Managing Software Exposure Using JETS Defense

By: Darren Cummings, DoD/Cyber Leader

Today’s software development environment is largely defined by a focus on reducing time-to-market through embracing a DevOps organizational structure and an Agile continuous delivery model. Beyond simply driving the bottom line, integrated continuous delivery is seen as enabling a long list of positive outcome “bonuses” such as improved customer satisfaction and accelerated innovation.

But as they transition to the modern development paradigm, many organizations find themselves struggling to adapt their security models in parallel so that they can continue to meet their security objectives; a discomforting situation for any team but clearly unacceptable for those in aerospace and other safety-critical industries. Performance Software’s JETS Defense virtualization platform is built to support the unique demands of developing for safety-critical systems. In this post we’ll take a look at how JETS Defense can help to better align security and quality assurance in a continuous delivery model, unleashing your DevOps teams to operate at full speed without sacrificing standards.

Multiplying Vulnerabilities and New Threat Spaces

When we consider the security and other governance challenges of modern software development, rapid development and deployment are only the tip of the proverbial iceberg. Today’s methodologies and approaches are rich with modular microservice architectures, hosted environments, third-party integrations, and other practices that multiply vulnerabilities and open up entirely new threat spaces.

Meeting these challenges calls for a new vision of safety and security. Enter software exposure management, an emerging discipline that reaches past simply testing code for vulnerabilities and looks at risk more holistically across both the code and the organization.

There is a tremendous value to be gained from harmonizing security with the development process. In the traditional, stovepiped IT organization where security is separate and apart from development, security and quality assurance comprise a set of activities that stop development in its tracks. Whether these activities take place at the end of development or are sprinkled as gates across the lifecycle, traditional quality assurance typically leaves the development team waiting either for an approval to proceed or a rejection that sends the team back a step. As a practical matter, this approach to quality assurance can erode much of the gain achieved through rapid development methodologies.

In an organizational evolution that is reminiscent of the broader DevOps movement, effective management of software exposure is rooted in a transition of security and quality assurance to be more embedded in the development rhythm and to operate seamlessly throughout the development lifecycle.  This re-envisioning means that developers now have more ownership of security and quality assurance and are therefore compelled to view these functions through a different lens. To be successful, they need tools that have a natural fit with their existing workflow and support an expanded, unified perspective of the systems they are designing and maintaining.

Virtualization as a Security Enabler

The JETS Defense virtualization platform delivers powerful capabilities to help drive software exposure management deeper into the DevOps workflow while mitigating some of the pain frequently experienced when organizations make this transition, such as diminished productivity, loss of flexibility, and reduced responsiveness, all leading inevitably to morale issues on the team.

JETS Defense’s virtualization is capable of simulating a wide variety of processor and OS configurations and can provide developers a highly scalable, highly reliable, system-of-systems testbench environment. This system-of-systems environment is key to breaking the bonds of traditional point-solution testing paradigms and opening the aperture to view the software exposure surface in its full and accurate context.

JETS’ faithful replication of the system under test is particularly helpful in the tightly regulated environment of aerospace software development with its formal certification processes and rigorous requirements for standards compliance. Even when the realities of aerospace release protocols prevent true continuous delivery, JETS Defense can enable your organization to reap many of the benefits of DevOps by implementing a continuous delivery model where releases are made into the virtual environment.

Virtualization dramatically increases the number of test systems available while dramatically decreasing the cost of providing such systems. Developers can each have their own copy of the baseline. They will test more often, and their tests will be more accurate. Because the system-of-systems is fully replicated, the true impact of any changes can be assessed early in the lifecycle, when any necessary mitigations are easiest and least expensive.

Modern software development needs modern tools to manage risk while optimizing productivity. If your organization is ready to take software exposure management to the next level, contact Performance Software today and let us tell you more about how JETS Defense can help you achieve your objectives.