Alan Shimel analyzes the importance of closing the software visibility gap for DevSecOps, exploring issues like SBOMs, traceability, and collaboration among security teams to strengthen both software and supply chain security.

Tackling the DevSecOps Gap in Software Understanding

Author: Alan Shimel

Introduction

Federal agencies and the private sector share a critical challenge: understanding the components and security exposure within their software systems. This article, inspired by CISA’s report on the national software understanding gap, investigates how DevSecOps practices can address these visibility challenges at the technical and organizational level.

The Software Visibility Gap is a National Risk

According to CISA—and echoed by MITRE, NSA, and ONCD—organizations often lack visibility into the software running in mission-critical environments. This issue spans all sectors and is exacerbated by potential supply chain attacks, undiscovered vulnerabilities, and growing software dependencies. The author argues that without end-to-end software understanding, organizations cannot secure or defend their systems effectively.

Why DevSecOps is Pivotal

DevSecOps aims to embed security early and consistently across the software development lifecycle. The article stresses that visibility—knowing what’s in your software, how it’s built, and how it’s deployed—should be integrated from build through deployment, not just checked post-release. Applying DevSecOps principles closes this gap before risks reach production.

SBOMs and Supply Chain Security

The use of Software Bills of Materials (SBOMs) is a foundational step. SBOMs provide a machine-readable inventory of all software components, but true visibility goes further. Organizations need:

  • Component provenance: Tracking the source and maintenance of dependencies
  • Build transparency: Documenting tools and environments used during compilation
  • Deployment traceability: Capturing where, when, and how deployments occur

Such practices enable proactive risk management rather than reactive patching.
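The gap between "an inventory" and "true visibility" can be made concrete by auditing an SBOM for the attributes listed above. The following is an added example, not code from the article or from CISA; it assumes a CycloneDX JSON SBOM (field names such as `components[].purl`, `supplier.name`, `hashes` and `metadata.tools` are from the CycloneDX schema) and uses a small SBOM constructed here for illustration.

```python
"""Audit a CycloneDX JSON SBOM for provenance, integrity and build-tool gaps.

Added example, not the article's or CISA's code. The SBOM below is constructed
for illustration; field names follow the CycloneDX JSON schema.
"""
import json

# Constructed sample SBOM: one fully described component, two with gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    # Build transparency: which tool produced this inventory?
    "metadata": {"tools": [{"vendor": "example", "name": "sbom-gen", "version": "1.0"}]},
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.3.1",
         "purl": "pkg:generic/libfoo@2.3.1",
         "supplier": {"name": "Foo Maintainers"},
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"type": "library", "name": "libbar", "version": "0.9",
         "purl": "pkg:generic/libbar@0.9"},            # no supplier, no hash
        {"type": "library", "name": "vendored-blob"},  # not even a version
    ],
})


def audit_sbom(sbom_json: str) -> dict:
    """Return {component name: [missing attributes]} for each component that
    lacks provenance (purl, supplier), integrity (hashes) or a version.
    A missing metadata.tools record is reported under the key "<metadata>"."""
    bom = json.loads(sbom_json)
    findings = {}
    if not bom.get("metadata", {}).get("tools"):
        findings["<metadata>"] = ["tools"]
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        missing = []
        if not comp.get("version"):
            missing.append("version")
        if not comp.get("purl"):
            missing.append("purl")
        if not comp.get("supplier", {}).get("name"):
            missing.append("supplier")
        if not comp.get("hashes"):
            missing.append("hashes")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, gaps in audit_sbom(SAMPLE_SBOM).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

Components that pass this check still need their hashes verified against the artifacts actually deployed; the audit only shows whether the inventory carries enough information to do so.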

Policy and Multi-Stakeholder Collaboration

CISA is fostering collaboration between multiple federal agencies, as well as the open source and commercial sectors. The article notes a shift from compliance exercises to transformation efforts, advocating for actionable transparency and trust throughout the software lifecycle.

Challenges and Outlook

Despite strong intentions, the author warns of possible inertia due to organizational change, shifting priorities, and limited resources. Real success depends on persistent leadership, continuous investment, and commitment to open standards and long-term reform.

Conclusion

Achieving end-to-end software visibility and security is a complex, ongoing task. If pursued, it will benefit both public and private sectors, embedding traceability, accountability, and stronger security into DevSecOps workflows. Success, the article concludes, comes from aligning ambition with the will to act.

This post appeared first on “DevOps Blog”.