
Treating Security Like a Product at the U.S. Army Software Factory

Security is a constant concern for businesses large and small, public and private. Data breaches and software supply chain attacks are occurring more and more frequently. A growing gap in the cybersecurity workforce is hampering security efforts in every type of organization. And with the average cost of a data breach at $4.24 million (IBM's 2021 Cost of a Data Breach Report), leaders have significant motivation to look for new and innovative ways to mitigate cybersecurity risk in their organizations. 

The U.S. Army is no exception. Alex Barbato, solutions engineer at VMware Tanzu Labs, worked with Hannah Hunt, chief of product at the United States Army Software Factory, to build a robust, compliant, and more resilient software development process to deliver applications to production. 

The talent gap 

As Hunt recently explained in their joint talk at SpringOne 2021, "Organizations are increasingly risk-averse and also unwilling to articulate their risk tolerance." This has resulted in significant security and compliance struggles within organizations. Small organizations may underestimate their cybersecurity risk profile, leading to security breaches, and some lack the expertise needed to harden and secure their infrastructure. Enterprise organizations also struggle with ransomware attacks and attracting security talent. These problems are acutely felt in the U.S. federal space, where cybersecurity positions may be classified as IT specialist positions and staffed with underqualified or undertrained personnel. To overcome these challenges, according to Hunt, security needs to be treated like a product.  

The problem with a Risk Management Framework 

The U.S. federal government uses a set of guidelines called the Risk Management Framework (RMF), published by NIST as Special Publication 800-37 and adopted by the Department of Defense, to assess and manage cybersecurity risk. It is a prescriptive process that integrates security, privacy, and risk management activities into the system development lifecycle. Its seven steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) let security personnel and developers understand the risks and impacts of a project, map those risks to a defined set of controls, and then assess progress against them. The problem in practice is that adherence is measured by artifacts: numerous spreadsheets and lengthy compliance documentation that eventually balloon out of control. Leadership leans more and more heavily on the framework's paperwork, and documentation becomes the central fixture of security rather than the actual practice of building software securely. 

Using control insights to deliver software securely 

Controllable input metrics are deliberately chosen leading indicators that a team can act on and that drive the desired output metrics. Barbato argues that the controllable input for security is control insights. For a software delivery organization, a control insight is a concrete response to an identified threat vector in the software delivery system. These responses can be derived from any relevant framework or control catalog, such as NIST SP 800-53, OWASP guidance, or the CIS Benchmarks. Every organization needs to determine which control set works best for it and, most importantly, use feedback to adapt the framework until it is viable and useful in practice. Defining the controllable inputs is also how cybersecurity personnel contribute to desired business outcomes while maintaining a strong security posture in application development.  

Defining control insights is only the first step. Organizations also need measures of success that reflect both business and security concerns. These measures can be established in many ways, including simulating business load, running penetration tests, or staging mock security breaches. Hunt and Barbato used roadmaps and objectives and key results (OKRs) to measure the success of their secure software delivery program. Another vital step was automation: they reduced toil by automating tests and scans, which keeps security checks consistent across the software development cycle rather than dependent on manual review. Once the program was established, they gathered feedback from stakeholders and used it to iterate on the process. Defining control insights, pairing them with measures of success, automating the checks, and closing the feedback loop allowed the organization to move toward security-focused outcomes instead of complicated spreadsheets of risk management indicators. 
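The following Python is an added example, not code from the SpringOne talk or from the Army Software Factory. It shows what "control insights as automated checks" can look like in a pipeline: each insight names a threat vector in the delivery system, the control it maps to, and a check that runs against build artifacts and emits a structured evidence record, so the compliance artifact is generated by the pipeline instead of maintained in a spreadsheet. The scan JSON schema, the Dockerfile, the properties file, and the specific control mappings are all constructed assumptions for illustration.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample artifacts standing in for real pipeline output.
# The scan JSON imitates a generic dependency scanner; its field names are an
# assumption, not any particular tool's schema. Finding ids are placeholders.
ARTIFACTS: Dict[str, str] = {
    "dependency_scan.json": json.dumps({
        "findings": [
            {"package": "libexample", "version": "1.2.3", "severity": "HIGH", "id": "FINDING-1"},
            {"package": "otherlib", "version": "0.9", "severity": "LOW", "id": "FINDING-2"},
        ]
    }),
    "Dockerfile": 'FROM registry.example/base:1.0\nCOPY app /app\nUSER 1001\nENTRYPOINT ["/app/run"]\n',
    "app.properties": "db.host=db.internal\ndb.password=hunter2\n",
}


@dataclass
class CheckResult:
    passed: bool
    evidence: str  # what a reviewer or auditor would want to see, not just pass/fail


@dataclass
class ControlInsight:
    """A threat vector in the delivery system, the control it maps to, and an automated check."""
    threat: str
    control_ref: str  # reference into the chosen catalog (hypothetical NIST SP 800-53 mappings below)
    check: Callable[[Dict[str, str]], CheckResult]


def no_high_or_critical_findings(artifacts: Dict[str, str]) -> CheckResult:
    """Vulnerability monitoring: block the build on HIGH or CRITICAL dependency findings."""
    findings = json.loads(artifacts["dependency_scan.json"])["findings"]
    blocking = [f for f in findings if f["severity"] in ("HIGH", "CRITICAL")]
    evidence = ", ".join(f"{f['id']}:{f['package']}@{f['version']}" for f in blocking)
    return CheckResult(not blocking, evidence or "no blocking findings")


def container_runs_as_non_root(artifacts: Dict[str, str]) -> CheckResult:
    """Least privilege: the effective USER of the image must not be root.

    Docker defaults to root when no USER instruction is present, and the last
    USER instruction wins, so the whole file is scanned."""
    user = "root"
    for line in artifacts["Dockerfile"].splitlines():
        parts = line.split()
        if parts and parts[0].upper() == "USER":
            user = parts[1].split(":")[0]  # drop an optional ":group"
    return CheckResult(user not in ("root", "0"), f"USER={user}")


# Deliberately simple pattern for the demo; a real secret scanner uses many more rules.
SECRET_PATTERN = re.compile(r"(?i)\b(password|secret|api[_-]?key|token)\s*[:=]\s*\S+")


def no_hardcoded_secrets(artifacts: Dict[str, str]) -> CheckResult:
    """Authenticator management: no credentials committed in configuration files."""
    hits = []
    for name, body in artifacts.items():
        if name.endswith(".json"):
            continue  # scanner output is not a place credentials are expected
        for lineno, line in enumerate(body.splitlines(), 1):
            if SECRET_PATTERN.search(line):
                hits.append(f"{name}:{lineno}")
    return CheckResult(not hits, ", ".join(hits) or "no secrets found")


# Hypothetical mapping of threat vectors to controls; adapt to your own control set.
CONTROL_INSIGHTS: List[ControlInsight] = [
    ControlInsight("vulnerable third-party dependency shipped to production",
                   "NIST SP 800-53 RA-5", no_high_or_critical_findings),
    ControlInsight("container process runs with root privileges",
                   "NIST SP 800-53 AC-6", container_runs_as_non_root),
    ControlInsight("credential committed to source",
                   "NIST SP 800-53 IA-5", no_hardcoded_secrets),
]


def evaluate(insights: List[ControlInsight], artifacts: Dict[str, str]) -> List[dict]:
    """Run every check and return one evidence record per control insight."""
    results = []
    for insight in insights:
        outcome = insight.check(artifacts)
        results.append({"threat": insight.threat, "control": insight.control_ref,
                        "passed": outcome.passed, "evidence": outcome.evidence})
    return results


def release_gate(results: List[dict]) -> bool:
    """All control insights must pass before the build may be promoted."""
    return all(r["passed"] for r in results)


if __name__ == "__main__":
    records = evaluate(CONTROL_INSIGHTS, ARTIFACTS)
    print(json.dumps(records, indent=2))
    print("release allowed:", release_gate(records))
```

On the constructed artifacts, the dependency check fails on the HIGH finding, the non-root check passes, and the secrets check flags `app.properties` line 2, so the gate blocks the release and the JSON records are the evidence a reviewer would attach to the control. The point is the shape, not the three checks: each new threat vector the team identifies becomes one more `ControlInsight` whose result is produced by the pipeline on every build.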

Bridging compliance and development needs

Hunt and Barbato used a "team of teams" model in which the cybersecurity team works together with the platform and user-facing application teams as one balanced team to get applications into production. As an organization grows, it may add roles and teams to this larger team, such as penetration testers and security assessment groups. At the U.S. Army Software Factory, however, the demand for a particular role arose from the need to bridge the gap between application teams and compliance and security controls. To meet that need, they created a position called the application security validation engineer (ASVE).  

The ASVE is a code-first role with a focus on soft skills. This individual requires a high level of empathy to work between security, application development, and platform engineering teams. Often, miscommunication and misunderstanding occur between these teams due to competing goals, poor implementation practices, and misaligned incentives. The ASVE helps align teams and keep them moving toward a common goal while removing blockers and enabling collaboration and communication. 

When input controls, measurements, and defined goals are integrated into application development, security becomes part of the overall process and the final product instead of an afterthought or roadblock. Treating security like a product garners buy-in from the application team to focus on security outcomes during app development. It makes security more tangible and usable. Hunt and Barbato leveraged their team of ASVEs along with OKRs and roadmaps to implement and scale secure application development. With balanced teams working toward the same goals, they've been able to deliver multiple applications, like MySquad, to production and prove that security doesn't need to be a hurdle for organizations to stumble over.  

For a more in-depth look at this program, be sure to check out their presentation from SpringOne. And learn more about how VMware Tanzu Labs can help you transform your organization.