Secure the software supply chain by modernizing legacy systems
September 08, 2022
Now more than ever, federal agencies within the US Department of Defense (DoD) must develop software capabilities that are compatible with existing technology while meeting stringent security requirements that protect proprietary code and networks. Boosted by guidance from the National Institute of Standards and Technology (NIST) and by the actions outlined in President Biden’s executive order of May 2021, federal agencies are already beginning to address software supply chain security. While these guidelines are critical to success, agencies must rise to the challenge of proactively implementing new technologies and securing their software supply chains, rather than waiting to act.
Although legacy systems are expensive and vulnerable to cyberattacks, it is critical that DoD agencies effectively and proactively bridge the gap between legacy and modern technology frameworks. An abrupt, reactive pivot from legacy systems to modern ones can increase security risk and expose new vulnerabilities.
As part of this transition, agencies should consider moving from pieced-together, do-it-yourself development environments to more mature options. An open-source DevOps platform (DevOps being the set of practices that combines software development, Dev, with IT operations, Ops) that enables continuous security analysis throughout the software development lifecycle (SDLC) can be a valuable alternative: it streamlines the transformation, reduces the number of handoffs, and connects effectively to both older and newer systems, making the result more cost-effective and more secure.
Rather than waiting for the latest guidance, public sector CIOs should seek solutions to implement software supply chain security to proactively defend their agencies. Such advancements will allow IT and development teams within agencies to continue to refine and adjust their approach to meet best practices.
Laying the foundations for a sustainable transition
During modernization and the implementation of new security measures, public sector organizations must adapt to constraints and specifications unlike those encountered by commercial companies. Public sector organizations need to move faster, meet compliance requirements, and demonstrate to auditors that they are meeting their quotas or contractual obligations.
The modernization effort is more complicated, ambitious, and sometimes even painful, because public sector agencies face heightened security, compliance, and legal and regulatory requirements, as well as acquisition laws and policies.
Developing new processes, technologies, and approaches can be particularly challenging within the time, money, and resource constraints of the public sector. Teams are often pressured to extend and enable functionality across the entire user ecosystem, managing legal, regulatory, and compliance controls for authorization while accelerating software deployment.
To ensure that security is integrated throughout the software supply chain, people, processes, and technologies must work together to develop secure code that has been reviewed by multiple security officers, to create open and transparent processes, and to test code continuously.
With a DevOps platform, agencies can protect software supply chains with end-to-end security that covers multiple fronts, including internal code and external sources, while automatically supporting ongoing software compliance requirements.
For example, agencies like the Navy that work with legacy shipboard systems still need the ability to update operating capabilities without straining those legacy systems, while transitioning smoothly between software releases.
Avoid vendor lock-in
The main concern government agencies face when adopting a single platform is vendor lock-in: the situation in which an organization is unable to switch away from a single vendor or to introduce an additional solution to avoid a single point of failure. Most agencies work hard to prevent vendor lock-in, since it can create security risk. When evaluating a DevOps solution, agencies should ensure that the platform lets them integrate the specific tools best suited to their needs, eliminating lock-in and allowing them to use the tools that fit each function.
To begin the modernization process, agencies must first assess their place on the DevOps maturity spectrum and understand the elements needed to accelerate the deployment of critical capabilities to the field. Once the agency has an agreed baseline, it can begin to determine the best strategy moving forward, starting with clearly defined goals and a performance measurement process.
A DevOps platform facilitates centralized, real-time communication and collaboration, which breaks down silos and eliminates sequential handoffs between development, operations, and security teams so that better applications are delivered faster. Crucial features for a DevOps platform include performance measurement, a continuous integration/continuous delivery (CI/CD) pipeline, and built-in security. By running security scanners as part of the development process, agencies can analyze each line of code as it is committed, allowing developers to identify and fix vulnerabilities before they are pushed. This process reinforces the shift-left methodology: addressing security continuously so that every product is secure by design.
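As an added illustration of the per-commit gate described above (this is not GitLab's own code; it assumes a scan report shaped like GitLab's security report JSON, with a top-level "vulnerabilities" list, and uses a constructed sample), the following Python script reads the report and blocks the pipeline when any finding reaches a severity threshold:

```python
"""Merge gate over a GitLab-style security report (added illustration, not GitLab code).
Assumes the report is shaped like GitLab's security report JSON: a top-level
"vulnerabilities" list whose items carry "severity", "name", "location" and
"identifiers". SAMPLE_REPORT below is constructed for this example."""
import json

SEVERITY_ORDER = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]  # low to high

# Constructed sample: what a SAST/secret-detection job might emit for one commit.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"name": "SQL injection", "severity": "High",
         "location": {"file": "api/users.py", "start_line": 42},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
        {"name": "Hard-coded credential", "severity": "Critical",
         "location": {"file": "config/settings.py", "start_line": 7},
         "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
        {"name": "Weak hash for non-security use", "severity": "Low",
         "location": {"file": "util/cache.py", "start_line": 13},
         "identifiers": [{"type": "cwe", "name": "CWE-328", "value": "328"}]},
    ],
})


def severity_rank(severity):
    """Map a severity label to a comparable integer; unexpected labels rank as 'Unknown'."""
    return SEVERITY_ORDER.index(severity if severity in SEVERITY_ORDER else "Unknown")


def blocking_findings(report_json, threshold="High"):
    """Findings at or above the threshold, worst first: (severity, file, line, name, CWE)."""
    report = json.loads(report_json)
    floor = severity_rank(threshold)
    hits = []
    for v in report.get("vulnerabilities", []):
        if severity_rank(v.get("severity", "Unknown")) < floor:
            continue  # below the policy threshold: reported, but does not block
        loc = v.get("location", {})
        cwe = next((i["name"] for i in v.get("identifiers", []) if i.get("type") == "cwe"), None)
        hits.append((v["severity"], loc.get("file"), loc.get("start_line"), v["name"], cwe))
    return sorted(hits, key=lambda h: severity_rank(h[0]), reverse=True)


def gate(report_json, threshold="High"):
    """Pipeline-gate decision: True means the commit may proceed to the next stage."""
    return not blocking_findings(report_json, threshold)


if __name__ == "__main__":
    for sev, path, line, name, cwe in blocking_findings(SAMPLE_REPORT):
        print(f"{sev:<8} {path}:{line}  {name} ({cwe})")
    raise SystemExit(0 if gate(SAMPLE_REPORT) else 1)  # non-zero exit fails the job
```

Run as a pipeline step after the scanner writes its report; the non-zero exit status is what stops the pipeline before the change is merged.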
Implementing a software factory model
A complete DevSecOps platform, delivered as a single application, can serve as an integrated, plug-and-play, modern software development factory. It’s the most efficient and manageable path to quickly building, testing, and delivering apps without having to manage dozens of separate tools and custom integrations. An effective software factory has an interface, a user model, and a data model for the entire DevSecOps lifecycle.
An integrated software factory can also provide a single source of truth for centralized, asynchronous collaboration, which can help teams meet compliance requirements. The factory’s end-to-end view of code quality allows for better quality, more secure code, and faster delivery, as well as fewer development delays and more point releases.
A software factory (Figure 1) for the public sector must meet the following requirements:
- Collaboration: enable sharing and coordination across the entire software development team; facilitate documented and transparent peer reviews and approvals for code changes. Provide feedback and insights on applications in production, allowing developers to detect issues and improve the application in real time.
- Automation: Automate the steps needed to move the application from development to deployment and delivery, as well as the CI development tasks performed for each code change, with automated testing and security analysis built into the development process.
- Documentation: Document and track each application’s code and libraries through testing, validation, and deployment.
- Testing: Enable delivery teams to capture, discuss, prioritize, and define new requirements and use cases. Leverage containers and the cloud, and support on-demand dynamic test environments for developer and team testing.
[Figure 1 | The software factory streamlines software development and delivery while incorporating security and compliance throughout.]
Software factory in a military environment
Using a handful of disparate tools, or attempting to connect outdated technology to emerging tools, can make it particularly difficult to achieve mission objectives in military environments. This approach slows deployment, creates siloed teams, and erects technical barriers to communication and collaboration. In addition, projects developed without a secure platform from the start can miss cybersecurity vulnerabilities, which means developers and security analysts must later spend more time remediating and recovering, increasing both project risk and cost.
Since switching to GitLab’s single DevOps platform, one military agency has seen increased cost savings and saved 100 years of programming time. Consolidating the plethora of tools in its toolchain into a single platform with built-in security and compliance enabled the agency to reduce its software release time from the standard three to eight months to just one week.
Envision the future
Mission speed is a key objective for public sector agencies, but it may seem at odds with the strict security and compliance measures in place. Digital modernization isn’t as simple as adopting a whole new set of tools overnight; it is a process that evolves with the many bumps in the road of continuously changing technology. Moving to a digital future requires careful management of both legacy systems and emerging technologies.
A single DevOps platform is an effective tool for bridging the gap between today’s technology and tomorrow’s advancements, while remaining secure. Perhaps the most fundamental step for leaders is to ensure that cultural mindsets and processes evolve to align with new technologies. Executing and documenting process changes, communicating those changes to team members, and creating an environment that encourages staff support are essential. Technology restructuring must always be accompanied by cultural transformation, lest agencies experience wasted investment, malfunctions, and long-term adoption failures.
Bob Stevens, a former US Airman, is the current Vice President of Public Sector at GitLab. With over 25 years of industry experience, he leads the public sector team in helping agencies fundamentally change the way their development, security, and operations teams collaborate.
Federal GitLab https://about.gitlab.com/solutions/public-sector/