SEI.blog.graphic_2023.jpg (116.35 kB)

Acquisition Archetypes Seen in the Wild, DevSecOps Edition: Clinging to the Old Ways

online resource

posted on 2023-12-18, 17:43 authored by William NovakWilliam Novak

The SEI conducts independent technical assessments (ITAs) periodically for any programs that request them, looking at both technical and programmatic aspects. Such requests often come from either programs that are experiencing challenges with delivering their systems or from external stakeholders to check on the progress that is being made. In the course of performing such an assessment, the ITA team may interview as many as 50 to 100 people from the program mangement office (PMO) staff, contractor staff, users, and other external stakeholder organizations, all under assurance of anonymity. Interviewees generally give very open and candid responses, giving the team insight into what is actually happening on a program and the ability to gain a deep understanding of the pressures and incentives under which people are operating. One notable aspect of such assessments is that similar problems arise across separate and dissimilar programs. The key questions that arise when conducting assessments of many different programs are “Why do some of these adverse behaviors keep happening across entirely different programs?” and “Is there a way to stop them?” In this blog post, I discuss the recurring problem in software acquisition and development of what I call clinging to the old ways. I describe the behavior in the context of a real-world scenario and provide recommendations on recovering from and preventing future occurrences of this problem. Future posts in this series will explore other recurring problems.

History

Publisher Statement

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. References herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. This report was prepared for the SEI Administrative Agent AFLCMC/AZS 5 Eglin Street Hanscom AFB, MA 01731-2100. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Copyright Statement

Usage metrics

Keywords

DevSecOps

Licence

In Copyright

Exports

RefWorks

BibTeX

Ref. manager

Endnote

DataCite

NLM