DEVSECOPS: DOD ENTERPRISE DEVSECOPS INITIATIVE: AIR FORCE CHIEF SOFTWARE OFFICER NICOLAS CHAILLAN: “FAIL FAST, BUT DON’T FAIL TWICE FOR THE SAME THING.” [#Agile #DevSecOps #FailFast]
The Pentagon is pushing hard toward a new software development model that finds defects early through constant testing and continuous improvement, avoiding traditional IT disasters where flaws only become obvious too late.
According to Air Force Chief Software Officer Nicolas Chaillan, this idea is called “fail fast, but don’t fail twice for the same thing.”
Chaillan is co-director of an organization called the DoD Enterprise DevSecOps Initiative, which translates into simple English as a campaign to spread the new approach (DevSecOps, because it combines software development, cyber security, and software operations side-by-side) across the entire Department of Defense (DoD Enterprise).
SO WHAT IS DEVSECOPS?
We have to start by contrasting DevSecOps with the traditional software development process known as “Waterfall,” in which work flows in a clear linear sequence from one stage to the next, with no way to flow back upstream to an earlier stage. The waterfall approach still works if we have a very clear idea of what the final product needs to be and that idea will not change over time.
But modern threats move too fast. As a result, according to Chaillan, development takes so long that mission needs change before the software is delivered. Coding flaws often are not found until the end of the development cycle, sometimes a year or more later, resulting in costly fixes. And cybersecurity is treated as a separate step instead of being infused throughout all stages of development, leading to software vulnerabilities and ineffective solutions at the end.
By contrast, Development Operations, or DevOps, is what is known as an “Agile” methodology because it embraces an iterative process: develop a little, get user feedback, field a little more, and repeat. Rather than have developers labor in isolation to develop something that looks complete, only for the users to finally see it and find flaws, DevSecOps races to produce a “Minimally Viable Product (MVP)” early on that the user can actually try out and give feedback on. The developers can then take that feedback, make improvements, and roll out the next version, improved but still imperfect, for another round of user feedback.
When you add cybersecurity experts to this process, working alongside both the developers and the users from the beginning to ensure the code is not easily hacked, DevOps becomes DevSecOps.
Fail Fast, Not Twice: DoD’s Push For Agile Software Development:
A Pentagon task force is reviewing over a hundred tools and services to speed up software acquisition.