Six key things to know about DevSecOps

DevSecOps slide
Graphic courtesy of ORock Technologies
Erika Christ, Strategic Communication Directorate
October 26, 2020

The concept of DevSecOps has taken on added impetus now that Katie Arrington, the DOD’s chief information security officer at the office of the assistant secretary of defense for acquisition, has said the department should step up its efforts to change workforce culture around it.

PEO EIS already has made strides in this area with Applied Cyber Technologies’ (ACT) recent integration of DevSecOps methodologies in its developmental DRUID (Defense Cyber Operations Resource for Updates, Innovation and Development) technology. To help better educate the EIS workforce about DevSecOps, ACT invited Donny Davis of ORock Technologies to discuss the concept and its application to DRUID at an October 22 lunch and learn presentation.

Following are six key things to know about DevSecOps based on that session:

  1. It isn’t a technology. It’s a model, process or way of doing things and finding technologies that do the things you want.

  2. It’s first and foremost about people. The first step is to get everybody on board and effect a culture shift, so everyone understands the desired outcomes and how to get them. Competing priorities need to be worked out during this stage. “This is not a spectator sport; you have to be actively engaged,” says Davis.

  3. It’s important to address the “5W1H” questions. DevSecOps is a shift in process designed by people, so you need to agree on what output is desired, what teams should be involved, who the customer is, how they will consume the process, etc.

  4. Technology is the last thing for discussion and procurement. “People create a process; process drives technology; technology drives the pipeline,” says Davis.

  5. Metrics are an important output to consider. Among other things, it’s helpful to find out how long it takes to do a build and how long to iterate until you have useful results.

  6. Hybrid solutions may be best for DOD organizations. If you have a web app that’s consumed on a DOD network, it may be better to have a combined cloud/on-premises solution instead of going all-in with cloud. “Hybrid allows you to provide highest levels of access and to spread resources to people who otherwise couldn’t access them,” says Davis.

For more information on ACT’s experience with DevSecOps, contact Fianna Litvok at Fianna.R.Litvok.ctr@mail.mil.
