Adopting Agile DevSecOps in the U.S. Department of Defense (DoD) is not without its challenges, especially when managing open-source technologies. Technologies such as Git, Kubernetes and continuous integration/continuous delivery (CI/CD) pipelines are not just tools; they are the backbone of Agile DevSecOps strategies.

These technologies serve as critical enablers, streamlining and automating processes that were once cumbersome and time-consuming. They facilitate a shift from traditional, linear development models to more dynamic, iterative and responsive frameworks.

As I embarked on my dissertation journey, I found a passion for researching and writing about Agile methodologies and the implementation of DevSecOps in DoD software development.

In the evolving domain of military technology, the DoD consistently seeks to adopt innovative software development methodologies. The shift from traditional “waterfall” development methods to Agile DevSecOps represents not just a change in a development approach but a cultural shift in how software is developed, secured, deployed and maintained.

This transformation is vital in the DoD context, where the ability to rapidly adapt and respond to changing requirements and security threats can have far-reaching implications. The adoption of such technologies fosters a CI/CD culture. This approach enables teams to release updates and new features frequently and reliably, ensuring that software remains relevant, secure and efficient. In an environment like the DoD, where security and reliability are paramount, the ability to quickly iterate and deploy could be a life-saving adjustment.

Integrating quality and security measures into development was a major focus for the 12 participants, who are identified only as Participant (P) 1-12.

Their responses to in-depth interviews indicate that using automated tools like SonarQube and Fortify for early vulnerability detection is a key strategy. P10 stated: “The Fortify reports are then harvested and sent back to the team’s Slack channel … it is possible to have a merge request get approved, and then Fortify flag the code for vulnerability, and then we feed that back into Slack so the developer becomes aware.” This approach represents a proactive stance on security, ensuring issues are caught and addressed swiftly. P1’s approach to security was also notable: “We abstracted away security into the starter application.” This strategy not only streamlined security processes but also allowed teams to focus more on development, striking a balance between efficiency and security.
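The feedback loop P10 describes (scan the merged code, harvest the scanner's report, push the findings into the team's Slack channel) is the pattern below, written as an added illustration rather than code from the study, from Fortify or from any participant's software factory. It assumes the scanner exports a SARIF 2.1.0 file (a vendor-neutral format; Fortify's native report format is not shown on the page), uses a constructed sample report instead of real scanner output, and uses a placeholder webhook URL; the merge-request number and commit hash are likewise constructed.

```python
"""Post-merge SAST feedback: parse a SARIF report, pick actionable findings,
and build the Slack alert the developer would see. Added example, not the
page's or any vendor's code."""
import json
import urllib.request
from dataclasses import dataclass

# Constructed sample report in SARIF 2.1.0 shape. Assumption: the scanner is
# configured to export SARIF. This is NOT real Fortify or SonarQube output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-credential", "level": "warning",
             "message": {"text": "Possible hardcoded password"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
}

# SARIF result levels, ranked so a threshold can be applied.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    message: str
    path: str
    line: int


def parse_sarif(report):
    """Flatten SARIF runs/results into Finding records (first location only)."""
    findings = []
    for run in report.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=result.get("ruleId", "unknown"),
                level=result.get("level", "warning"),  # SARIF's default level
                message=result.get("message", {}).get("text", ""),
                path=loc.get("artifactLocation", {}).get("uri", "?"),
                line=int(loc.get("region", {}).get("startLine", 0)),
            ))
    return findings


def actionable(findings, min_level="warning"):
    """Keep findings at or above min_level, most severe first."""
    threshold = SEVERITY_RANK[min_level]
    kept = [f for f in findings if SEVERITY_RANK.get(f.level, 0) >= threshold]
    return sorted(kept, key=lambda f: (-SEVERITY_RANK.get(f.level, 0), f.path, f.line))


def build_slack_payload(findings, merge_request, commit):
    """Slack incoming-webhook payload ({"text": ...}) summarising the scan."""
    header = f"SAST scan of !{merge_request} ({commit[:8]})"
    if not findings:
        return {"text": f"{header}: no findings at or above threshold."}
    lines = [f"{header}: {len(findings)} finding(s) need attention"]
    for f in findings:
        lines.append(f"- [{f.level.upper()}] {f.rule_id} at {f.path}:{f.line}: {f.message}")
    return {"text": "\n".join(lines)}


def post_to_slack(webhook_url, payload, opener=urllib.request.urlopen):
    """POST the payload to a Slack incoming webhook. `opener` is injectable so
    the function can be exercised offline; the URL used below is a placeholder."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.status


def scan_feedback(report, merge_request, commit):
    """One post-merge cycle: parse, filter, build the message, flag blockers.
    Returns (payload, has_blocker); an "error"-level finding is a blocker."""
    findings = actionable(parse_sarif(report))
    payload = build_slack_payload(findings, merge_request, commit)
    has_blocker = any(f.level == "error" for f in findings)
    return payload, has_blocker


if __name__ == "__main__":
    # Constructed merge-request number and commit hash.
    payload, blocker = scan_feedback(SAMPLE_SARIF, merge_request=123, commit="abc123def456")
    print(payload["text"])
    print("Block promotion:", blocker)
    # post_to_slack("https://hooks.slack.invalid/placeholder", payload)  # placeholder URL
```

The "note"-level result is filtered out so the channel only carries findings a developer must act on, and the boolean returned alongside the payload is what a pipeline stage would use to decide whether the merged build may be promoted; the notification and the gate are kept separate so a team can start with notification only, as P10 describes, and add the gate later.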

The human aspect of Agile DevSecOps, particularly fostering team dynamics and trust, was another key theme. P2’s emphasis on a blameless culture where problems can be openly discussed was a testament to the importance of psychological safety: “It is a kind of a culture; we are trying to foster empathy putting yourselves in others’ shoes … we need to be able to talk about it openly and try to create a blameless culture.” This participant’s statement highlighted the need for a supportive environment within the team and with the end users.

Ten participants emphasized the importance of team interaction, collaboration and open communication. P11 described a notable initiative: setting up an all-day video conferencing room where all team members and others could drop in to ask clarifying questions. This practice fostered communication and collaboration. It was about more than just getting work done; it was about creating a sense of community and shared purpose.

The role of continuous feedback in Agile DevSecOps was evident in every conversation. Practices like user-driven development and CI/CD pipelines were crucial. P2 advocated for quickly getting capabilities in front of users to validate a product’s usefulness and make any necessary pivots. This approach emphasized the importance of user feedback in shaping product development. P12 also highlighted the operational efficiency of CI/CD pipelines: “The value that you really get out of that is the automation, the repeatable processes.”

Balancing innovation with security and stability requirements was another recurring theme. P1’s reflection on the DoD’s low-risk tolerance provided a candid look into the inherent tensions in this field: “In the private sector, high-risk tolerance is OK; we can go fast and break things, and in the DoD low-risk tolerance, we cannot … we do not want to lose lives; we do not want to risk our national defense.” P1’s statement shed light on the delicate balance between rapid development and security.

The study engaged a diverse group of software managers from various DoD software factories, encompassing a wide range of roles, experiences and educational backgrounds. Participants included product managers at various experience levels, platform managers, senior project managers, an agency director and a technical manager. Their field experience varied from five to 40 years, displaying a blend of emerging talent and seasoned expertise. Educational qualifications ranged from bachelor’s degrees to master’s degrees, with some holding relevant certifications such as Security+, Certified Scrum Master and Certified Kubernetes Administrator.

This varied group, including male and female participants aged 25 to around 74 years, provided a comprehensive perspective on adopting and implementing Agile DevSecOps within the DoD.

The core of the study was a series of in-depth interviews, where participants were asked various questions to probe their experiences and strategies in implementing Agile DevSecOps. Ten key questions guided the conversations, exploring different facets of software development management. These included inquiries about the organization’s overall approach to software development (project-based versus product-based), the adoption of Agile, DevOps or DevSecOps methodologies, and the factors that prompted any transitions. Participants were asked to describe the project management methodologies they used, especially any shift from traditional waterfall development to Agile models.

The interviews also delved into the cultural aspects influencing the adoption and execution of Agile DevSecOps, probing into the technologies and specific tools used, such as CI/CD pipelines, containers and microservices employed in the software development process. A critical area of focus was managing security within the development process, alongside the use of open-source tools and their impact on development strategies. Participants were encouraged to suggest ways the DoD could enhance its software development practices through Agile DevSecOps and to share personal strategies and experiences as project managers in this evolving domain.

The responses reinforced some well-established principles found in academia and in DoD-published guides, such as the DoD DevSecOps Playbook. The participants’ responses also introduced new insights that deepened our understanding of Agile development cycles, particularly within the context of DoD software development. These findings offer a unique blend of practical experience and theoretical knowledge, shedding light on both the common practices and the innovative approaches shaping this field.

One theme that emerged from the results was the methodologies and approaches used by the participants. The common thread was a shift from traditional project-based methods to a more dynamic, product-focused approach. Every project manager I spoke to emphasized the foundational role of Agile methodologies. P3 put it succinctly: “A product is more like it is going to last forever.” This quote showcased the shift toward delivering ongoing value. Another participant (P11) summed up Agile’s essence: “Agile is about iteration and continuous improvement.” This resonated with the overarching theme observed across all interviews: Agile is more than a methodology; it is a mindset that embraces flexibility and adaptability.

The insights gleaned point toward a more agile, responsive and secure approach to software development, which is paramount in a field where the stakes are incredibly high. The ability to rapidly adapt, iterate and deliver software solutions can significantly impact operational readiness and effectiveness. This is especially pertinent in the DoD, where technology plays a critical role in mission success and the safety of soldiers.

For more information, see the full publication at or contact the author for a copy of the publication.

Capt. Noe Lorona is an active-duty Army captain assigned to the Signal Branch. He holds several professional certifications, such as PMI CAPM, and six CompTIA certifications. He currently serves as a platform engineer for the Army Software Factory, where he plans, develops and deploys cloud architecture to support Agile application development.
