The Big Picture
Software factories will be pivotal to the operational performance of the Air Force in the over-the-horizon future. DevSecOps offers a new potential to increase agility, shorten release timelines, improve reliability, and lower costs for building secure software applications. Additionally, by exploiting open-source frameworks and languages for quick starts, DevSecOps represents a modular, adaptive, and flexible approach to software development, which is key to making better code faster. Allowing the Air Force to deploy capabilities more quickly, embrace and learn better from fail-fast approaches and build more robust software products, DevSecOps will be vital for effective warfighting in the future battlespaces anticipated by the Air Force. Cultivating ecosystems to allow digital innovation to occur will, however, need traditional ways of working to change if the Air Force is to become capable of building, acquiring, and delivering software at speed.
Software and Warfighting
Software is indispensable for integrating sensors and shooters from the ground up to space. Moreover, it defines the vast majority of mission-critical capabilities today for the Air Force and sister services. With mission performance increasingly impacted by the ability to develop and deploy software faster than the next operational threat, there is a decisive advantage to be gained for the Air Force if it can lean into rapid software development to generate customized, on-demand solutions to warfighter needs. However, despite the advantages it can unlock in an era of accelerating digitization and automation, building enterprise software quickly and securely remains a complex endeavor. For best results, teams of agile development experts must be matched with the supporting infrastructure, laboratory environment, and product development frameworks that do not fit easily into traditional organizational structures and ways of working for military services.
The challenge of building custom enterprise software in the defense context is compounded by security criteria that drive compartmentalization and rigid environmental controls. Traditional barriers to software development at large have been related to the inclinations of military users to demand bespoke solutions, even when requirements across a user or enterprise community justify common approaches and shared solutions. Focusing on proprietary solutions developed using closed frameworks, military users have instead opted for products that are more time-intensive to develop, test, deploy, and upgrade, requiring custom code and repetitive processes carried out by different teams across the software product lifecycle. There is now a realization that creating robust, scalable, and secure software that can quickly be deployed and enhanced to support constantly changing operational requirements with agility is pivotal to fighting and winning in the future battlespace.
Building Better Code, Faster
To succeed, the Air Force’s enterprise software services must become vendor agnostic and embrace agile and open frameworks for development. To make better software products faster, approaches that can break down stovepipes and silos in the way of better information-sharing and, crucially, deeper collaboration across developer and user communities are necessary. DevSecOps is a methodology combining software development and IT operations to rapidly create, deploy, and use digital applications. With developers and users working side by side to create and test new software, make improvements, and push out upgrades quickly, the lifecycle stages of the DevSecOps framework – Design/Plan; Build; Test/Verify; Release; Deploy, and; Monitor/Runtime – address traditional disconnects between software development, operations and security for military enterprises such as the Air Force.
By condensing the timelines between warfighters and users, providing feedback to developer teams, and capitalizing on common code whenever possible, the ability of development teams to turn around and push out incremental improvements more quickly is tremendously enhanced. Making a high percentage of code shareable for developers contrasts with programs in recent years where proprietary software has been developed from scratch but can deliver products more rapidly and at a lower cost without compromising high-performance attributes. DevSecOps also draws cybersecurity thinking and practices into the design and development phase. Security is, therefore, built-in from the beginning and continuously improved throughout the development cycle rather than visited at later stages of product development.
‘Baking in’ zero-trust security from the first source code enables a more advanced risk posture. It frees software development teams to be more experimentative in product development as well as to be able to release software faster. Removing the need for lengthy security sign-offs, DevSecOps offers a way to make possible continuous delivery with comprehensive security, which provides the basis for a continuous authority to operate (cATO). Allowing for a vast amount of automation to be built into the product development process, together with ‘containerization,’ which resolves the challenge of getting the software to run reliably as it is moved across different computing environments, developer teams using DevSecOps can create and deploy more secure, more dynamic applications faster.