Tetra Tech’s Branko Primetica Discusses the Importance of Integrating Security with Development and Operations
Branko Primetica has more than 20 years of experience as an information technology (IT) executive in process and performance improvement, DevSecOps, technology modernization, and artificial intelligence. Branko has supported multiple U.S. federal agencies with these initiatives, resulting in more than $300 million in cost savings due to the integration of emerging technology and the consolidation and modernization of redundant IT systems.
A thought leader and published author, Branko has been recognized for his achievements and expertise with multiple awards, including the Rising Star Award and the Fed 100 Award. He received a certificate of recognition from the American Council for Technology and Industry Advisory Council (ACT/IAC) and was named a finalist for the Northern Virginia Technology Council’s Chief Technology Officer (CTO) Innovator of the Year Award. Branko also has co-authored various industry-focused publications, including the Practical Guide to Federal Service Oriented Architecture, the Federal Cloud Computing Strategy, the U.S. Government’s IPv6 Transition Roadmap, and the Federal Risk Authorization Management (FedRAMP) guidelines. Additionally, he has served as a co-lead for the National Defense Transportation Association’s Mentoring Program, served on the U.S. Cloud Computing Commission, and has consulted for global forums on current IT trends (including the U.S. Congress, the Asia-Pacific Economic Cooperation (APEC), and the governments of Serbia and Poland).
What led you to your current position at Tetra Tech?
I started my career as a management consultant with a college degree in political science and history. My first two projects involved complex business process re-engineering efforts to streamline and modernize mission-focused functions at the United States Patent and Trademark Office (USPTO) and the Department of Defense (DoD). I realized early on that the “modernization” part was enabled by technology—the two go together. The further I got into consulting, the more involved I became with emerging technologies, their overall function, and how to architect them so that they integrate seamlessly into a client’s environment. This also allowed me to grow our business portfolio across the federal public sector—even working on government-wide transformation efforts.
How does DevSecOps ultimately lead to more secure applications and faster cloud deployments?
DevSecOps stands for the integration of development, security, and operations, with all three teams working together to deliver a solution in an agile manner. DevSecOps incorporates lean practices, such as continuous integration and continuous delivery, that include frequent code check-in, version control, test automation, and continuous feedback. The results of this integration include bigger resource savings, higher quality products, and a quicker deployment time.
The integration of security teams into the development and operations processes ensures that security is considered from a project’s inception. DevSecOps involves creating a “Security as Code” culture with ongoing collaboration between release engineers and security teams. This means that security protocols are baked into the development process rather than added as a separate step and that security testing is automated in most cases. The benefits include greater agility for security teams, enabling them to respond to changes rapidly, and early identification of vulnerabilities in code.
What are some of the major challenges and complexities facing DevSecOps projects today?
The biggest challenges facing DevSecOps today are not technical but cultural. Most organizations are used to developing IT systems in a traditional “waterfall” approach where development, security, and operations are undertaken by three separate teams working in silos. This results in a long-established “dev versus ops” mentality that now needs to change because it is inefficient and takes too long to achieve meaningful results.
Another challenge faced by public sector clients is defining a standard DevSecOps process and toolkit at the enterprise level. While there are DevSecOps projects across the government, they are mostly IT-project specific, using different tools and frameworks even though they might be within the same organization. This makes overall IT procurement, governance, and management very difficult.
Finally, many organizations tend to neglect test automation while focusing on continuous integration (CI) and continuous delivery (CD) deployments. Continuous testing is key for DevSecOps success.
What changes have you seen in DevSecOps and cybersecurity during your career?
The fact that DevSecOps has come about and that cybersecurity is becoming an integral part of the IT development and operations process from a project’s onset is a hugely positive change. Security used to be an afterthought, and it now has a seat at the table.
Proactive cybersecurity, rather than reactive cybersecurity, is also a positive change. Continuous security testing throughout the development life cycle and continuous monitoring once the IT system is in operation ensure that vulnerabilities and risks are effectively managed in a timely manner.