DevSecOps is a set of principles and practices that provide faster delivery of secure software capabilities by improving the collaboration and communication between software development teams, IT operations, and security staff within an organization, as well as with acquirers, suppliers, and other stakeholders in the life of a software system.
To keep pace with potential adversaries, the Department of Defense (DoD) and government software development efforts need to deliver cutting-edge software capabilities quickly. However, as of 2012, the average development time from concept to deployment for major DoD IT systems was seven years, and in February 2017, the Government Accounting Office reported that the DoD “pays more than anticipated, can buy less than expected, and, in some cases, delivers less capability to the warfighter.” The budgeting process alone can take as long as two years.
With the increasing importance for developing and deploying new technologies, it is critical for the DoD to find ways of accelerating the speed at which it moves from concept to capability. DevSecOps has proven successful in industry for doing just that, with many companies increasing not only the velocity at which they deliver secure software to users, but their incident response capabilities as well. DevSecOps can increase system quality, reduce costs and capability time-to-value, and minimize cognitive differences among all key system stakeholders.
As a result, the DoD and other government agencies are invested in finding how to effectively apply these techniques to their projects. The SEI supports this work by researching how to apply DevSecOps in the DoD and government settings to deploy new technologies more quickly and ensure that those technologies are secure.
Better Software Faster
Since the SEI began its research on DevSecOps in 2012, we have become a recognized leader in the practice. The SEI integrates research on AI, software, and cybersecurity into its work in DevSecOps to provide solutions for DoD capabilities, acquisition, integration, and delivery of software.
In 2015, the SEI became the first federally funded research and development center (FFRDC) to work on implementing DevSecOps practices at the DoD. Currently, the SEI is engaged in several projects that involve the application of DevSecOps to complex, mission-critical systems development, as well as for reducing software cycle times and cost, and improving the sustainability of DoD platforms.
In the same year we began working with the DoD, we leveraged our expertise to launch the first course in the world on the topic of DevSecOps in the graduate program of Carnegie Mellon University’s (CMU) world renown School of Computer Science. The course was co-designed and co-taught by Hasan Yasar.
Since 2015, demand for our DevSecOps course has grown, and it is now offered every semester of the academic year at CMU. Today, we also offer the course internationally and have consulted with top-tier universities across the world to help them build their own DevSecOps curricula, including universities in Germany, Spain, Portugal, Rwanda, Turkey, India, and more.
Your organization can benefit from the SEI’s expertise. We offer training, mentoring, and engineering support for organizations that are new to DevSecOps or that are looking to optimize their techniques. Our experts can help you apply DevOps to your organization’s development, testing, and operational processes and create synchronous environments that enable you to deploy new capabilities and update current features securely.
We can also help you leverage DevSecOps to better meet the requirements set forth in various standards (e.g., IEEE P2675 DevOps and NIST 800-160), frameworks (e.g., DOD Architecture Framework), regulations (e.g., DoDD 5000.01 and DFARS), and strategic plans (e.g., the DISA Strategic Plan).
What We Offer
This webcast covered the implementation of an automated, continuous risk pipeline that demonstrates how cyber-resiliency and compliance risk can be traced to and from DevSecOps teams working in the SDLC program and project levels.
Join Us for
DevSecOps Days is a series of events hosted by the SEI that provides you with an opportunity to meet fellow practitioners integrating security into their DevOps practices. Learn about their journeys, share ideas on integrating security into your teams, and trade insights on automating security within the entire developer and production pipeline. We're putting the "Sec" into DevSecOps. See below for a list of upcoming DevSecOps Days and locations.
Fall 2020, Washington DC
September 2020, Philadelphia, PA
We are also community advocates for All Day DevOps Conference. (https://www.alldaydevops.com/spring-break)
The Latest from the SEI Blog
A Framework for DevSecOps Evolution and Achieving Continuous-Integration/Continuous-Delivery (CI/CD) Capabilities
February 15, 2021 • Blog Post
This post was co-written by Vanessa Jackson. The benefits of operating a development environment with continuous-integration and continuous-delivery (CI/CD) pipeline capabilities and DevSecOps practices are well documented. Leveraging DevSecOps practices and CI/CD pipelines enables organizations to respond to security and...read
November 16, 2020 • Blog Post
Julia Scherb coauthored this blog post. The Department of Defense's desire for faster delivery of new capabilities is transforming defense acquisitions. The emerging processes of digital thread and digital engineering aim to address the difficulties of managing complex and evolving...read
Our Vision for the Future of DevSecOps
The SEI continues to research DevSecOps to accelerate and assure software transformations. Our research program reaches a wide range of DoD and U.S. government organizations. In the near-term, the SEI is working to streamline continuous assurance via DevSecOps. In the future, our research aims to develop the next generation of DevSecOps that will be capable of integrating automated code repair and adversarial AI models, enabling the development of AI systems, and using AI in all phases of the SDLC to support DevSecOps practices and processes with smart decisions.
To stay up to date on the SEI’s DevSecOps research, subscribe to our blog.