From YouTube: Speed to Mission Government Security Short
Description
Abbreviated version of the "AUS_S2M_Govt Delivery w/o Compromising Security_TRW" video, edited for the CyberSmart Virtual Summit July 2020.
Original video: https://gitlab.slack.com/files/UKY17P3P0/F016EPYSBK2/o_compromising_security_trw.mp4
First, I want to tell you a couple of stories about how government is using GitLab to deliver cross-domain solutions, that is, transferring data from the low side to the high side of networks. Our first story: GitLab got to work with a partner who directly supports a US government mission program. They created an internship project that allowed interns who were uncleared to collaborate on an unclassified instance of GitLab. The instance was used for development and collaboration for that program, with the results being moved up to the customer domain on the high side for deployment.
This collaboration demonstrated speed-to-mission value within just a single summer. Using this framework, and because of this new capability, the customer was able to continue to use those interns throughout the following year, solving the challenge of not being able to hire enough cleared people for the project. This effort applied the DevSecOps framework, which wrapped security processes around the unclassified effort. GitLab served as the unifying technology that put everyone on the same page and enabled seamless communication. And our second story.
Another customer is using GitLab to enable software development and automated testing on the low side across multiple projects. Each project is automatically exported and sent to the high side on a daily basis, where each is then subsequently imported. On the high-side instance of GitLab, the full history of the project is accessible to the high-side teams, so that those teams can see all the discussions, the comments, the code, the reviews, and all the other data related to the project. They get the full context.
Some teams even fork the repository and continue developing on the high side. This allows agency teams to build more applications faster, as they can assign low-side developers to tasks, which allows for quicker, maximized pooling of resources and lowers the overall organizational cost. The low-side developers' output can then be exported to the high side to complete the final product, while leveraging fewer cleared developers.
GitLab recently completed validating a hardened implementation that will assure agencies of all types of a fully secured, vulnerability-free implementation, from regulated-industry clients in finance, healthcare, energy, transportation, and commercial, all the way across to government agencies in defense. This is going to provide a high level of trust in the DevSecOps lifecycle, and it's a key component of the DoD software factories. Hardening ensures a minimized risk profile, enables more secure applications that are able to be deployed more quickly, and supports the continuous authorization process we talked about.
This is going to go into the DoD artifact repository, and it will allow DoD agencies to more quickly create those applications we discussed. Now, to fulfill the DoD requirement, software must meet standards, including installing completely on its own and not reaching out to the internet to acquire any additional libraries or files, as well as being able to perform rigorous vulnerability scanning in air-gapped networks, which are also known as offline environments, limited-connectivity environments, or sometimes local area networks or intranets.
These environments have physical barriers or security policies like firewalls that prevent or limit internet access. GitLab's Secure scanners need internet connectivity to download updates and the latest signatures, so in GitLab 12.10 we made it substantially easier to access these scanners when running self-hosted GitLab Ultimate instances offline or with limited connectivity. This is an evolving capability, and we're going to continue to add support for offline Secure scans in future releases by offering support for additional languages, tools, and use cases.
I want to leave you with some more in-depth resources that you can scan here and download to share with your colleagues, so you can solve some of those challenges that you're facing right now. First, you can learn more about how the toolchain tax impedes delivery and how you can stop paying for it. In the Speed to Mission white paper, you can discover step-by-step best practices for government agency transformation and modernizing government IT through DevSecOps.
You can get specific advice on exporting and importing across enclaves in our cross-domain DevSecOps, low-to-high collaboration white paper, and you can learn more about reducing risks and accelerating network security authorizations for applications in DevSecOps: how proactive security integration reduces your agency's risk and vulnerability. And finally, I encourage you to visit the website of the Office of the Chief Software Officer of the United States Air Force to learn more about many of the initiatives we discussed.