March 9, 2021
I was recently asked how Wabbi's federal strategy differs from our commercial strategy. The answer is that it doesn't. Both serve teams that look to ship software rapidly as a competitive advantage and that understand security becomes a bottleneck when it is not deployed correctly. Some Federal organizations – especially the DoD – have, you could say, taken a Kessel Run to leap ahead of some of the most advanced commercial development organizations in agile development methodologies, driven by their strict requirements and rapidly changing intel. So why wouldn't we want to work with some of the top teams, solving the toughest problems, who want to set a new standard for how security is deployed as part of a rapid development lifecycle?
When we recognized they were facing the same challenges as our customers – enterprises that had undergone DevOps transformations to remove bottlenecks from their SDLC, and then realized security remained one – we began the SBIR process. Today, we are thrilled to announce that Wabbi has been awarded a Phase I SBIR to help the software factories of the U.S. Air Force and U.S. Space Force deploy Continuous Authority-to-Operate (ATO).
Continuous ATO may seem like just another government TLA, but in reality it describes how every rapid development team is striving to integrate security into DevOps. They want to:
- Categorize the project based on specific attributes
- Select (or rather, automatically assign) the policies that are required for that project type
- Implement the policies by giving their developers the information in their workflow – and allowing them to provide feedback
- Assess automatically whether the rules have been followed and, when they haven't, why not
- Authorize the application to be released only when it meets the standards
- Monitor and manage continuously as the business requirements, application scope, and threat landscape change
If that reads like your ideal AppSec process, it is also the process of Continuous ATO: these six steps are the Categorize, Select, Implement, Assess, Authorize and Monitor steps of the NIST Risk Management Framework that a traditional ATO walks through once, run continuously instead.
Software and security are living, breathing things, so checking that an application meets security standards is not a one-time event. It needs to be continuously monitored and authorized. This does not change whether you are a commercial or a government enterprise.
The SolarWinds compromise is a good example: not just the government but most large enterprises had to change their policies overnight and roll them out with efficiency and precision. They needed to quickly understand which applications were affected and in what order to fix them. Without security deployed as an integrated, automated part of the SDLC, you can't do that.
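To make the six steps and the SolarWinds-style re-evaluation concrete, here is an added example in Python (not Wabbi's code and not any Air Force policy) of a policy-as-code release gate: project attributes select a policy, the pipeline's evidence is assessed against it with a reason for each failure, release is authorized only when the list of reasons is empty, and a newly published advisory is handled by re-running the same gate across every project, which also yields a remediation order. The attribute names, severity thresholds, project names, finding ids and the advisory identifier are all constructed for illustration.

```python
"""Release gate modelled on the six Continuous ATO steps.

Added illustration only: attributes, thresholds, findings and the advisory
id below are constructed; this is not Wabbi's product logic or any real policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Project:
    """Step 1 (Categorize): a project is described by attributes, not a hand-picked control list."""
    name: str
    impact: str            # assumed axis: "low" | "moderate" | "high"
    internet_facing: bool
    handles_pii: bool


@dataclass(frozen=True)
class Policy:
    """Step 2 (Select): what a project category must meet before release."""
    max_open: Dict[str, int]   # open findings allowed per severity
    require_sbom: bool
    max_scan_age_days: int


@dataclass
class Evidence:
    """Steps 3-4: what the pipeline attaches to a build (constructed scanner output)."""
    open_findings: List[Dict[str, str]]   # each {"id": ..., "severity": ...}
    sbom_present: bool
    scan_age_days: int


def select_policy(p: Project) -> Policy:
    """Step 2: assign the policy automatically from the category (thresholds assumed)."""
    if p.impact == "high" or p.handles_pii:
        return Policy({"critical": 0, "high": 0, "medium": 5}, True, 7)
    if p.impact == "moderate" or p.internet_facing:
        return Policy({"critical": 0, "high": 2, "medium": 20}, True, 14)
    return Policy({"critical": 0, "high": 5, "medium": 50}, False, 30)


def assess(p: Project, e: Evidence) -> List[str]:
    """Step 4: return every violated rule with its reason; an empty list means compliant."""
    pol = select_policy(p)
    counts: Dict[str, int] = {}
    for f in e.open_findings:
        sev = f["severity"].lower()
        counts[sev] = counts.get(sev, 0) + 1
    reasons = []
    for sev, limit in pol.max_open.items():
        if counts.get(sev, 0) > limit:
            reasons.append(f"{counts[sev]} open {sev} finding(s), policy allows {limit}")
    if pol.require_sbom and not e.sbom_present:
        reasons.append("SBOM required for this category but not attached")
    if e.scan_age_days > pol.max_scan_age_days:
        reasons.append(f"last scan is {e.scan_age_days} days old, policy allows {pol.max_scan_age_days}")
    return reasons


def authorize(p: Project, e: Evidence) -> bool:
    """Step 5: release only when assess() finds nothing."""
    return not assess(p, e)


def reassess_after_advisory(fleet: List[Tuple[Project, Evidence]], advisory_id: str,
                            severity: str, affected: List[str]) -> List[Tuple[str, List[str]]]:
    """Step 6 (Monitor): a new advisory lands. Record it as a finding on every affected
    project, re-run the gate everywhere, and return the projects that now fail with
    the strictest policy first, so the remediation order falls out of the policy."""
    failing = []
    for p, e in fleet:
        if p.name in affected:
            e.open_findings.append({"id": advisory_id, "severity": severity})
        reasons = assess(p, e)
        if reasons:
            failing.append((p, reasons))
    failing.sort(key=lambda pr: select_policy(pr[0]).max_open["high"])  # stable sort
    return [(p.name, r) for p, r in failing]


def demo() -> Tuple[Dict[str, bool], List[Tuple[str, List[str]]]]:
    """Constructed fleet run through the gate before and after one advisory."""
    fleet = [
        (Project("training-app", "low", False, False),
         Evidence([{"id": "F-1", "severity": "medium"}], False, 10)),
        (Project("mess-hall-ordering", "moderate", True, True),
         Evidence([], True, 3)),
        (Project("drone-telemetry", "high", False, False),
         Evidence([{"id": "F-2", "severity": "high"}], True, 2)),
    ]
    before = {p.name: authorize(p, e) for p, e in fleet}
    after = reassess_after_advisory(fleet, "ADV-0001", "critical",
                                    ["training-app", "mess-hall-ordering"])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("authorized before advisory:", before)
    for name, reasons in after:
        print(f"fix next: {name}: {reasons}")
```

Note how the mess-hall ordering app ends up at the head of the remediation queue: because it handles PII it was categorized into the strictest policy, so when the advisory lands it fails the gate on the same terms as the drone telemetry service, while the training app, whose policy tolerates more, is fixed last.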
In engaging with the U.S. Air Force for this SBIR, we’re thrilled to have the opportunity to work with some of the top innovators in the world to evolve how security is deployed in modern development infrastructure. Like the commercial sector, they realized that shipping software was a tactical advantage in supporting their customer – the warfighter – and began deploying rapid development methodologies. Now we see them at the forefront of the DevSecOps and SecDevOps revolution, both top down from Platform One and bottom up with the individual software factories, like Kobayashi Maru, SpaceCAMP, and Kessel Run.
They understand that for security to be integrated into their development infrastructure, there must be flexibility to set the requirements per project. The standards for a training app will differ from those for a mission-critical drone, and those in turn from the standards for the mess hall. Actually, the standards for the software that supports the mess hall are probably just as high as those for a mission-critical drone!
The team at Wabbi is unbelievably excited to be working with the AFWERX team. We look forward to advancing this relationship, to the challenges and use cases it will bring to Wabbi, and to sharing our expertise with some of the most cutting-edge teams out there.
We are passionate about the work we are doing at Wabbi to help DevOps teams across all industries deploy security in their workflows. If you want to learn more about our innovative process, let’s connect!