Delivering Faster, More Secure Software to the Navy: Insights from Anchore
The evolution of modern warfare is accelerating at exponential rates. To keep pace with the evolving tactics of our adversaries and ensure operational success, the U.S. military must be able to leverage rapid software development pipelines to deploy secure, mission-critical applications to the battlespace.
An integral component of software development is the inherent security measures and protections that must be baked into any application that is deployed in the field. That is where DevSecOps comes into play. A DevSecOps approach to application development infuses continuous security testing and auditing throughout the entire software lifecycle. This allows risks and vulnerabilities to be identified and remedied much earlier in the development process, eliminating the opportunity for adversaries to exploit them.
Employing a DevSecOps approach to military applications allows development teams to fail fast and remediate quickly, which ultimately cuts down long lead times to deployment and ensures faster delivery of critical software into the hands of the warfighter.
During the recent online event, “A Tale of Scale and Speed: How the U.S. Navy is Enabling Software Delivery from Lab to Fleet,” representatives from Anchore and Sigma Defense examined how the Navy is strengthening its software development pipelines by using the Black Pearl platform together with Anchore to remove the heavy lift of manual security compliance.
Black Pearl: Software Factory? Or Factory Enabler?
Black Pearl is a software development enablement organization that was developed – in partnership with Sigma Defense and the U.S. Department of Defense – in response to the U.S. Navy experiencing a software factory sprawl. Before Black Pearl, the Navy had several software development environments running simultaneously which had resulted in both infrastructure and investment duplication. Black Pearl’s purpose was to eliminate duplicative efforts and streamline the process of production across the entire Navy.
According to Christopher Rennie, Product Growth Lead and Solution Architect at Sigma Defense, it is important to note that Black Pearl is technically not a software factory with respect to the Department of Defense’s traditional definition of the term. “We want to make the differentiation that we’re not quite a software factory just yet, because software factories include a production capability. What [Black Pearl] provides is a managed path to production on a proven DevSecOps platform that’s based upon infrastructure-as-code, configuration-as-code, and automation that’s baked in.”
Josiah Ritchie, DevSecOps Staff Engineer at Sigma Defense, echoed Rennie’s sentiment about the Black Pearl platform’s enabling capabilities. “We’re a factory that helps you build a software factory,” he said. “There’s no limitation on what tools you can bring in to do this kind of work.”
Black Pearl also provides professional services, such as mentoring, capability integration, the onboarding of additional software, and general DevSecOps expertise. Through Black Pearl’s offshoot programs like Party Barge and Lighthouse, the Navy is now leveraging that DevSecOps expertise to support collaboration across the development and security teams, provide hosting capabilities, and automate a majority of its development processes. “We can provide that mentoring so [the Navy] can hit that ground running,” said Rennie.
Eliminating the Heavy Lift
One of the major advantages of deploying Black Pearl solutions for application development is that all of the logging, metrics, cybersecurity, runtime security, and cluster compliance requirements are baked into the platform.
“We’ve taken care of all the hard work for you,” explained Rennie. “We take care of the boring stuff…We set you up and make sure that you have all of that governance in place, so that you’re not releasing software before it’s ready…So the question is do you want to do it yourself or adopt Black Pearl?”
Rennie explained that standing up a DevSecOps platform on one’s own can take up to six months for an organization to complete. “But for us, we’re already in place to where we can get you up and running in a matter of days,” he said. “In fact, we have addressed 80 percent of most security controls, so we can help you get your application accredited… You can avoid all of the boring stuff and just get down to what everyone does well, which is write code.”
Adding Value to the Mission
The end goal of programs like Black Pearl is to develop software that adds value to the end users in the Navy who are executing a mission. Black Pearl is a DevSecOps Platform-as-a-Service (PaaS) dedicated to standing up software factories with ease, and Anchore is a tool beneath that platform umbrella specifically focused on the security compliance aspects of the software development process.
Anchore is a software supply chain security platform for cloud-native applications that integrates directly into the DevSecOps workflow at source, build, stage, and production to prevent security vulnerabilities from being exploited.
Before pushing software applications live, there are numerous security benchmarks and checkpoints that must be reviewed, audited, and approved by authorizing officials (AOs). This is where Anchore plays a crucial role, by providing developers with the set of artifacts that will need to be handed over to an AO for review.
“The goal here is that within those pipelines, every time you’re building a new version of your software, you’re generating these artifacts,” explained Connor Wynveen, Principal Solutions Engineer at Anchore. “[Anchore will generate] a software bill of materials (SBOM) that inventories everything that’s in your application, execute a vulnerability scan to make sure you’re looking good from a vulnerability stance, as well as carry out a policy scan.”
Wynveen explained that Anchore removes the tedious, time-consuming manual work usually required to show that software and applications adhere to the applicable FedRAMP policies, RMF (Risk Management Framework), CIS benchmarks, DISA standards, and NIST controls. “[Anchore] provides the evidence that your application is hitting the mark for all of the NIST controls that you own as an application developer,” he said. “You want those artifacts to be tight when you hand them over to an authorizing official, so it doesn’t delay the process of ultimately delivering that software to your target users.”
And that is the goal for programs like Black Pearl and Anchore, to deliver mission-critical applications and software to the warfighters and stay one step ahead of the threat. As Sigma Defense’s Director of Engineering, Manuel Gauto, articulated in a recent interview with Government Technology Insider, application development can be a matter of life and death for the warfighter, and there is no time to waste on manual processes that can easily be eliminated with today’s emerging software development solutions.
“Historically, the stakes and the importance of the applications the military was developing justified overengineering the solution,” said Gauto. “An immense amount of time would be spent on identifying requirements and developing a solution that worked right the first time. The new rapid pace and evolving nature of warfare means that the military needs to accelerate application development…and can no longer deliberate on the requirements and overengineer the solution…DevSecOps enables that because it enables us to iterate on applications and respond more quickly.”