By Jeff Urlwin
Vice President, Federal Managed Services
and Neiland Wright
Cybersecurity and DevSecOps Director, Business Development
If you’re a proponent of the DoD’s adoption of software factories, you already understand that these DevSecOps-as-a-service environments improve software development outcomes, increase transparency, reduce costs, and enhance security.
You also understand that the department has some hurdles to overcome before its software factory adoption can attain full speed. Among those hurdles are several misunderstandings about software factories — misunderstandings that have grown prevalent and become myths.
Here are four DoD software factory myths and some information you can use to debunk them. By debunking these myths, you’ll help champion the modernization of DoD software development and ultimately help the department evolve and adapt faster than its adversaries.
Myth 1: Software factories create more security concerns and an increased attack surface.
Truth: The comprehensive security measures inherent in DevSecOps and software factories make them a more secure option than traditional software development practices. One reason people believe the opposite is that they incorrectly assume that a software factory’s numerous tools, scripts, and processes equate to a larger attack surface.
DevSecOps practices integrated into software factories are specifically designed to prioritize security throughout the software development lifecycle. By embedding security measures into every stage of development, DevSecOps helps identify and address vulnerabilities early in the process, reducing the overall attack surface.
Traditional software development approaches often treat security as an afterthought, leading to vulnerabilities that are discovered late in the development cycle or after deployment. In contrast, DevSecOps promotes a proactive security posture, with automated security testing, continuous monitoring, and rapid response mechanisms.
Software factories also enable standardization and automation of security processes, ensuring consistent application of security policies and controls across projects. This centralized approach enhances visibility, transparency, and accountability, making it easier to manage and mitigate security risks. This also helps teams break down silos of information — as development, testing, and security teams all work from the same processes and reports.
Myth 2: It will be too difficult for the DoD to collaborate across service branches and joint programs, as it is still locked into a “not made here” mindset.
Truth: The collaboration is already happening! There’s daily cross-service collaboration at each of the current DoD software factories and a thriving DoD community of practice for DevSecOps practitioners.
Software factories, by their nature, promote collaboration and standardization by providing a centralized platform and set of tools for development teams to use together. By establishing common processes, tools, and standards, software factories facilitate interoperability and integration across service branches and joint programs.
Myth 3: We need more proof that software factories and DevSecOps will improve DoD’s software development program.
Truth: In fact, the efficacy of software factories has been extensively documented. Numerous software factory case studies from government agencies and major technology companies have shown significant improvements in software development processes.
The DoD alone has conducted 11 independent studies that show the success of programs transitioning to DevSecOps and the software factory approach. Studies and reports consistently demonstrate improved software development outcomes — including faster delivery, higher quality, reduced costs, and improved security.
So, the idea that more proof is needed overlooks the substantial evidence already available.
3 Studies That Document the Benefits of Software Factories:
Personnel Needs for Department of the Air Force Digital Talent: A Case Study of Software Factories
Kessel Run: An Innovation Opportunity for the US Air Force
Case Study: Modernizing the US Army to Improve Soldier Well-Being
Myth 4: DevSecOps pipelines are expensive, hard to set up, and hard to understand.
Truth: While organizations setting up software factory pipelines can choose commercial tools and incur license costs, they can also choose open-source components. So, it’s possible to reduce infrastructure and license costs for a DoD software factory pipeline to the costs of compute and storage alone.
The DoD Enterprise DevSecOps Software Factory specification is intentionally designed to avoid expensive vendor lock-in and to leverage open-source components that meet industry standards, such as those of the Open Container Initiative (OCI) and the Cloud Native Computing Foundation (CNCF).
Also, the overall time and complexity associated with configuring, securing, and integrating DevSecOps pipelines is significantly reduced by software factory implementation. A key benefit of software factory implementations is that they give you the ability to create integrated, on-demand pipelines with your choice of components. You can integrate your teams into the factory, such as security and management for approvals, to provide greater transparency around the status and readiness of releases.
Finally, because the pioneering DoD software factory programs of the past six years have set the precedent for the necessary tools and associated automation, obtaining permission for implementations is now easier for organizations just getting started.
Let’s Debunk the Myths and Modernize Across the DoD
By debunking these myths, you can help DoD decision makers understand the immense benefits of software factories: from exponentially faster delivery times and greater efficiency to built-in governance and improved security, visibility, and testing capabilities.
This understanding will, in turn, help the department carry out its software modernization strategy, so it can evolve faster than its adversaries and deliver a more lethal force.