Search AFCEA Site

Enable breadcrumbs token at /includes/pageheader.html.twig

DevSecOps Isn’t Just a Buzzword

DevSecOps may be the latest term but the idea behind it remains constant: Security should be a priority from the start of development.

By Julianne Simpson
Katie Arrington, chief information security officer for Acquisition and Sustainment, U.S. Department of Defense, says there’s no point in developing software if it’s not secure, during a webinar on securing the federal software supply chain.
Katie Arrington, chief information security officer for Acquisition and Sustainment, U.S. Department of Defense, says there’s no point in developing software if it’s not secure, during a webinar on securing the federal software supply chain.
Derek Weeks, vice president of Sonatype, says some people will think DevSecOps is just a buzzword.
Derek Weeks, vice president of Sonatype, says some people will think DevSecOps is just a buzzword.

Anyone moving through the ecosystem of software development and cyber over the last few decades has heard cool words to describe it: Waterfall, Cobalt, Agile, DevOps and now DevSecOps.

DevSecOps may be the latest term but the idea behind it remains constant: Security should be a priority from the start.

“The bottom line is, up front, on all of this, we’re trying to ensure that security is baked in at every single iteration, “ said Katie Arrington, chief information security officer for Acquisition and Sustainment, U.S. Department of Defense, during a webinar titled An Imminent Need to Secure the Federal Software Supply Chain.

“Culturally, [DevSecOps] did start off as a buzzword,” Arrington added. When the community moved from Agile to DevOps and then DevSecOps people were confused about what the difference was, said Arrington. But in order to move forward, developers need to think about long-term sustainability.

“If we don’t start to really emphasize DevSecOps, as we go forward and build on the good work that’s been done, we’ll never see the actual return on investment in the lifecycle that we need,” she stated. “We’ve got to get that workforce, that culture, around it to say, it’s not a buzzword, it’s really a thing. It’s putting security at the foundational level. There’s no point in developing software if it’s not secure,” Arrington emphasized.

Derek Weeks, vice president of Sonatype, which sponsored the webinar, shared similar sentiments about the difficulty in talking about a new style of development practice or methodology.

“Some people can say it’s just a buzzword or do I really need to do this?” said Weeks. But he believes federal agencies moved past this idea three or four years ago.

He shared two reasons for why DevSecOps has now come into play. “High level they are delivering more value to our stakeholders, faster,” Weeks said. And second, “we have adversaries that are trying to attack us and successfully breach us. If we can’t move faster than the adversaries, our technology supply chains and infrastructure are at risk,” he added.

Indeed, Arrington shared that “DOD has worked with Congress really intensely to work on software acquisition pathways, which I think are key to enabling DevSecOps success within the DOD,” she said.

Because DevSecOps does not necessarily fit into a standard acquisition, the Defense Department created the Adaptive Acquisition Framework and Congress approved it “so that we can get the right resources, at the right time with the right type of funding that doesn’t expire. I think we’ve made a big step forward,” Arrington said.

To watch the full webinar on demand, register here.

Enjoying SIGNAL?
SIGNAL Magazine is available through subscription or as part of your membership in AFCEA.
SUBSCRIBE NOW
LEARN MORE
JOIN AFCEA