Low-to-High-Side Development

By Marc Kriz, Strategic Account Leader of National Security Programs, GitLab

The stay-at-home orders put in place at the start of the COVID-19 pandemic were a catalyst for the rapid – and unprecedented – adoption of remote work in the public sector. This was particularly challenging for the intelligence community and other departments working primarily in classified, or high-side, environments.

For decades prior, software development in the public sector could only occur on-site. When the stay-at-home orders were put in place, government leaders were forced either to slow down development by utilizing a reduced team of essential personnel until all teams could return to the office, or to adjust to the new way of working – through low-to-high-side development enabled by the adoption of DevOps technology and culture.

Government agencies varied broadly in their approaches to implementing remote work. The agencies that focused on low-side – or unclassified – development were able to keep their missions going, and found an increased ability to develop code on the low side much faster than ever before.

As remote work continues to solidify its place as the new way of working, it’s critical to create new processes that allow developers to work remotely while still being part of the development process. Let’s walk through how to bring low-to-high side development to life, and the tools and organizational shifts necessary to do so.

Why Implement Low-to-High-Side Development?

Low-to-high development is critical to improving speed-to-mission, developer productivity and experience, and most importantly, creating more innovative products, all while remaining secure by design. Many government agencies today work across a number of classified and siloed networks, which can make collaboration extremely challenging, and at times, nearly impossible.

As these organizations attempt to scale, each point solution tool must be configured, managed, troubleshot, and maintained in order to work with the other point solution tools within that toolchain. With each duplication, toolchains become even more complex, turning toolchain management into its own time-consuming and cost-prohibitive task. These legacy tools and processes oftentimes result in siloed teams, poor collaboration, and increased bottlenecks – ultimately slowing delivery time and halting results.

Adopting a consolidated, singular end-to-end software development platform can enable faster low-side development. This approach allows developers to stay in one interface throughout the cycle and get more work done without having to rely on disparate tools, stitched together to make a disjointed toolchain and inefficient software development cycle. A comprehensive software development platform also enables developers to collaborate within the solution with government leadership and program management, keeping everyone on the same version of the truth. All of this can be accomplished within distributed teams, without needing to be on-site.

Best Practices for Low-to-High Side Development

A typical low-to-high side environment has one team of developers, UX/UI designers, and project managers working on the low side. They are able to build out the initial code, create issues, and collaborate in a non-classified environment. From there, they are able to pass the work over to the classified environment, or high side, within the same platform to finalize the work. By using a consistent toolchain across environments, all relevant context to the code is passed over from the low side, including artifacts, versioning, audit trails, reviews, and testing results.

Typical application segmentation leads to segmented environments that are similar, but built through different processes. Although this works in theory, in practice it is made challenging when each environment has the same parent organization, resulting in redundancies and inefficiencies. In these situations, organizations often double up on work, leading to a loss of productivity and difficulty collaborating – and as organizations grow, and expectations on speedy software delivery grow steeper, the challenges grow as well.

Organizations should seek out end-to-end solutions that have security baked into every step. By integrating security capabilities into the development workflow, developers can be alerted immediately to new vulnerabilities in every developed line of code. Many security professionals have been made to believe that development velocity is the enemy of security. In some cases, this is true. But by bringing security close to the developer, teams likely can produce more secure code even more efficiently than by sending code to a third-party scanner. A single source of truth allows developers to drive their mission forward while ensuring that security professionals have more visibility into any security risks that may arise throughout the development process.

Enabling Telework Through Low-to-High Side Development

As the effects of the pandemic begin to slow, some agencies have pushed the intelligence community to return to working high-side and in-person once more, despite the new level of efficiency and productivity enabled by telework and low-to-high side development. While the wide-scale adoption of remote work has been embraced by the private sector, many in the public sector have been hesitant to embrace telework beyond the short term.

By forcing people to return in person, organizations risk losing out on top talent for the sake of geography. Unlike in the years prior to the changes the COVID-19 pandemic necessitated, agencies could seek out the brightest talent from all corners of the country. The return to the office could lead to turnover like that of the Great Resignation that occurred in the private sector. Government agencies are competing with all other organizations to win talent, not just other public sector organizations.

Low-to-high side development is a proven method that allows developers to focus on work that drives their missions forward – not managing complex toolchains or completing redundant work. But the greatest shift of all in the next stage of remote work and development is a mindset shift.

It’s critical that government leaders prioritize a mindset of innovation, collaboration, and transparency alongside the adoption of new development processes and technologies – including remote work. The public sector is at a turning point – US Federal, State and Local governments can either revert to the pre-pandemic methods of software development, or identify seamless, real-time development processes that deliver software efficiently and securely, and allow teams to deliver truly innovative solutions.

About the Author

Marc Kriz is a Strategic Account Leader of National Security Programs at GitLab Inc., the DevOps platform. GitLab’s single application helps organizations deliver software faster and more efficiently while strengthening their security and compliance.

Since joining GitLab in 2018, Marc has been focused on driving innovative, end-to-end DevOps transformation in the National Security Community. As a technology specialist and trusted advisor to the U.S. Intelligence Community, he works with government agency clients and industry partners to assess and solve complex challenges that support the mission of protecting the nation’s citizens, infrastructure, and data.

Prior to joining GitLab, Marc supported National Security programs at Cloudera, SAS, and HP. As an early employee at Compaq Computer, Marc was fundamental to launching, building, and leading the company’s successful Midwest channel sales program.

Marc holds a B.A. from Eastern Washington University.

Source: www.cyberdefensemagazine.com