I'm interested in hearing what DevSecOps tools federal and government agencies are using for things like SAST, DAST, SCA, IaC, and container security. There are definitely a lot more restrictions in this space, so I'd love to know what works well and what doesn't. Thanks for any insights!
2 Answers
Having spent over a decade in the federal space, I can say it really varies by branch and department. Generally, they use COTS (Commercial-off-the-shelf) solutions rather than proprietary hardware. Software, however, depends on the application. Popular tools include several Kubernetes distributions and standard CI/CD tools, as well as SAST and DAST tools. Big names for cloud services include Azure, AWS, and GCP.
Most DOD folks probably can't share much due to clearance policies. However, commonly used tools might include Snyk, Aqua, and SonarQube for CI stages. I've also seen Kyverno used in Kubernetes and maybe something like Tfsec for Terraform.
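As an added illustration of the Kyverno usage mentioned above (this is an example policy written for this page, not something from the answer or from an agency deployment), here is a Kyverno ClusterPolicy that rejects Pods requesting privileged containers. It follows the Kyverno `kyverno.io/v1` API; the policy name and message text are assumptions, and `validationFailureAction: Enforce` makes the admission webhook block non-compliant Pods rather than only logging them (`Audit`).

```yaml
# Added example: Kyverno admission policy that blocks privileged containers.
# Not taken from the original answer; names and messages are constructed here.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # assumed name
spec:
  # Enforce = reject the request; Audit = allow but record a PolicyReport.
  validationFailureAction: Enforce
  # background: true also scans resources that already exist in the cluster,
  # so PolicyReports show pre-existing violations, not just new admissions.
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged mode is disallowed. Set securityContext.privileged to false."
        pattern:
          spec:
            # =(key) means "if the key is present it must match"; a Pod that
            # omits securityContext or privileged entirely is still accepted.
            containers:
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
```

Apply it with `kubectl apply -f` and then check `kubectl get policyreport -A` (or `clusterpolicyreport`) to see existing violations from the background scan; a new Pod with `privileged: true` will be denied at admission with the message above.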
I came across some info online saying that Linux is widely implemented across US supercomputers. It's definitely a big player in many infrastructures.