Over the last 30 years, the DoD has struggled to adapt to the ever-changing world of software development. Of these many struggles, implementing Agile software development and practicing systems security engineering are two that continue to plague the DoD. In an attempt to overcome both of these hurdles, this paper presents a Software Assurance approach that is tightly woven into the Agile software development lifecycle and emphasizes the benefits that Agile development best practices can have on the security posture of a software system. First, we review the DoD’s adoption of Agile software development, including how to tailor Agile for DoD development. Next, we examine Software Assurance best practices and how they align with the Agile software development process. Finally, we discuss how an Agile approach to software development and the implementation of DevOps can improve a team’s ability to maintain a high security posture.
Agile Development in the Department of Defense
Building and delivering software incrementally has always been a part of software development. The commercial world has been modifying and enhancing that process since the publication of the Agile Manifesto in 2001 [1]. The Manifesto identifies 4 values:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
These are then explained based on 12 principles that outline a high-level, highly collaborative, time-boxed process that focuses on delivering working software to users and provides a method for adjusting to changes in requirements. Since its publication, software has become more complex and is now the most costly effort in almost all DoD programs [2]. In response, the DoD has adopted many of the Agile development practices made popular by the commercial industry. The many struggles of that adoption were documented in the 2012 GAO report [3], and five years later the DoD continues to struggle.
A barrier to adopting a true Agile methodology is often the Acquisition process and the strict requirements that are placed on government program offices. Even as industry has evolved to only offer Agile solutions, those solutions must be tailored to fit within Acquisition. The constraints placed on any Agile implementation are confined to the time between the finalization of the Capability Development Document (CDD), which defines all requirements for the entire period of performance, and operational test, which is designed to determine the program’s ability to meet CDD requirements. These two roadblocks, which are essential to the acquisition process, are fundamentally in opposition to Agile’s flexible requirements and user interaction throughout development. As development methodologies continue to move further from rigid requirements, programs remain confined by requirements that must be defined prior to contract award and eventually tested against, with limited operational test interaction during development.
Despite these constraints, the defense industry has developed its own variety of Agile that derives many of the benefits of the Agile process while still meeting the requirements of acquisition. What is lost in the adherence to Acquisition is the flexibility in user requirements that evolve throughout the development lifecycle. What is retained is the built-in quality that comes from the cadence of Agile development. Through this cadence, DoD programs can apply and maintain software assurance best practices throughout the life of the software.