DevSecOps in government: Enabling secure productivity during a pandemic

In today’s challenging environment, federal, state, and local leaders have rapidly adapted to continue serving their stakeholders while taking on new tasks with an unanticipated volume of requests, all while managing the work virtually. Their actions show remarkable resilience on a short timeline. However, these efforts are not sustainable without having the right tools in place to allow collaboration on a secure and reliable platform.

Historically, IT security policies have been responsible for ensuring that data, intellectual property, personally identifiable information, and more remain secure. Remote employees change the paradigm: policies have been altered, likely permanently, to allow continuity of government for all citizens. From the Department of Defense to local law enforcement agencies, COVID-19 is a catalyst for governments to separate what is vital from what is merely preferred and to use this forcing function to revisit their CONOPS, with security as a mandatory requirement.

As leadership reconsiders the need for offices with high overhead costs and the risk of exposing essential and non-essential employees to COVID-19, the Information Technology office will play a significant role.

A key question for leadership to consider: In a modern workplace under pandemic constraints, how can developers collaborate and code while maintaining security?

As security continues to be a core focus for all software tools, it is imperative that security procedures not degrade the quality of the code or the ability to deliver products quickly.

Many software teams, both in government and the private sector, are adopting DevSecOps methodologies in an attempt to innovate rapidly while expanding core security practices. DevSecOps promises speed, agility, and security all at once by integrating security earlier into the development pipeline. Gartner analysts Neil MacDonald and Dale Gardner predict:

“By 2021 DevSecOps practices will be embedded in 60% of rapid development teams, as opposed to 20% in 2019.”

“By 2023, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, which is a significant increase from fewer than 30% in 2019.”

(Gartner, 12 Things to Get Right for Successful DevSecOps, 19 December 2019.)

The National Institute of Standards and Technology (NIST) recently released the Secure Software Development Framework (SSDF), which emphasizes building security into the development process rather than bolting it on afterward. The mindset switch will require organizational and cultural changes to break down the silos created by older, separated approaches to development and operations. That is critical when adopting new technology, because it provides transparency into every layer of the organization's applications, including machine learning, artificial intelligence, and data science workloads.

How have your engineers coped with the unexpected disruption of moving their work from the office to the home?

With DevSecOps best practices, infrastructure templates are source-controlled, container images and source code are scanned automatically for vulnerabilities, and services are scaled elastically in real time.

However, in too many cases the development environment still runs on the user's isolated endpoint. That limits the resources available for a task and adds security overhead, because the intellectual property on every endpoint must now be protected individually. This traditional approach is fraught with problems that can derail an effective pipeline: installing programming languages, testing frameworks, development utilities, and other tooling is time-consuming, error-prone, and dependent on the underlying machine's operating system. The time spent setting up the environment slows a project's timeline and causes development-environment drift across a team.

Coder Enterprise acts as the first foundational step in an organization's DevSecOps pipeline by hosting development environments remotely, working with your current tools and frameworks, and enabling consistent and secure development environments.

Coder Enterprise leverages the power of the cloud to secure and automate the creation of dev environments. Developers can launch fully configured dev environments from approved images in seconds, eliminating hours of setup time and ensuring consistency across the team. They can then access these environments securely through a browser from any remote location.
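The two practices above, automatic vulnerability scanning of container images and launching environments only from approved images, meet in a pipeline gate that decides whether a given image may be used as a dev-environment base. The following is an added example written for this article, not Coder's code or configuration. It checks three things a practitioner would want enforced before an image is offered to developers: the reference points at an approved registry, it is pinned by digest rather than a mutable tag, and the scan report for it carries no unresolved finding at a blocking severity. The approved registry name, the image references, the finding identifiers, and the report layout are all constructed for the example (the report mimics the common shape of a list of targets each holding a list of findings, but does not claim to match any particular scanner's schema).

```python
"""Admission gate for developer-environment images.

Added example, not Coder's code. Everything below is constructed: the
approved registry name, the image references and the scan report. The report
mimics the usual scanner layout (a list of targets, each with a list of
findings carrying an ID, a severity and an optional fixed version) but does
not claim to match any particular scanner's schema.
"""
import re
from dataclasses import dataclass, field

APPROVED_REGISTRIES = {"registry.internal.example.gov"}  # assumption
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}               # policy choice
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(image: str):
    """Split an image reference into (registry, repository, tag, digest).

    Follows Docker's convention: the first path component is a registry host
    only if it contains '.' or ':' or is 'localhost'; otherwise docker.io is
    implied, which is exactly the case a policy gate needs to catch.
    """
    name, _, digest = image.partition("@")
    registry = "docker.io"
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest
    repo, _, tag = name.partition(":")
    return registry, repo, tag or None, digest or None


def check_reference(image: str) -> list:
    """Reasons the reference itself fails policy: unapproved registry or unpinned."""
    registry, _, _, digest = parse_reference(image)
    reasons = []
    if registry not in APPROVED_REGISTRIES:
        reasons.append(f"registry '{registry}' is not on the approved list")
    if digest is None:
        reasons.append("reference is not pinned by digest; a tag can be re-pointed at different content")
    elif not DIGEST_RE.match(digest):
        reasons.append(f"malformed digest '{digest}'")
    return reasons


def check_scan(report: dict) -> list:
    """Reasons from the scan report: every finding at a blocking severity."""
    reasons = []
    for target in report.get("Results", []):
        for finding in target.get("Vulnerabilities") or []:
            if finding.get("Severity") in BLOCKING_SEVERITIES:
                fix = finding.get("FixedVersion") or "no fix available"
                reasons.append(
                    f"{finding['VulnerabilityID']} ({finding['Severity']}) in "
                    f"{finding['PkgName']} {finding['InstalledVersion']}, fix: {fix}"
                )
    return reasons


@dataclass
class Verdict:
    image: str
    allowed: bool
    reasons: list = field(default_factory=list)


def gate(image: str, report: dict) -> Verdict:
    """Allow the image only if both the reference and the scan pass."""
    reasons = check_reference(image) + check_scan(report)
    return Verdict(image, not reasons, reasons)


# Constructed inputs for a stand-alone run (not real images or findings).
GOOD_IMAGE = "registry.internal.example.gov/devenv/python:3.9@sha256:" + "a" * 64
BAD_IMAGE = "python:3.9"  # unqualified: implies docker.io, floating tag
CLEAN_REPORT = {"Results": [{"Target": GOOD_IMAGE, "Vulnerabilities": []}]}
DIRTY_REPORT = {"Results": [{"Target": BAD_IMAGE, "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample", "InstalledVersion": "1.0",
     "FixedVersion": "1.1", "Severity": "HIGH"},
    {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother", "InstalledVersion": "2.3",
     "FixedVersion": "", "Severity": "MEDIUM"},  # below threshold: reported by scanner, not blocking
]}]}

if __name__ == "__main__":
    for verdict in (gate(GOOD_IMAGE, CLEAN_IMAGE_REPORT := CLEAN_REPORT), gate(BAD_IMAGE, DIRTY_REPORT)):
        print(("ALLOW " if verdict.allowed else "DENY  ") + verdict.image)
        for reason in verdict.reasons:
            print("   -", reason)
```

The digest check matters more than it looks: an approved registry still serves whatever a tag currently points at, so a template that says `python:3.9` can silently change content between the scan and the launch, while a digest ties the scan result to the exact bytes the developer will run. The MEDIUM finding in the constructed report is deliberately left unblocking to show that the threshold is a policy choice the team sets, not something the scanner decides.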

While developers access their environments via a browser, all development actions are performed on your internal infrastructure. All source code and data remain secured on the cluster or in authorized repositories. Nothing is sitting on a workstation or laptop, just waiting to get left in an Uber.

Coder Enterprise runs on Kubernetes and is platform and infrastructure agnostic: run it in the cloud on AWS, Azure, Google Cloud, or other platforms, or on your own private cloud infrastructure. It also works within the most restrictive air-gapped environments, keeping developers and data analysts productive where zero-trust and network-isolation requirements apply.

Even though the dev environment resides in the cloud, developers still have the freedom to use the IDEs and tools they already know and love, including VS Code, Jupyter Notebook, IntelliJ, Eclipse, PyCharm, and many more.

This is a challenging time for government engineers, CIOs, and CISOs as they support their agency, bureau, command, or department. Coder’s Government Team is here to help your organization fulfill its mission, supporting the agencies, constituents, and citizens of the United States.