How Black Pearl and DevSecOps Revolutionized Application Development for the Navy

The DevSecOps approach to application development has gained traction across the United States Department of Defense (DoD) for its ability to expedite the application development process and deliver mission-critical capabilities to the warfighter at the pace of innovation with inherent security protocols integrated into the process from the very beginning.

But what differentiates the DevSecOps approach from traditional approaches to application development and security? And how is this change in the way applications are developed delivering benefits for the DoD?

To learn about DevSecOps and the advantages that it delivers to the military, we sat down with Manuel Gauto. Manuel is not only the Director of Engineering at Sigma Defense Systems, but was a member of the team on the prime contract that helped the Navy establish Black Pearl – the enterprise- level DevSecOps platform and service that is making the creation of new applications for the U.S. Navy fast, secure, and effective.

During our conversation, we asked Manuel about how DevSecOps has revolutionized the application development process, the tools that are making DevSecOps possible, and how the creation of Black Pearl has solved several application development challenges for the U.S. Navy.

Government Technology Insider (GTI): What is a DevSecOps approach to application development? What makes this different from other app development models?

Manuel Gauto: There are multiple disciplines and stages within the application development lifecycle. At the most basic, fundamental level, the DevSecOps approach to application development integrates these different disciplines together.

In the past, application development involved a “waterfall” approach with different phases done in succession. However, this slowed down development, because lessons learned in later stages didn’t make it back to earlier stages until after they were completed.

Problems that were identified in security testing and audits, or in the operations and deployment process, weren’t identified during development. So, those problems would have to be brought back to the software developers to fix. Then the process would start again.

DevSecOps involves all these processes being done continuously across the entire software development lifecycle. This makes it possible to identify security vulnerabilities much earlier in the process, remediate them, and quickly respond to feedback.

Manuel Gauto

GTI: What benefits does it deliver over the old waterfall approach to app development?

Manuel Gauto: It boils down to accuracy, responsiveness, and velocity.

It has been proven that human beings are really bad at coming up with every requirement up front. As we’re identifying requirements, we’ll invariably forget something, or we’ll over engineer something. Ultimately, the requirements aren’t always in line with the need they’re addressing.

DevSecOps increases the responsiveness of application development teams and makes it so that they don’t have to go through some big iteration. Instead of a monumental, monolithic iteration that takes a long time to complete, and then fails, we can iterate on an application. This enables development teams to fail fast and make changes quickly.

Also, if we don’t have to wait to have perfect requirements, we can start building today. This accelerates the entire process and gets mission-critical applications into the hands of users more quickly. We also learn lessons earlier because sometimes things do not come together like we expect.

GTI: Why is it important that the military be able to develop applications more quickly?

Manuel Gauto: The stakes are higher in the military. The applications they develop can be the difference between life and death for warfighters. Historically, the stakes and the importance of the applications the military was developing justified over engineering the solution. An immense amount of time would be spent on identifying requirements and developing a solution that worked right the first time.

However, things happen much more quickly now. If an adversary uses a new encryption algorithm and we can no longer break into their comms, the military can’t start a lengthy, elongated engineering process to fix that. If a software solution or application has a defect that risks warfighter lives, we can’t have a months-long development window to eliminate that defect.

The new rapid pace and evolving nature of warfare means that the military needs to accelerate application development. The military can no longer deliberate on the requirements and over engineer the solution. Today, it’s better to get something out and have it fail safely in the field and then rapidly iterate on that application to make it meet the requirements. DevSecOps enables that because it enables us to iterate on applications and respond more quickly.

GTI: What types of tools and platforms are necessary for DevSecOps?

Manuel Gauto: I personally believe that tools are secondary to process and buy-in across the organization. However, the DevSecOps space has matured significantly in terms of tooling and what is available to application developers.

I will say that today’s application developers need a central source code repository. They need some sort of CI/CD (Continuous Integration and Continuous Delivery) orchestration system. They need tools that provide insight into the state of their code and their system. They should adopt static code analyzers, dynamic code analyzers, container scanners, and other tools that can analyze the different parts of the system. And any platform or solution that can deliver multiple of these capabilities is helpful.

Within Sigma Defense Systems, we’ve had excellent experiences using GitLab’s solution. GitLab integrates a number of these different tools, functions, and capabilities for us. Platforms like GitLab provide a turnkey baseline of tools that can enable an organization to focus on changing its culture and approach to development.

That being said, new tools and solutions are always coming to market. This is why we’re constantly analyzing new tools and solutions – looking for best-of-breed tools – that we can adopt for Black Pearl and other efforts. We’ve already swapped our container analyzer out twice. We’ve added more static code analyzers. The market is changing so often that it’s important not to fall in love with any one tool and constantly evaluate new solutions in the marketplace.

GTI: What is Black Pearl? Why did the Navy authorize the creation of Black Pearl?

Manuel Gauto: I would describe Black Pearl as a software development enablement organization. There are a few different products offered by Black Pearl, but the most popular – by far – is Black Pearl Party Barge.

Party Barge is the common development environment that enables people to quickly stand up software factories. Which is ultimately what started Black Pearl from the beginning.

The U.S. Navy had been dealing with software factory sprawl where software factories were spinning up across the Navy. While that’s not necessarily a bad thing, it did create a problem because there was a duplication in infrastructure and investment. The Navy had multiple cloud environments and multiple development environments. Black Pearl was created to help eliminate this duplication of infrastructure.

Black Pearl Party Barge provides an environment for any new software factory that wants to stand up, build, develop, and get on-boarded quickly, without needing to reinvent the wheel or create new infrastructure that already exists.

GTI: What role did Sigma Defense play in the creation of Black Pearl?

Manuel Gauto: Fundamentally, we are the prime contractor behind Black Pearl.

We were approached by three different organizations within the Navy to build the same DevSecOps platform. Instead of building that platform three times in three different places, we recommended to the Navy to build it once, as an enterprise-level service that could be leveraged across the organization.

GTI: How does Black Pearl help accelerate the ATO process and get applications to Navy personnel more quickly and efficiently?

Manuel Gauto: There are a couple of things that Black Pearl does on the ATO front. First, Black Pearl provides a pre-authorized environment to develop applications. Also, it’s available online, which makes it completely accessible to anyone who wants to develop applications on behalf of the U.S. Navy.

Finally, we’re working to develop an end-to-end cloud software factory that will have the first true continuous authority to operate for applications deployed to the cloud. Using this software factory, a developer who wants to build an application can onboard into Black Pearl, do their development, build within a set of prescribed parameters from the Black Pearl team, and have continuous authorization to operate in the end – as long as their application meets those parameters.

Today, Black Pearl is accredited to Impact Level 5, but we’re in the process of getting Black Pearl authorized and accredited to the secret level.

GTI: Can you provide examples of applications built with Black Pearl?

Manuel Gauto: The Aegis weapons system – the crown jewel of the Navy’s ballistic missile defense system – has a software factory called Forge. That software factory is built upon the Black Pearl platform. Black Pearl is being used in the effort to modernize the Aegis weapons system.

Also, the Navy’s Rapid Autonomy and Innovation Lab (RAIL) is leveraging Black Pearl for its work. That organization is currently leading the development of autonomous software for underwater, surface, and air autonomous vehicles.

Finally, I can say that there are multiple battle management aids that are currently being developed within the Navy with the use of Black Pearl’s offerings.