
Over the past few years, federal agencies have become more and more comfortable with Agile development methodology and related DevOps practices. Adopting these ideas means that the developers improve software incrementally and continuously, rather than offering major updates only occasionally.
The term “DevOps” derives from software development and IT operations. In practice, it means continuous integration, automated testing, continuous delivery and continuous deployment.
DevOps alone, however, does not address cybersecurity. Therefore, those incremental improvements may or may not enhance the overall security of a solution. It depends, in part, on the organization’s policies and practices, and in part, on the awareness of individual developers to ensure that code changes do not introduce vulnerabilities.
In federal IT, security validation is where an IT organization is likely to halt progress on Agile development. Due to a number of factors, including a lack of security personnel proficient in Agile and DevOps and the overall dearth of cybersecurity professionals available to hire, validating security takes more time.
The potential solution for this bottleneck is SecDevOps. While it is often called DevSecOps, we and our CGI colleagues prefer to put security first in the order to emphasize its importance. Either way, the term emphasizes that an organization treats security with as much importance as development and operations.
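One concrete form the SecDevOps idea takes is an automated security gate that runs as one more stage of the CI pipeline, next to the unit tests, so every incremental change is checked before it can be merged rather than waiting for a manual security review at the end. The script below is an added example written for this post; it is not CGI Federal's code or any agency's pipeline. The secret patterns, the minimum dependency versions and the sample change set are all constructed for illustration.

```python
"""Added example (not CGI Federal's code): a minimal automated security gate
that a CI runner executes on each change set, alongside the test stage.

It checks two classes of self-inflicted vulnerabilities that incremental
DevOps changes commonly introduce: hard-coded credentials and pinned
dependency versions below a published floor. All data below is constructed."""
import re
from dataclasses import dataclass, field

# Constructed credential patterns (assumption: the patterns an agency's
# security team agreed on; real rule sets are far longer).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)password\s*=\s*['\"][^'\"]+['\"]"),
}

# Constructed minimum-version floors, as a security team might publish
# after an advisory; version tuples compare element by element.
MIN_VERSIONS = {"requests": (2, 20, 0), "pyyaml": (5, 4, 0)}


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    detail: str


@dataclass
class GateResult:
    findings: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.findings


def parse_version(text: str) -> tuple:
    """Turn '2.19.1' into (2, 19, 1); extra components are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def check_secrets(path: str, content: str) -> list:
    """Flag credential-looking strings in source or config files."""
    out = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for rule, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                out.append(Finding(path, lineno, rule, "possible hard-coded secret"))
    return out


def check_requirements(path: str, content: str) -> list:
    """Flag pinned dependencies below the published minimum version."""
    out = []
    for lineno, line in enumerate(content.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)", line)
        if not m:
            continue
        name, ver = m.group(1).lower(), parse_version(m.group(2))
        floor = MIN_VERSIONS.get(name)
        if floor and ver < floor:
            wanted = ".".join(map(str, floor))
            out.append(Finding(path, lineno, "vulnerable_dependency",
                               f"{name}=={m.group(2)} is below {wanted}"))
    return out


def run_gate(changed_files: dict) -> GateResult:
    """Run every check over the files touched by a change set.
    changed_files maps path -> file content, as a CI runner would read
    them from the checked-out diff."""
    result = GateResult()
    for path, content in changed_files.items():
        result.findings.extend(check_secrets(path, content))
        if path.endswith("requirements.txt"):
            result.findings.extend(check_requirements(path, content))
    return result


# Constructed change set: one clean file, one leaking credentials, one
# requirements file with a stale pin and one acceptable pin.
SAMPLE_CHANGE = {
    "app/handlers.py": "def health():\n    return 'ok'\n",
    "app/settings.py": "DB_PASSWORD = 'hunter2'\nAWS_KEY = 'AKIAABCDEFGHIJKLMNOP'\n",
    "requirements.txt": "requests==2.19.1\npyyaml==5.4.1\n",
}

if __name__ == "__main__":
    gate = run_gate(SAMPLE_CHANGE)
    for f in gate.findings:
        print(f"{f.path}:{f.line} [{f.rule}] {f.detail}")
    # A non-zero exit status is what makes the pipeline block the merge.
    raise SystemExit(0 if gate.passed else 1)
```

Wired in as a pipeline stage, the gate gives the security team a place to encode their rules once, and developers get the feedback on the same change that introduced the problem, which is the point of treating security as equal to development and operations rather than as a review at the end.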
An Agile development IT operation using SecDevOps as its guiding principle puts these three practices at the forefront:
SecDevOps requires the people involved to take a more holistic view of a project than they might be used to. It is crucial that everyone is equally concerned with the speed of development and security.
Cultural changes are often the hardest to make, but Agile developers are already accustomed to flexibility and rapidly changing conditions. As agency IT shops enact the process and policy changes needed to support SecDevOps, leaders should communicate transparently with the development teams and the security professionals to ensure they understand how they should respond.
Our colleague Bryan Hall recommends five key steps for an organization to move into a SecDevOps mindset with minimal difficulty. Read his post for more detail, but in summary, they are:
It is true that shifting to a SecDevOps paradigm, even if the agency is already using DevOps, is a significant change, and it can be disorienting. Bringing security into such a central and early role can cause some difficulty along the way, but in our experience, the reward is worth the pain.
For more detail and insight on this topic, download the CGI Federal white paper, “Finding the On-Ramp to the SecDevOps Highway.”
Sangram Deshmukh leads DevSecOps initiatives as part of CGI Federal’s International Diplomacy & Commerce (IDAC) business unit.
Dave Fladung partners with clients to deliver digital transformation through technology adoption, including cloud-based services and DevSecOps.