The Defense Department's Journey with DevSecOps
Jun 11, 2020 2 min read
The Cloud Native Computing Foundation (CNCF) has released a new case study of the DoD's approach to DevSecOps that looks at how it used Kubernetes clusters and other open-source technologies to speed up releases. While most of the information was already available from the DoD and in its presentations, the CNCF has summarized the venture in one place.
The Department of Defense has created its Enterprise DevSecOps reference design, which defines the gates on the DevSecOps pipeline so that warfighters can create, deploy and operate software applications in a secure, flexible and interoperable manner. Releases, which once took as long as three to eight months, can now be achieved in one week.
DevSecOps is a set of automated tools, services and standards that enable programs to develop, secure, deploy and operate applications in a secure, flexible and interoperable fashion. The DoD effort was spearheaded by Nicolas M. Chaillan, chief software officer of the U.S. Air Force, and Peter Ranks, deputy chief information officer for Information Enterprise (DCIO IE), DoD CIO.
Here's the DoD Enterprise DevSecOps Technology Stack:
The foundational layer uses Kubernetes for orchestration. It provides resiliency, self-healing and orchestration capabilities. For different classified environments, Envoy and Istio provided a control and data plane so that there was a clear distinction between them.
To demonstrate what can be done, Chaillan challenged the Air Force's SoniKube team to get Kubernetes running on an F-16 jet. In 45 days, the team got three simultaneous Kubernetes clusters running on the jet. "We got the cluster on Istio running and then we launched five or six microservices", Chaillan told the Cloud Native Computing Foundation. "A lot of the jet runs in older programming languages, and so being able to run Go, Python, and Java was pretty exciting".
Two teams were created to facilitate enterprise-level offerings. The Cloud One team provides cloud infrastructure with baked-in security for DoD programs. The Platform One team supports the DevSecOps Platform and CI/CD pipeline. "As long as teams are compliant with that reference design, they can get a DoD-wide continuous ATO (authority to operate)", said Chaillan.
This has saved a great deal of time on releases. Releases that took three to eight months are now achieved in one week. In addition, the Platform One team provides a continuous ATO (c-ATO), enabling teams to push software multiple times a day.
They also offer training and self-learning capabilities to deliver a state-of-the-art DevSecOps curriculum. The goal is to train 100,000 people within a year.
In the recent past, most military software teams were building software using waterfall processes. For big weapon systems, software delivery would take three to ten years. With consideration of DevOps, this timeline would further extend. "…(there was) no minimum viable product, no incremental delivery, and no feedback loop from end users", said Chaillan. "Cybersecurity was mostly an afterthought".
In addition, the DoD doesn't always control software development. It purchases software that must later be integrated with all its existing systems. So the top priority for the department was to make sure it is not getting locked into cloud providers or platform providers.
