Blog DevSecOps U.S. Navy Black Pearl: Lessons in championing DevSecOps
December 12, 2023
8 min read

U.S. Navy Black Pearl: Lessons in championing DevSecOps

Sigma Defense built a managed service software factory environment for the military using GitLab as its DevSecOps platform. Here's what they learned.

securitylifecycle-light.png

Manuel Gauto, director of engineering at government contractor Sigma Defense, is a true DevSecOps champion. As co-creator of Black Pearl, a DevSecOps environment Sigma Defense manages for the U.S. Navy, Gauto witnesses firsthand the power that combining development, security, and operations can have in modernizing and scaling software development.

"If a DevSecOps environment is done correctly - where the tooling, security and compliance, connectivity, and onboarding are all handled as part of the platform – then mission owners can focus on mastering CI/CD in the context of their mission," Gauto said.

Gauto participated in GitLab's DevSecOps World Tour in Washington, D.C., speaking with GitLab Federal CTO Joel Krooswyk about Black Pearl and how consolidating a multitude of software factories into a single managed DevSecOps cloud environment has yielded tremendous results at scale, including:

  • a reduction in software factory setup time from around 6 months to 3 to 5 days
  • a 10x lower cost, decreasing from around $4 million to around $400,000
  • a more secure environment because there is inherent security with Authorization to Operate (ATO)
  • faster onboarding, decreasing from as long as 5 weeks to 1 day

The origins of Black Pearl

A few years ago, the Navy had numerous software factories operating concurrently. Gauto himself was involved in standing a few of them up. "We realized that it wasn't the most efficient approach – duplicative infrastructure in four or five different places that was ultimately doing the same thing," he said.

The team pitched the idea of a single environment that would consolidate cloud infrastructure, address security issues, and provide connectivity. That single environment was named "Black Pearl" and now consists of two offerings: Lighthouse, a DevSecOps infrastructure as code/configuration as code (IaC/CaC) baseline, and Party Barge, a managed shared offering.

Black Pearl’s common software environment with ATO provides commoditized DevSecOps tooling, pipeline component templates, governance/management, logging and metrics, integration infrastructure, cloud automation, and compute resources. The GitLab DevSecOps Platform is a major part of Black Pearl, providing "a one-stop shop" for source code management, tasks, documentation, and security scanning. Gauto said the dashboards and visualization are particularly integral to go/no-go decisions on shipping software.

"GitLab is the kind of platform that really enables us because it is the first time, even internally with our development, that we don't have to jump around to a bunch of different tools – we can just do everything in GitLab," he said. "Having everyone on one platform also enables collaborative efficiency."

GitLab's capabilities support the fast, secure, and cost-effective standup of software factories, according to Gauto.

Want to learn more about GitLab for the public sector? Contact us today.

How to build a strong DevSecOps environment

In the years since Black Pearl was first launched, Gauto has learned a lot about what makes a robust and secure DevSecOps environment. He said it comes down to tearing down silos and establishing a development ecosystem, centralizing security and compliance, providing the ability to easily and quickly onboard talent, and remaining flexible and open to innovation.

Establish a strong development ecosystem

In large organizations, especially within government agencies, software development tends to break into silos. "You'll have units of innovation that struggle to collaborate because they may work in one environment or in one building," Gauto said, adding that sharing anything – code, best practices, tooling, or infrastructure – can be challenging.

"By creating a well-established, well-maintained deployment of tooling, in particular, with GitLab, people can see what other teams are doing and share more readily," he said. "Instead of mailing a CD to some lab somewhere else in the country, DevSecOps teams can just say, 'Let me add you as a developer on my project and you can kick around these repositories.'"

An ecosystem helps aggregate demand in a way that breaks down barriers to infrastructure accreditation. "We can go to the cyber community or certification community and say, 'I'm here representing a large group of users. This is a pain point we all have and we would like to work with you to figure it out,'" Gauto said. For example, allowing people to connect to Black Pearl over the internet from a contractor machine, government machine, or wherever. "It should not be this difficult in an unclassified environment."

With a strong ecosystem, you also can build up your best practices and processes around planning (such as Agile, Scrum, and Kanban), integrating on-site and remote development, gaining authorization for software, and delivering applications to various environments.

Apply security and compliance

When it comes to security and compliance, Gauto said the biggest thing is to be able to see the train coming down the tracks and to be as prepared as possible. "Let's not be surprised and let's not be standing on the tracks when it gets here," he said.

One area where that sentiment is wholly applicable is compliance, where mandates are evolving at breakneck speed. "We want to be prepared to provide the data and the tooling in a format that's ingestible by the right people," he said.

He credits GitLab for helping with this challenge. "GitLab Ultimate lets us just bake compliance in from the start and template a bunch of stuff from the start," which lets customers immediately start running with compliance, he said.

GitLab also supports licensing and ATO scans in a single platform.

Support rapid onboarding of talent

Across the military, there are obstacles to accessing the best DevSecOps talent, including working in buildings with no windows, and having to jump through giant hoops to be able to work on classified networks.

"I think that really limits the talent that can be brought to the table to solve some of the really hard problems we have," Gauto said. For Black Pearl to be successful in supporting the missions, it was imperative to "enable broader access to talent and then build sustainable onboarding workflows."

Within the DoD, there are a lot of difficult and interesting problems that need to be solved but the ability to collaborate across government, industry, and academia can be a limiting factor. "There are a large number of locations where software development is being done and without a common environment to work within, work can be repeated, lost, or otherwise underutilized," Gauto said.

Black Pearl provides an environment for different organizations to collaborate in a way that is accessible. Black Pearl has focused on ensuring that authorized users are able to access the environment from different devices, networks, and locations without onerous access procedures. This approach fosters the development of new ideas and increases the speed to new capabilities.

Enable flexibility and innovation

The military has so many different delivery environments – from submarines to aircraft carriers – that Black Pearl has to be incredibly flexible. "We enable everyone to manage their own kingdom and focus their efforts on pieces that are specific to their problem space," Gauto said. "We know there's not one pipeline to rule all. So we provide the toolkit and let everyone tailor the solution to what they need instead of saying, 'you have to do software development this way and you have to deliver it this way.'"

Black Pearl encourages customers to have a sense of ownership over their environments, using the building blocks of GitLab Ultimate, including CI/CD pipelines, scanning, and testing. "We want them to get to the point where they are ready to use all the tools that we offer," Gauto said. They also educate the customer so that the customer can drive their own requirements rather than Black Pearl having to pitch functionality to them.

For example, the Black Pearl team closely collaborates with the developer team for The Forge, a software factory for the Navy's Aegis integrated weapons system. "One day The Forge team said, 'We feel like we should be scanning our source code for secrets before we check it in.' Exactly."

He also wants to be careful to not stifle innovation or overly restrict customers. "Not everything is a containerized business application that goes to the cloud," he said. He instructs his team members to "make sure we have a strategy for providing flexibility for people that are doing something weird, because the people that are doing something weird are usually doing something cool."

Artificial intelligence and machine learning will be a test of this philosophy. "There are going to be some novel tools and some novel data classifications that we are going to have to iterate on quickly," he said.

The proven thesis

Gauto is proud of Black Pearl's tremendous adoption rates, which have grown 400% over the past 12 months, and believes it is proof of the concept. "The Black Pearl thesis of a managed service that enables people to quickly start solving their own problems without worrying about the 'boring' stuff can work and is valuable," he said.

Learn more about GitLab for the public sector.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert