Developing Secure Software Starts with the First Line of Code

“How do we build better software quickly while integrating security from coding standards to architectural design patterns rather than leaving it as an afterthought?” muses John Meyer, Peraton’s Vice President of Strategy, Enterprise Architecture, and Compliance. The answer: DevSecOps.

DevSecOps is the concept of combining the critical pieces of software development with security assurance into an integrated and secure software development environment. Rather than testing and fixing the security of an application after it has been built, software developers are increasingly coding with an understanding of data protection requirements and methods at the start. The DevSecOps philosophy is a necessary improvement over DevOps, the methodology designed to deliver quality code faster.

At Peraton, this security mindset goes beyond software. “Security is baked into everything we do at Peraton, regardless of the project, from IT development to mission operations,” says Jim Schifalacqua, Peraton’s Vice President and Chief Information Security Officer. “Early on I was a proponent of the term SecDevOps because having secure development operations is really what it’s all about,” Schifalacqua adds. “But the DoD community likes to think of it as security being at the center of development and operations, so DevSecOps is fine with me!”

Peraton has built processes around DevSecOps to detect any flaws in code and other assurances for Supply Chain Risk Management. “No matter what we are developing, our customer know that we are focused on developing secure code using secure development process,” says Meyer.

To maintain this trust and ensure Peraton’s role as a critical provider in the national security supply chain, Peraton ensures that all cybersecurity controls, threat monitoring, and operational security is in place for the development infrastructure, in addition to performing DevSecOps for product development.

An example of Peraton’s DevSecOps work can be seen in the cross-domain cyber technology program for Xdomain Technology Through Research, Evolution, Enhancement, Maintenance and Support (XTREEMS). Peraton maintains a trusted-environment mentality and approach in the development environment for the Air Force Research Laboratory (AFRL), where critical high-assurance products are created.

The future of DevSecOps may be in the cloud, pointing the way to yet another variation on the acronym. “As more companies and agencies look to cloud-based services in place of custom-developed applications, the embedding of security into the integration and operations of the selected cloud services—which I call IntSecOps—will become just as valued as DevSecOps” says Meyer.  “As more companies integrate cloud services into their organization’s application portfolio, especially when consumed in a multi-cloud environment, they will need to ensure that they have a security-focused integration architecture that connects to, consumes, and administers their cloud services.”

Interested in supporting our DevSecOps mission? Check out Peraton’s open positions.