DISA to launch 'Vulcan' DevSecOps program

Alex McFarland speaks during a fireside chat at Trellix's Cybersecurity Summit about the launch of DISA's Vulcan program. (DefenseScoop photo)

The Defense Information Systems Agency‘s cloud hosting and computing office is in the process of developing a continuous integration, continuous delivery (CI/CD) program called Vulcan to help spread DevSecOps software development principles and tools across the agency — and potentially wider.

Alex McFarland, the technical lead for Vulcan in DISA’s Hosting and Compute Center, described Vulcan as similar to the software factories popping up across the Department of Defense, like the Air Force’s Kessel Run and Platform One, which have been instituted to specialize in scaling modern, agile software delivery across mission sets.

Speaking during a panel at this week’s Trellix’s Cybersecurity Summit, produced by FedScoop and CyberScoop, McFarland shared the vision for Vulcan as both a toolset for developers “to help bootstrap some of these [DevSecOps] processes” — things like CI/CD and collaborative tooling to jumpstart their secure, modern software development efforts — but also a mechanism to spread the cultural transformation associated with such modern software workflows.

“One thing I promised myself, I just didn’t want to sell a program,” McFarland said. “I want to sell them with cultural change in the work management side of it. Because if you’re going to effectively use these tools, if you adopt CI/CD practices, but then you’re only deploying quarterly … what have you really changed, right? Like how much have you actually improved it? And if we’re not working across silos and collaborating better, then we missed the mark, I think.”

The DevSecOps idea behind Vulcan — named after the Roman god of forging and engineering — is that with the right tools and best practices on the security and compliance side, developers can continuously make small updates to software on a continuing basis rather than waiting for the expiration of an authority to operate to make a big, lengthy push for recertification.

“Let’s keep trickling changes in and stay compliant and figure out that fast feedback loop: Well, that didn’t go that well. What can we do different, where can we speed it up? … Where was the lag?” McFarland explained. He added that with these constant small changes and “all this testing, we’re increasing safety” in systems.

Currently, Vulcan is offering some free open-source tools through GitLab, but McFarland expects to expand that to a fully supported, accredited environment early next year with the program’s first customers.

The plan is to start small and to bring change incrementally across DISA to partners who can benefit from outsourcing some of their secure software development stack, before then “opening up wider and wider as we go,” McFarland said.

In the federal government, “we have a lot of legacy applications. And legacy applications are sometimes more difficult to do infrastructure as code and modernize in this way,” McFarland said of working with partners across DISA and the DOD.

“I think bringing some of this stuff to bear is going to be really interesting. And this is where you know, your first bite, sometimes it’s the way you manage work and not necessarily refactoring the whole system,” he said. “Like there gets to a point where you do refactor your code base to achieve the velocity you want to achieve. But you can also make things better just by having these conversations and talking and doing DevSecOps without having to change the whole thing.”