidt, Sales Director, US Public Sector – Kasten by Veeam
Ben Straub, Head of Public Sector Sales – Atlassian
George Teas, VP of Solutions Architecture – Elastic
Johnny Wong, Senior Director of Solutions Architecture – Veracode
Michael Wright, Senior Director, Federal – CloudBees