Securing the software supply chain by modernizing legacy systems
Story | September 08, 2022
Now more than ever, federal agencies within the U.S. Department of Defense (DoD) must develop software capabilities that are compatible with legacy technology while maintaining and meeting strict security needs that protect proprietary code and networks. Spurred by guidance from NIST [National Institute of Standards and Technology] and actions outlined in President Biden’s Executive Order issued in May 2021, federal agencies are already starting to tackle software supply-chain security. While these guidelines are critical to success, agencies must rise to the challenge of proactively implementing new technologies and securing their software supply chains, instead of waiting to act.
Although legacy systems are costly and vulnerable to malicious cyberattacks, it’s critical that government agencies within the U.S. Department of Defense (DoD) effectively and proactively bridge the gap between legacy and modern technological frameworks. An abrupt, reactive pivot from legacy to modern systems can increase security risks and expose vulnerabilities.
As part of this transition, agencies should consider moving from prefab and DIY development environments to more mature options. An open-source DevOps [the term for a set of practices that combines software development (Dev) and IT operations (Ops)] platform that enables continuous security scanning throughout the software development life cycle (SDLC) can be a valuable alternative that streamlines transformation, reduces the number of handoffs, and connects efficiently to older and newer systems alike, making it more cost-effective and secure.
Rather than wait for final guidance, CIOs within the public sector need to work toward solutions for implementing software supply-chain security to proactively defend their agencies. Such progress will enable IT and development teams within agencies to continue refining and adjusting their approach to meet best practices.
Laying the foundation for a sustainable transition
When undergoing a modernization process and implementing new security measures, organizations within the public sector must adjust for unique constraints and specifications unlike those experienced by commercial enterprises. Public sector organizations must go faster, meet compliance requirements, and demonstrate to auditors that they are delivering in accordance with any quotas or contracts.
The modernization undertaking is more complicated, ambitious, and sometimes even painful, as public-sector agencies have increased imperatives for security, compliance, and legal regulations, as well as acquisition laws and policies.
Pioneering new processes, technologies, and approaches can be especially challenging within the time, money, and resource constraints of the public sector. Teams are often pressured to extend new capabilities to the entire functional ecosystem of users while managing the legal, regulatory, and compliance controls required for authorization and expediting software deployment.
To ensure that security is woven in throughout the software supply chain, people, processes, and technologies need to work together to develop code that has been assessed by multiple security personnel, build open and transparent processes, and test code continuously.
With a DevOps platform, agencies can protect software supply chains through end-to-end security that covers multiple fronts, including both internal code and external sources, while automatically enforcing continuous software compliance requirements.
For example, agencies like the Navy that work with legacy shipboard systems still need the ability to update operating capabilities without straining existing legacy systems, while transitioning smoothly between different software versions.
Avoiding vendor lock
The primary concern government agencies have when adopting a single platform is vendor lock: the organization becomes unable to move away from one vendor, or to introduce an additional solution alongside it, and so cannot remove a single point of failure. Most agencies work hard to prevent vendor lock because it creates security risk. When seeking out a DevOps solution, agencies should ensure that the platform lets them integrate the specific tools that better suit their needs, which avoids vendor lock and lets organizations use the tools that fit each function.
To begin the modernization process, agencies must first assess their place on the DevOps maturity spectrum and understand the elements needed to speed up the deployment of mission-critical capabilities into the field. Once the agency has an agreed-upon baseline, it can begin determining the best strategy for moving forward, starting with clearly defined goals and a process for measuring performance.
A DevOps platform facilitates real-time, centralized communication and collaboration, which breaks down silos and eliminates sequential handoffs across development, operations, and security teams so that applications are delivered better and faster. Crucial capabilities for a DevOps platform include performance measurement, continuous integration/continuous delivery (CI/CD) pipeline posture, and built-in security. By building security scanners into the development process, agencies can scan every line of code as it is committed, enabling developers to identify and remediate vulnerabilities before they are pushed. This process uplevels the shift-left methodology – addressing security continuously so that all products are created secure by design.
Implementing a software-factory model
A complete DevSecOps platform, delivered as a single application, can serve as an integrated, out-of-the-box, modern software-development factory. This is the most efficient and easy-to-manage path for quickly building, testing, and delivering applications without needing to manage dozens of separate tools and custom integrations. An effective software factory has one interface, one user model, and one data model for the entire DevSecOps life cycle.
An integrated software factory can also provide a single source of truth for centralized, asynchronous collaboration, which can help teams meet compliance requirements. The factory’s end-to-end view of code quality enables better quality, more secure code, and faster delivery as well as fewer development delays and more on-time releases.
A software factory (Figure 1) for the public sector must meet the following requirements:
- Collaboration: Enable sharing and coordination across the entire software development team; facilitate documented, transparent peer reviews and approvals for code changes. Deliver feedback and insights from applications in production, allowing developers to detect issues and improve the application in real time.
- Automation: Automate the steps required to take the application from development to deployment and delivery, as well as the CI development tasks completed for every code change, with automated testing and security scanning incorporated into the development process.
- Documentation: Document and track code and libraries of each application through testing, validation, and deployment.
- Testing: Enable delivery teams to capture, discuss, prioritize, and define new requirements and use cases. Leverage containers and the cloud, and support on-demand, dynamic test environments for testing by individual developers and by teams.
[Figure 1 | The software factory streamlines software development and delivery while incorporating security and compliance throughout.]
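The scanning-on-commit workflow described above, and the "documented, transparent approvals" the Collaboration requirement calls for, come together in the gate that decides whether a scanned change may proceed. The script below is an added example, not GitLab's code and not part of the original article: it reads a SAST report whose layout is modelled on the GitLab SAST report JSON (a top-level `vulnerabilities` list with `id`, `name`, `severity` and `location` fields), blocks on findings at or above a severity threshold, and honours only exceptions that name an approver and have not expired. The sample report and the exceptions list are constructed for the example; the field names of the exceptions file are an assumption of this example, not a platform format.

```python
"""Merge gate over a SAST report: block on unaccepted findings.

Added example (not GitLab's code, not from the original article). The
report layout is modelled on the GitLab SAST report JSON; the sample
report, the exceptions file and its field names are constructed here.
"""
import json
import sys
from dataclasses import dataclass, field

# Severity order used by the gate; names follow the SAST report vocabulary.
SEVERITY_RANK = {"info": 0, "unknown": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed sample report: three findings of differing severity.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "finding-1", "name": "Use of insecure hash function (MD5)",
         "severity": "Medium", "location": {"file": "src/auth.py", "start_line": 42}},
        {"id": "finding-2", "name": "Hard-coded credential",
         "severity": "Critical", "location": {"file": "src/config.py", "start_line": 7}},
        {"id": "finding-3", "name": "Possible SQL injection",
         "severity": "High", "location": {"file": "src/db.py", "start_line": 88}},
    ],
})

# Constructed exceptions file (hypothetical format): an accepted risk must name
# the finding, who approved it, why, and when the acceptance expires, so the
# suppression is reviewable rather than silent.
SAMPLE_EXCEPTIONS = json.dumps([
    {"finding_id": "finding-2", "approved_by": "appsec-review", "expires": "2023-03-31",
     "reason": "Sandbox-only test fixture credential, rotated and scoped to the test environment"},
])


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)   # at/above threshold, no valid exception
    excepted: list = field(default_factory=list)   # at/above threshold, valid exception
    below_threshold: list = field(default_factory=list)


def evaluate_gate(report_json, exceptions_json, threshold="high", today="2022-09-08"):
    """Classify every finding; the gate passes only when nothing is blocking."""
    report = json.loads(report_json)
    exceptions = {e["finding_id"]: e for e in json.loads(exceptions_json)}
    min_rank = SEVERITY_RANK[threshold.lower()]
    result = GateResult(passed=True)
    for finding in report.get("vulnerabilities", []):
        # Unknown or missing severities are treated as rank 1, never silently dropped.
        rank = SEVERITY_RANK.get(str(finding.get("severity", "unknown")).lower(), 1)
        if rank < min_rank:
            result.below_threshold.append(finding)
            continue
        exc = exceptions.get(finding["id"])
        # ISO-8601 dates compare correctly as strings; an expired exception no longer counts.
        if exc and exc.get("approved_by") and exc.get("expires", "") >= today:
            result.excepted.append(finding)
        else:
            result.blocking.append(finding)
    result.passed = not result.blocking
    return result


def format_summary(result):
    """Human-readable pipeline log: what blocked, what was accepted, and by whom."""
    lines = []
    for tag, group in (("BLOCK", result.blocking), ("ACCEPT", result.excepted)):
        for v in group:
            loc = v["location"]
            lines.append(f"{tag:<7}{v['severity']:<9}{loc['file']}:{loc['start_line']}  {v['name']}")
    lines.append(f"gate {'PASSED' if result.passed else 'FAILED'}: "
                 f"{len(result.blocking)} blocking, {len(result.excepted)} accepted, "
                 f"{len(result.below_threshold)} below threshold")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: merge_gate.py [report.json] [exceptions.json]; with no arguments the
    # constructed samples are used. A non-zero exit fails the CI job.
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    exceptions_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_EXCEPTIONS
    outcome = evaluate_gate(report_text, exceptions_text)
    print(format_summary(outcome))
    sys.exit(0 if outcome.passed else 1)
```

Run against the samples, the gate fails on the unaccepted SQL injection finding, accepts the hard-coded credential under its documented exception, and reports the medium finding as below threshold. Raising the threshold to `critical` lets the change through; moving `today` past the exception's expiry makes the credential finding blocking again, which is the behaviour a reviewer wants from a time-boxed risk acceptance.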
Software factory in military environments
Using a few disparate tools, or attempting to connect outdated tech with emerging tools, can make it especially difficult to meet mission objectives in military environments. This approach can slow deployment timelines, create siloed teams, and generate technical obstacles to communication and collaboration. Additionally, projects developed without a secure platform from the start can miss cybersecurity vulnerabilities, meaning that developers and security analysts must then spend additional time repairing and recovering data, which adds to project costs.
Since switching to GitLab’s single DevOps platform, one military agency reported cost savings and saved 100 years of programming time. Consolidating the plethora of tools in its toolchain into a single platform with built-in security and compliance enabled the agency to cut its software release times from the usual three to eight months to just one week.
Envisioning the future
Speed-to-mission is a key objective for agencies across the public sector but can seem at odds with the strict security and compliance measures in place. Digital modernization is not as simple as employing a brand-new set of tools overnight; it is a process that evolves with the many bumps in the road of the continuous evolution of technology. The shift to a digital future requires careful handling of both legacy systems and emerging technologies.
A single DevOps platform is an effective tool to bridge the gap between today’s technology and tomorrow’s advancements while remaining secure. Perhaps the most fundamental step for leaders is to ensure that cultural mindsets and processes shift to align with new technologies. Executing and documenting process changes, communicating these changes to team members, and creating an environment that incentivizes support from personnel are critical. Technology restructuring must always be mirrored by a cultural transformation, lest agencies experience wasted investments, dysfunction, and failure of long-term adoption.
Bob Stevens – a former U.S. airman – is the current Area Vice President of Public Sector at GitLab. With more than 25 years of experience in the industry, Bob Stevens leads the Public Sector team by helping agencies fundamentally change the way their Development, Security, and Ops teams collaborate.
GitLab Federal https://about.gitlab.com/solutions/public-sector/