Putting the Sec in DevSecOps

Written by: Brian Dawson
5 min read

To learn more about how the U.S. military is setting the standard for DevSecOps, listen to Episode 72 of DevOps Radio.

When the safety of your country depends on software, you better make sure it’s rock-solid. That’s why the U.S. military is setting the standard for DevSecOps, a software development methodology that builds security into every line of code, whether it ends up in a private cloud or in the cockpit of an F-16 fighter jet. That program is run by Nicolas Chaillan, chief software officer of the United States Air Force, and who also serves as the co-lead for the DoD enterprise DevSecOps initiative for the entire U.S Department of Defense. 

The French-born-and-raised Chaillan knows his stuff. At just 15 years of age, Chaillan launched his first software company and was part of the team that created PHP, the popular web programming language. In the two decades years since, Chaillan built and sold about a dozen tech companies before he was recruited by the Office of the Secretary of Defense to help bring software security and rapid prototyping innovation to the U.S. armed forces. 

“It’s been very exciting for me to help the DoD move faster,” says Chaillan. “My role is about empowering the warfighters to leverage software to become more efficient and more capable and getting the technology they need at the pace of relevance.”

Balancing speed and security

Rapid software development is an important goal of the U.S. military, but it never comes at the expense of security. That’s why Chaillan’s group has been pushing to embed security into every phase of the development lifecycle – a practice known as DevSecOps. “For us, it's very important that we bake in security across the entire development lifecycle,” he says. “It's really about continuous monitoring, particularly when it comes to behavioral detection and zero trust.” 

Zero trust is incorporated into the team’s development process all the way down to the container level using an open source service mesh called Istio, helping to enforce need-to-know and least privilege policies and reduce the attack surface. “We're really pushing the next-gen security stack,” says Chaillan. His vision is to offer DevSecOps methodologies as a centralized service to cybersecurity teams across DoD with the new “Party Bus” and “Big Bang” services provided by Platform One, a DoD-wide enterprise service DevSecOps team. 

It’s an ambitious undertaking. “People often don't realize the complexity of providing an enterprise-scale capability,” Chaillan says. As you might guess, America’s sprawling military is replete with operational silos that can complicate – and slow – the production of everything from software to weapons systems, he says. “The more silos, the more steps and gates you have, the more years of wasted time you add across DoD programs.”

Ironically, going faster actually helps organizations become more secure. “It’s okay to take a risk if you can learn fast and correct things very quickly,” he says. “My motto is: Fail fast, but don't fail twice for the same reason.”

Operating continuously

By streamlining development operations in a secure manner, DoD aims to achieve what it calls “continuous authority to operate,” an environment in which teams can deploy software multiple times a day, or as often as needed. To get there, Chaillan explains, the organization has created a software factory made up of intelligently defined pipelines and gates, allowing the resulting products to be automatically accredited and approved for use across DoD. To make the factory work, however, it’s essential for teams to understand their security responsibilities and, most of all, never bypass a gate. 

Once the factory is set up, properly trained teams can customize it as needed, picking their favorite programming languages and tools to build and deploy the software. Of course, you might wonder why, for the sake of simplicity, the military wouldn’t just dictate a standard set of DevSecOps tools agency wide. “That's really when people fail,” Chaillan says. “We wanted to provide enterprise support and scale for over 170+ tools with 16 programming languages and 23 databases, so we wanted to make sure we were bringing options to the teams and not having a one-size-fits-all stack.” 

Instead, Chaillan has been pushing for what he calls a “single abstraction layer” that enables the DoD to deploy software in any environment, whether it's a classic private cloud, a public cloud, or an edge use case, using Cloud Native Computing Foundation (CNCF) Kubernetes environments. “That Kubernetes abstraction layer gives you the flexibility to move your software to different environments. We’re not pushing one solution over another. We always want teams to be able to choose the tools they need and the processes they need to work more efficiently.” 

Chaillan’s DevSecOps services are embodied in two teams: Cloud One and Platform One. Cloud One gives DoD’s engineering teams single-sign-on access to the government’s ATO-accredited Azure and Amazon clouds. “You can consume both services, so you don’t get locked into one cloud or another,” Chaillan says. Platform One is a DevSecOps environment that can be deployed anywhere, whether in the cloud, including Cloud One, or on-premises, and for almost any use case or weapons program. It’s also a great option for government contractors seeking to work in a secure fashion with DoD on classified-level projects. 

Ultimately, the services Chaillan’s team provides will help the military innovate faster. Most companies innovate through software, the DoD’s software chief says. “There's very few innovations that are pure hardware defined. You will see way more continuous innovation on the software side, and that’s the difference between having a successful organization or losing against your competition.” The same holds true at the DoD, he says, though with a crucial difference: Success doesn’t just mean boosting the bottom line. It means protecting the lives and freedoms of the people.

Stay up to date

We'll never share your email address and you can opt out at any time, we promise.