In this episode, we are joined by Nicolas Chaillan, Chief Software Officer for the US Air Force who helps us answer the question: What is DevSecOps?
Over the last couple of years, Nick and his team have been leading some exciting work helping scale DevSecOps within the complex world of the US Department of Defence. Here, he shares some of his key insights and observations and suggests why DevSecOps will be critical for enterprises going forward.
What is DevOps & DevSecOps?
There are lots of definitions and interpretations of DevOps.
For us, DevOps represents moving away from linear, waterfall, ITIL approaches. It involves meshing development teams and platform operation teams – ensuring that the team building the stack is operating the stack. It involves introducing automation to enable continuous integration and continuous delivery. Its foundation is built around fail-fast, learn-fast cycles.
DevSecOps is the ‘baking-in’ of cyber within DevOps practices – ensuring your teams are upskilled, cyber aware, and understand how to implement policy as code. This involves developing using a ‘moving-target’ defense that makes it difficult for bad-actors to maintain a foothold in your system. It also means using zero-trust and behavior detection to reduce your attack surface.
In DevOps: Tech is harder than culture
Nick took aim at the commonly held view that cultural adoption is harder than technology adoption.
“People who say that don’t understand tech. If they knew how complex Kubernetes and service meshes were on the tech side. How quickly tech changes – all of the time. It makes you realize technology is what makes culture adoption hard. It’s a complete reinvention of individuals, what they know and what their roles are. Its a constant continuous evolution of skill and what you know. A few years ago we didn’t really use things like Kubernetes or Istio. Now it is the foundation of what we do.”
He also observes that secure organizations in the future will be valued by two things:
- The maturity level of their DevSecOps stack. That is going to determine how they are going to react to changes and events and stay relevant next to the competition.
- How good they are at continuous learning and enabling their people to continuously upskill.
How do you scale DevSecOps?
Over the past two years, Nick and his team have been working hard to scale DevSecOps and enable teams within the very large, complex, sensitive organization that is the Department of Defense. Which raises the question: How on earth do you approach this when the work you do has a direct impact on national security?
Nick’s approach was to help set up the Cloud One and Platform One centralized teams. Cloud One covers cloud infrastructure at various classification levels. Platform One oversees the DevSecOps software factory managed services (with baked-in security for DoD programs).
The goal of these teams was to enable software best practices in a well understood, secure, and controlled environment.
Doing this they managed to save 100 years worth of planning time in just one year.
Read more about this initiative (with info about training and software factories) here.
Do I need DevSecOps?
The team return to the discussion regarding the goals of DevOps toward the end of the show and revisit the topic of ‘enabling development’ and ‘fail-fast, learn-fast’. They agree that DevSecOps is more like ‘fail-fast, don’t fail again’, and DevSecOps is the only way businesses can grow and innovate rapidly whilst remaining secure at the same time.
Nicolas suggests that in the future there will be no success for organizations without a mature DevSec Ops capability. As the more you move fast, the more you need bake-in security. It is the one way to ensure ROI on the right cyber layers that make a difference at scale.
Nicolas concludes by observing how in government organizations – in 2020 – it is borderline criminal to use taxpayer’s money to build software without DevSecOps.
“We don’t have the luxury of making mistakes. Fail-fast and don’t fail again for the same reason”