The Power of Open Source: Intro to DevSecOps for Government Systems
Recently, CIQ participated in the Intro to DevSecOps for Government Systems, a 2-day virtual event + DevSecOps Industry Day from November 29th-December 1st. As part of the event, CIQ's Paul Nathan and Timothy Serewicz of the Linux Foundation jointly presented The Power of Open Source - Intro to DevSecOps for Government Systems.
https://www.youtube.com/watch?v=TdOWcYVMJNk
Here’s a brief summary of their key points:
Open source is more than just a tool. Open source software is not just about using the software; it’s about the culture, the process, and the broad understanding of how you can deliver results when pivoting to this new way of working.
Think about open source as a change accelerator. Commercial operating system software typically rolls out major changes only once a year or so, whereas industrial-quality open source projects, backed by many large industrial software shops, are able to release major changes quickly. In addition, collaborating in open source working groups enables innovation at community scale: sharing ideas and collaborating with others can actually help build a competitive advantage.
In order to integrate open source into your organization, you need to be prepared to move at the speed of open source. To get started, you need to:
- Assess your key organizational outcomes.
- Define the fundamental required elements for a process that will deliver the outcomes.
- Find tooling that meets your process needs.
You should also consider these as best practices:
- Implement a SecOps process that will pull in the latest upstream, qualify it, and release it at a cadence of your choice.
- Select representatives to engage with the open source community (which includes independent developers, contractors, companies, and governmental organizations). By becoming an active stakeholder, you can help influence how the open source projects are proceeding.
Work from your requirements to your process to your tools. Then, build your stack, or select a premade stack that might be present in your wider organization.
Define the environment in which you launch your software. Develop a workflow to assess it, test it, and deploy it.
To learn more about security in open source software for government systems, view an example of what a process implementation looks like, and much more, please watch the presentation in its entirety, and be sure to subscribe to our CIQ YouTube channel.