

Imagine if your federal agency spent tens of millions of dollars and 2 years modernizing a complex, mission-critical system. Then, imagine that new, modern system sitting on the sidelines waiting for another 10 months to be introduced into the agency's environment because the Authority to Operate (ATO) certification has not been granted. Unfortunately, this scenario happens more often than you may think, and many times agencies can't get critical services to market fast enough. An Assessment and Accreditation (A&A) process routinely takes months or even a year before an ATO can be granted. ATOs are a requirement of the Federal Information Security Management Act (FISMA), under which Chief Information Officers (CIOs) must accept the security risks of each system on the agency's network. One of the biggest hindrances to federal IT modernization is not actually capturing the funding or developing the technology; it is obtaining an ATO. Agencies are always looking for a more robust way to expedite compliance and secure an ATO without compromising any security requirements.

DevOps got its start in the technology industry as companies, striving to meet consumer demand, needed to release new features and fixes continuously and reliably at a high velocity.

Because DevOps (a portmanteau of software development and information technology operations) and DevSecOps (DevOps plus security engineering) are terms that arose organically in industry and weren't coined by a centralized authority, no readily agreed-upon definition exists for what they mean.

The key to expediting the ATO process is the adoption and use of a robust DevSecOps process. The inclusion of "Sec" in the terminology signifies the importance of security and why risk mitigation needs to be addressed from inception and throughout the software development life cycle (SDLC). DevSecOps professes the need to instrument security controls in every phase, including architecture, application code, production environments, and beyond. The traditional or waterfall engineering pipeline siloed developers and security teams: engineers held onto a project and handed assets over to security only when the development portion of the project was complete.
