Eight Considerations for Building an Effective DevSecOps Platform

For the United States military, getting new applications to the warfighter at the speed of combat operations is not just important – it’s mission critical. We’ve seen numerous instances of software being updated quickly to meet mission requirements, and then having a massive impact on mission success.

For example, two applications leveraged by the Air Force during the military evacuation of Kabul’s Hamid Karzai International Airport, C2IMERA and Slapshot, were instrumental in providing situational awareness and streamlining operations. These applications were developed by Kessel Run and were being rapidly iterated and improved to address the feedback of soldiers on the ground. According to Staff Sgt. Gabriel Stines, the Slapshot tech lead with Kessel Run, these applications were quickly upgraded to meet the needs of the operation and help to save lives. Iterating on applications and releasing them to the warfighter quickly isn’t new for the organization. It’s actually something they practice.

“Making a code change and releasing it in less than a day is something that we practice often,” Sgt. Stines explained to the GovDevSecOpsHub. “Our path to production is always open, and we’re able to deliver operational capabilities as soon as the need is identified.”

But it takes more than just practice to develop and deploy software applications at the pace that military operations require. Developing and deploying at speed also requires seamless coordination across multiple software factories. To enable this coordination, the U.S. Department of Defense (DoD) has set clear directives for establishing a department-wide software factory ecosystem that leverages the military’s existing investments.

By utilizing these enterprise-level services – or DevSecOps platforms – instead of creating unique services, the disparate software factories and development organizations across the DoD can more effectively share code, use a common set of tools, and significantly accelerate security approvals for all software developed within that ecosystem.

For example, the enterprise-level service established by Sigma Defense Systems on behalf of the U.S. Navy is called Black Pearl. The foundation for a software factory ecosystem, Black Pearl provides reusable pipeline components and tools to all developers operating within the ecosystem. And it supports both classified and unclassified environments, providing turnkey compliance and security for all levels.

Black Pearl allows the software factories and software development teams across the Navy to rapidly stand up development pipelines to quickly create new applications and continuously modify code in response to changing needs and priorities. All this is done within a secure environment that breaks down silos and unifies software development, deployment, security, and operations. When built effectively, an enterprise-level service or DevSecOps platform can deliver a number of benefits for the agency or organization, including:

  • Authority to Operate: DevSecOps teams can spend months getting Authority to Operate (ATO) approval for software systems—time that could be better spent developing the software. When constantly being updated and evolved with the latest and most advanced tools and solutions, enterprise-level services and DevSecOps platforms can shorten development timelines by enabling a continuous ATO (cATO).
  • A shared DevSecOps environment: An enterprise-level DevSecOps platform is a common software environment that provides commoditized DevSecOps tooling and pipeline component templates, integration infrastructure, and compute. Together, these enable fast, cost-effective standup of software factories within a common ecosystem.
  • Easy access by developers: Internet-accessible development platforms eliminate the need to connect to a government network or route through a VPN during development.
  • Easier collaboration: The use of a common platform enables multiple software factories to use the same tools – allowing for collaboration and easy code sharing.
  • Built-in security and compliance: Instead of starting from scratch with security and accreditation, enterprise-level DevSecOps platforms have done the work ahead of time. All available resources will be current, secure, and available.

But what should a military organization or government agency be looking for when developing its own enterprise-level DevSecOps platform? Here are eight considerations that were a priority for Sigma Defense Systems when developing Black Pearl on behalf of the U.S. Navy:

  • Flexibility: No process or Software Factory can support all mission profiles. Black Pearl Party Barge was designed to enable the stand-up of mission-specific Software Factories without needing to deploy duplicative infrastructure. It is not meant to enforce a prescriptive process.
  • Options for classified and unclassified environments: No platform is one-size-fits-all, especially with the relative sensitivity of applications and data.
  • Ability to bring your own tools: Developers often use a variety of small tools in support of their process. Black Pearl was designed to enable users to quickly bring many of their own tools into the environment without intervention from the Black Pearl team.
  • Accessibility: Not all users within the DoD community are working on government networks. Accessibility over the internet by a wide variety of users was a key consideration for Black Pearl.
  • Run-time security and enforcement: Look for top-level security functions that guard against a range of vulnerabilities, including double encryption at higher impact levels. If a vulnerability is suspected, the platform should immediately quarantine it and notify the platform owner.
  • Standard interfaces: Choose a platform that is designed to cleanly interface with the rest of the DoD Software Ecosystem.
  • High-fidelity integration testing: Look for a platform that has built-in integration testing environments and can host high-fidelity, mission-specific integration environments.
  • A proven platform with a good pedigree: Platforms with real success and experienced engineers demonstrate reliability and create less risk.

The author, Manuel Gauto, is a Director of Engineering at Sigma Defense Systems, and the Chief Engineer for Black Pearl, the Department of the Navy’s software factory and development pipeline.