035 – “PRC2 and DevSecOps”
Author: Brent VanDerMeide
Author email: brent.vandermeide@us.af.mil
Author phone: 801-989-6360
Company: USAF
The PRC2 team’s most recent success has been taking an organic team that was entrenched in following an out-of-date process known as waterfall software development and embracing an effective method known as Agile which is similar to many leading industry practices. These rapid releases and ability to adapt to change suits the team well in expanding into the agile methodology known as DevSecOps. DevSecOps incorporates the software development, security and operations all in one synchronized two week release cycle, known as a sprint. These sprints have provided the team the ability to adjust to rapid changes, so as new threats or needs arise from the warfighters, our team is ready and able to adapt to changes and provide them with the needed capabilities as soon as possible.
This new way of developing didn’t happen overnight and it took the entire PRC2 team working together. It required extremely close collaboration with our stakeholders. Daily stand-up meetings to discuss status, weekly requirements planning and bi-weekly demonstrations of new features are a few of the changes. The team has had to come together to navigate through the maze of established policies, regulations and processes to show that rapid agile development is not only possible but exceeds the current level of quality standards that is expected from our warfighters. The team took a process that would include taking several months of negotiations over requirements and estimation, months software development, up to 8 weeks of internal and external testing, up to 2 months addressing defects found and waiting an additional 6 weeks for a fielding decision. So when an urgent new feature was required by the warfighter they could expect to see it in a year or more. The team realized that the warfighter deserved better and that there were ways to improve.
The team re-designed the development process by automating many of the tasks that were manual and prone to error. Amongst these tasks included; code quality and security scans, penetration testing scans, user testing, and full configured documentation. This process which once took several weeks can now be accomplished in approximately 1.5 hours. The previous testing methods required manual input which was not only time consuming but also prone to user errors. The internal and external testing would last approximately six weeks with several of those weeks at an offsite location resulting in high travel costs to the project. The team also reached out to our external stakeholders and started getting their buy-in to this methodology. After 9 months to develop this process, automation tools, and getting our external stakeholders to buy-in, we have released 8 new releases on two product lines in less than 3 months. These releases contained critical security updates, new user requested features, and corrected existing errors. Our customer and end users see these updates in weeks now instead of years.