



Ransomware attacks and critical infrastructure security have dominated the news in recent weeks, but state government technology projects can still leave security lagging behind.

In one clear example, Colorado's Office of Information Technology (OIT) described to the National Association of Chief Information Officers (NASCIO) a project that spent two years of development modernizing a system and then ran a single security scan of the code, according to the submitted report.

When that pre-release security scan was performed, more than 10,000 vulnerabilities were detected, requiring mitigation and delaying multiple releases, the document states. This impact on customers left OIT dissatisfied and frustrated, as development and deployment teams and supporting vendors were unable to move on to other priorities. The results, the report says, underscore the need to modernize solution delivery at every touchpoint, improve efficiency, reduce overhead, and deliver value quickly in order to meet OIT's goal of delighting customers beyond their expectations.

Colorado and other states are beginning to strengthen the security of their applications and systems by adopting a methodology called DevSecOps, which is closely related to a similar approach, DevOps. In DevSecOps, security is considered from the start of developing agency software and services, and security teams work alongside software developers and operations teams.

What is DevSecOps?

DevSecOps integrates security into DevOps. DevOps is an operating model in which operations and development engineers work together throughout the software or service lifecycle, from design through development to operational support. DevSecOps adds a layer of security experts who work with the operations and development teams to ensure security is considered from the beginning.

DevSecOps as a practice started in the private sector, but it is only just getting started in state government IT departments.

In a recent podcast, Kyle Jepson, Senior Field Solutions Architect for DevOps at CDW, said that high-performing organizations share a core belief in incorporating security early into the software and service planning process. Research shows that high-performing organizations must consider security early in the software development life cycle, he said.

As the National Institute of Standards and Technology (NIST) notes, the goals of DevOps are to connect software development and operations, shorten development cycles, make organizations more agile, and accelerate the pace of innovation while leveraging cloud-native technology and practices.

DevSecOps integrates security practices and automatically generates security and compliance deliverables throughout the process, NIST states, to ensure that security is addressed in all aspects of DevOps.

Why DevSecOps practices are important to government

If software development is viewed on a left-to-right timeline, with the planning phase on the left and the production phase on the right, DevSecOps aims to shift security to the left, into the earlier planning stages. This allows security issues and flaws to be detected early.

Otherwise, you go all the way to production, wait until your product is ready to ship, and only then go to security, and if a problem is found you suddenly have to start the entire process over. Jepson says DevSecOps can address these security risks.

So, if you can design security in during the first planning phase, and if you can build controls, visibility, and tooling into each stage of the software development life cycle, you can ultimately bring higher-quality products to production faster, he added.

As NIST points out, DevSecOps has many advantages. They include:

Reduce vulnerabilities, malicious code, and other security issues in released software without slowing down software production and release.
Reduce the potential impact of vulnerabilities exploited throughout the application life cycle.
Address the root causes of vulnerabilities to prevent recurring security issues (for example, by strengthening testing tools and methodologies within the toolchain and improving practices for code development and the operation of hosting platforms).
Reduce friction between development, operations, and security teams while supporting the speed of the organization's mission and making use of the latest technology.

According to NASCIO's submission, Colorado will use Microsoft's Azure DevOps tools to consolidate all OIT code in one place within the Azure DevOps toolset, steadily enhancing automation and security measures across the OIT team. Colorado aims to improve efficiency, security, and quality throughout the technology and service delivery lifecycle by shifting security and quality to the left, so that they are addressed automatically early in the solution delivery process and handled more efficiently through automation and cultural change.

The end result, according to Colorado, is that the team has more opportunities to analyze, improve, and automate many processes, as well as to improve the security of its applications. In addition, metrics such as cycle time, lead time, deployment speed, deployment frequency, and work burndown are now generated automatically, freeing teams from tasks normally considered tedious, repetitive, or manual.

By automating the process early and often, teams not only ensure quality and security by reducing manual errors and building in regular scans, but also free up resources to focus on innovative solutions that deliver value to their customers.

Other states, such as North Carolina, have also adopted DevSecOps. "There are some pockets in our team that enable DevOps. An important aspect is automated testing," Glenn Poplawski, North Carolina's Deputy CIO and Chief Solution Officer, told StateScoop in 2019.

North Carolina has used automated testing since around 2007, and Poplawski says the state is moving toward expanding its automated testing with another toolset.

"For security testing, I just bought one of the Micro Focus security testing tools. We basically plan to train the agency and incorporate it into the development cycle to help achieve DevSecOps," Poplawski said.

DevOps and DevSecOps: What are the main differences?

DevOps and DevSecOps are closely related in that both center on the continuous integration / continuous delivery (CI / CD) pipeline. The model follows the main stages of development, integration, quality assurance, user acceptance testing, staging, pre-production, and finally production.

Both DevOps and DevSecOps are highly automated processes that rely on a set of platforms, called toolchains, to manage the workflow. DevSecOps adds security components to ensure that security controls are enforced throughout the development lifecycle and that security vulnerabilities are detected from the beginning.

In a standard software development process, the team starts by designing the software requirements and then works through a series of steps, write Joey Barrett, CTO of the West Coast region of IGNW, a CDW company, and Ridgeley of CDW's cybersecurity practice in a CDW blog post. The process continues through code development, building and testing executables, and release to production, and eventually the code is taken on as part of continuous operations. The DevSecOps model aims to add security feedback loops and checkpoints to each of these activities, rather than implementing security as a separate, late-stage review.

Organizations that consult their security teams during the design phase of new software development projects can anticipate the threats the code will face and design defenses against those threats as a core software requirement, Barrett and Ridgeley wrote.

They add that mandatory automated security testing can be built directly into the development pipeline.

When a developer submits new code for review, it triggers an automated security testing process that provides immediate feedback on potential flaws and the fixes needed. This tight feedback loop not only reduces potential risks in the code but also lets developers learn from their mistakes and write better code in the future.
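One way the pipeline step described above can turn a scanner's report into immediate, build-blocking feedback, as an added example that is not code from the article, CDW, or any state agency. It assumes the scanner writes SARIF (a common interchange format for static analysis results) and substitutes a constructed report for real scanner output.

```python
# Added example (not from the article or any agency's code): a CI gate that
# reads a scanner's SARIF report and fails the build on serious findings.
import json

_LEVEL_RANK = {"note": 1, "warning": 2, "error": 3}  # SARIF result levels


def parse_findings(sarif_text):
    """Flatten SARIF results into (level, rule, file, line, message) tuples."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((
                res.get("level", "warning"),
                res.get("ruleId", "unknown"),
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine", 0),
                res.get("message", {}).get("text", ""),
            ))
    return findings


def gate(sarif_text, fail_at="error"):
    """Return (passed, blocking): blocking = findings at or above fail_at."""
    threshold = _LEVEL_RANK[fail_at]
    blocking = [f for f in parse_findings(sarif_text)
                if _LEVEL_RANK.get(f[0], 2) >= threshold]
    return len(blocking) == 0, blocking


def feedback(sarif_text, fail_at="error"):
    """Lines a pipeline step would post back to the developer's pull request."""
    passed, blocking = gate(sarif_text, fail_at)
    lines = [f"{lvl.upper()} {rule} at {path}:{line}: {msg}"
             for lvl, rule, path, line, msg in blocking]
    return lines + ["gate: PASS" if passed else "gate: FAIL"]


def _result(rule, level, uri, line, msg):  # helper to build constructed SARIF
    return {"ruleId": rule, "level": level, "message": {"text": msg},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


# Constructed SARIF document standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _result("sql-injection", "error", "app/db.py", 42, "unsanitized input in query"),
        _result("weak-hash", "warning", "app/auth.py", 17, "MD5 used for passwords"),
        _result("todo-comment", "note", "app/util.py", 3, "TODO left in code"),
    ]}]})
```

A pipeline step would call `feedback()` on the scanner's report, print the lines on the pull request, and exit non-zero when the last line reads `gate: FAIL`; raising `fail_at` to `"warning"` tightens the gate as the backlog of findings shrinks.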


Red team vs blue team security

In addition to adopting DevSecOps, another approach agencies can take to strengthen their cybersecurity defenses is to conduct red team and blue team cybersecurity exercises.

As security firm CrowdStrike notes in a blog post, in a red team exercise the red team acts as an adversary, using sophisticated attack techniques to identify potential weaknesses in an organization's defenses and attempting to exploit them.

Red teams are often made up of experienced security professionals or independent ethical hackers, and they focus on penetration testing that mimics real-world attack methods.

According to CrowdStrike, red teams typically gain initial access by stealing user credentials and through social engineering techniques. Once inside the network, the red team escalates privileges, moves laterally between systems, pushes as deep into the network as it can, and exfiltrates data while avoiding detection.

The blue team, by contrast, focuses on cybersecurity defense. CrowdStrike says the group typically consists of incident response consultants who advise the IT security team on where to improve in order to thwart sophisticated cyberattacks and threats. The IT security team is responsible for defending the internal network against a wide range of risks. While many organizations treat prevention as the gold standard of security, detection and remediation are just as important to the overall defense.

