U.S. Courts working to automate patching

As the U.S. Courts move from a physical to a virtual infrastructure, officials plan to integrate tools that will automate the commit, scan, build and deployment of patches to its systems.

Peter Chin, the division chief in the Case Management Systems Office at the U.S. Courts, told a crowd at the Oct. 31 Dcode Demo Day that the agency had amassed significant technical debt from patching and upgrades. So now the agency is building a continuous identification and continuous delivery (CICD) pipeline in a private cloud to automate the testing process.

Moving into a private cloud – with its added virtualization – was an important first step in making this process a reality, Chin told GCN, which was a sponsor of the event.

While the agency was moving to the private cloud “it was an opportunity to build the CICD pipeline because once we did the migration then we wanted to find a way to leverage virtualization and automation,” he said. “So we started looking at what tools are available to identify if there are patch vulnerabilities, any kind of vulnerability that is security-related.”

The cloud also provides the scalable computing power the CICD process needs. The scans happen any time a developer submits code to the larger code repository, so hosting the project in the cloud allows developers to use what resources they need, Chin said.

There are several tools that will scan applications for potential vulnerabilities. Chin said his office is looking at ways to “push patches proactively” and automatically distribute software updates. The combination of automatic scanning and distribution of fixes will make for a “powerful pipeline,” he said. That pipeline will monitor a legacy system developed in Java, some web services, a database, a Linux operating system and middleware.

This new way of finding potential security issues will move scanning from the end of the development process to the beginning, allowing problems to be fixed early.

“The old way was whenever we wanted to release a new version of software you would go through the development and testing process of it and then at the tail end there would be a security scan, and the security scan identifies all your risk levels,” Chin said. “And the only option at that point -- because it's at the tail end of the schedule -- is to accept the risk or not release at all.” The latter choice wasn't really a practical option, he said.

Teams at U.S. Courts are already working on building the pipeline. They’re using an agile framework consisting of three sprints within a “program.” This first program will end with the testing processes being automated. The next one will focus on “evolving and growing the pipeline.” There isn’t a firm deadline for when the pipeline will be complete, Chin said.

Note: This article was updated on Nov. 15 to clarify Chin's remarks on automated patching.