Agencies starting DevSecOps can access new ATARC code repository

The nonprofit Advanced Technology Academic Research Center plans to help federal agencies start DevSecOps practices with a source code repository announced Monday.

The GitLab platform agreed to provide the ATARC DevOps Working Group access to its technology so teams can collaborate using source code management.

The working group’s DevSecOps Project Team will create a continuous integration, continuous delivery (CI/CD) software pattern — which leverages automation during development, testing and deployment — that agencies can use as they begin DevSecOps. 

“The end-state of this code repository will hold one, two or more working code snippets for each
CI/CD DevOps pattern,” said William Schwartz, a senior DevOps engineer with the Internal
Revenue Service, in the announcement. The code examples will enable agencies to “implement their own instance of the standard CI/CD pipeline template,” he said.

Experts say most federal agencies remain in a “waterfall” mindset, where security is tacked onto the end of software development, rather than fully integrated in the process. With that in mind, the National Institute of Standards and Technology wants to develop a DevSecOps framework for government.

Areas within the ATARC repository include:

• Stages of the CI/CD pipeline development.
• Managerial processes and theories.
• Technical tools and applications.

The ATARC Software Factories initiative in April 2019 began preliminary work on the CI/CD pipeline included in the repository.

Tools and apps in the repository will include those used by agencies and industry for software development and delivery.

The DevOps Working Group uses an industry-standard branching strategy called GitFlow that allows the team to maintain a “production-worthy” codebase while providing branches for development, testing and debugging work.