Software

How the Air Force’s P1 Uses Platform Engineering to Support DevSecOps

Software factories need a consistent foundation to keep making products.

Adam Stone writes on technology trends from Annapolis, Md., with a focus on government IT, military and first-responder technologies.

Software factories have proved to be a speedy way to create and deploy new software applications. DevSecOps helps software factories develop and implement new digital capabilities more rapidly.

Now, many federal agencies are taking the next step in DevSecOps by deploying platform engineering, which helps create a foundation that underpins the factory model.

The Air Force’s Platform One, for example, is the first DOD-approved DevSecOps managed service, providing a secure centralized software development and delivery platform, a suite of tools and training.

A modern cloud-era platform, P1 provides valuable tooling, supports DevSecOps pipelines and offers a secure Kubernetes platform for hosting microservices.

Click the banner for information on how to leverage DevSecOps with platform engineering.

What Is Platform Engineering?

Platform engineering refers to “the discipline of designing and building toolchains and workflows that enable self-service capabilities for software engineering organizations in the cloud-native era,” according to platformengineering.org, a professional community of practice.

Overall, platform engineering pulls together common components and processes so that developers don’t have to reinvent the wheel for every new project.

“We don’t want it to be a discovery exercise every time a program wants to do DevSecOps,” says P1 Materiel Leader Lt. Col. Brian Viola. “Instead, we want to commoditize DevSecOps so that the rest of the ecosystem can focus on new innovations.”

EXPLORE: Improved cybersecurity logging gives agencies better network visibility.

Through platform engineering, P1 can turbocharge DevSecOps efforts. “Platform engineering improves the software developer experience by simplifying how a software developer accesses and uses the tools and infrastructure needed to safely and consistently build, test, stage and operate software,” he says.

This makes it easier for developers to use commercial tools to cyber-secure their outputs, he adds.

“We want to leverage commercial, off-the-shelf products, free and open-source products, through a more transparent mechanism, pulling those into the ecosystem on a daily basis and getting those out to the production environments in a matter of hours,” Viola says.

We don’t want it to be a discovery exercise every time a program wants to do DevSecOps. Instead, we want to commoditize DevSecOps so that the rest of the ecosystem can focus on new innovations.”

Col. Brian Viola Materiel Leader, Air Force Platform One

How Does Platform One Support DevSecOps?

Within the Air Force, P1 “provides a curated, supply-chain secured set of DevSecOps capabilities needed to deploy Kubernetes-based platform environments. We address supply chain risk upstream through Iron Bank, Platform One's hardened container image repository,” says Viola.

P1’s main offering is Big Bang, “a value stream that delivers customizable infrastructure and configuration as code, pulling in those hardened containers that a particular mission can tailor for their specific needs,” he says. This can help a DevSecOps team deploy its own platform with tools designed specifically for its mission.

“We also operate a managed Platform as a Service that we call Party Bus,” says Viola. “This is a secure, multitenant and multiclassification environment providing development, staging and production environments.”

The Party Bus service has a continuous authority to operate. The cATO is a framework that provides cybersecurity updates on an ongoing basis and does not have to be renewed, unlike an ATO, which must be renewed every few years — a process that can delay development and platform onboarding.

“With the rapidly evolving requirements that we see today, and with software underpinning many of the capabilities that we have, DevSecOps supports the Air Force in delivering new capabilities to the warfighter faster,” Viola says.

Learn how to use FinOps to forecast cloud costs.

Explore how agencies are streamlining application development.

What Are the Benefits of Platform Engineering?

Today, software developers face an enormously complex set of technologies as they seek to securely develop and operate software at enterprise scale. Platform engineering simplifies “how a software developer accesses and uses the tools and infrastructure needed to safely and consistently build, test, stage and operate software,” Viola says.

“Instead of developing software that already exists or using existing software components with dubious origins and vulnerabilities, software development activities across DOD reuse vetted, hardened and standardized software components that Platform One has already secured,” he says.

This reusability lowers potential misconfigurations, which are “the greatest cause of self-inflicted security vulnerabilities,” he says.

Organizations that leverage P1 “also do not have to invest time and money relying on expensive and hard-to-find platform engineering and security talent to reinvent what Platform One already provides,” Viola says.

This has significant implications for both personnel and budgeting. “We invest heavily in the engineers that we have on the team. Today, 70 Department of Defense programs use Big Bang. Each of these programs now do not have to hire engineers to do what P1 has already done,” he says.

70

The number of DOD programs using the Air Force’s Big Bang product for DevSecOps

Source: Air Force

Platform Engineering and Platform One Supports Maturity

P1 demonstrates the potential for platform engineering to make government software factories more efficient and effective.

Through P1’s offerings, platform engineering “helps DOD software teams shift away from legacy tools that are out of date and not well integrated, resulting in a fragmented and expensive developer experience that is extremely difficult to keep secure,” Viola says.

With state-of-the-art software components, P1 supports modern DevSecOps practices at the right security levels.

“The DOD categorizes information in the cloud based on impact levels. These levels correspond to various subcategories of unclassified and classified,” he says. “By having a common platform across those levels, DOD software teams develop at the unclassified level and then promote the software to higher classification levels. This enables them to process more sensitive data without the need to change the software’s underlying code.”

It also helps the DOD find enough people to keep software factories running. “We can tap into a wider pool of scarce software talent at the unclassified level, rather than relying on a limited pool of the right technical talent with the right security clearance,” Viola says.

Finally, platform engineering brings a modular approach to software development, making it easier to adjust applications as mission requirements evolve.

“In the past, software applications were written in such a way that making any changes, no matter how small, would often break the entire system, because many parts of the software depended on how the other parts functioned,” he says.

P1 “provides capabilities as small pieces that we call modules. They make it extremely easy to change just one module and still maintain the functionality of the entire system,” he says. “This ease in safely making changes encourages faster changes to software, which helps programs respond to changing needs of users or evolving cybersecurity threats posed by adversaries.”

This is key to maintaining military readiness. “We're in a great competition against our adversaries to maintain our technical superiority. To do that, you have to move at a pace of relevance,” Viola says. “The platform enables that.”

Getty Images