Defense Unicorns: Bridging the Gap Between National Security and Open Source

Defense Unicorns, a pioneering organization at the intersection of technology and national security, is on a mission to enable continuous software delivery for national security purposes. The company, led by individuals like Austen and Wayne, specializes in creating repeatable, open source solutions to address the technical challenges faced in software delivery and national security. Their focus is on building portable, open, and secure software capabilities that can be deployed across various environments, including submarines, rockets, disconnected servers, and edge devices, to enhance the speed and efficiency of delivering capability to the front lines and reducing sustainment costs.

One of the key aspects that sets Defense Unicorns apart is their commitment to open source. All of their core technology is open source and is released under an Apache 2.0 license. This approach not only fosters wider adoption and better security practices but also allows for faster learning, broader community engagement, and access to innovation from diverse perspectives. Open source also serves as a powerful recruiting and branding tool for the company, attracting top talent interested in their work at the code level.

Zarf, one of Defense Unicorns' flagship projects, plays a crucial role in their efforts. Zarf enables the deployment of cloud applications into air-gapped or egress-limited environments, providing a solution for disconnected locations or scenarios where internet access is limited. This innovative technology simplifies the process of packaging and deploying applications, making it easier to move software capabilities to air-gapped environments while ensuring supply chain security and streamlining the deployment process.

In addition to Zarf, Defense Unicorns maintains several other projects, such as Pepper, Leapfrog AI, Lula, and UDS, each addressing specific aspects of the company's mission. These projects showcase the company's dedication to solving complex challenges in the national security space through open source solutions. As they continue to expand their presence in the open source community, Defense Unicorns is also actively partnering with organizations like OpenSSF to further contribute to the open source ecosystem and enhance supply chain security in the defense market.

We sat down for a chat with Austen and Wayne from Defense Unicorns to talk about their mission and connection to open source technology.

Introduction of Defense Unicorns

Austen: Defense unicorns in particular, we enable continuous software delivery for national security purposes. We help our mission heroes deploy software capabilities wherever they need to go, whether that be submarines, rockets, disconnected servers, edge devices, you name it. The mission really needs to be portable and open and secure in order to increase the speed in which we can deliver capability to the front lines and reduce sustainment cost of these rather large programs. We specialize in particular in air gap, which is some sort of egress, limited or disconnected environment, and really cybersecurity, because those are the entry barriers we see to delivering for national security purposes. We build our solutions in an open way, and really what that allows us to do is bridge some of the brightest minds in the open source community and really the software community in general and the national security community and really building that bridge is a lot of what we do.

Roles at Defense Unicorns

Austen: I lead the product portion of the company to create repeatable, open source solutions that aid in the technical challenges that we see for software delivery and national security. I guess the last point I'll make is everybody is impacted by public services no matter what you do in life, right? Healthcare, finance, defense, whether you realize it or not, we all are users of these public services, and so we all have a vested interest in making them better in our life, more effective and more efficient. And that's really what defense unicorns helps the government do.

Wayne: I'm the technical lead for the ZarF team. So I work on that project and kind of guide its technical direction as well as building its open source community and managing internal asks from the company direction. And so Zarf is defense Unicorn's most mature project. So we're kind of a lot of the core of a lot of things that we do at the company

Hardware and Software Preferences

Austen: All of our core technology that we develop is open source and under an Apache 2.0 license, if you go to our GitHub page, which is just defense unicorns, you'll see all of the main projects, including Zarf, which Wayne just mentioned pinned to the top. There's a couple of other projects out there, too. Open source is pretty unique for us and what we believe is to be one of our superpowers. To me, the benefits really include a lot of wider adoption, better security practices. It allows us to learn faster because there's more people using and giving us feedback.

Wayne: I use a system 76 Darp8, the darter pro. So it's the core i-7 1260P 64 gigs of RAM model. A lot of the company uses Macs. That's also pretty common in the space as well. But we kind of had a split between those that kind of go the Linux route or those that go the macOS route. I have been using Macs for a long time. When I was in the air force, that was some of our dev machines were those I don't like dealing with some of their quirks. There's weird things when you're doing local development where if you're running containers, you have to have a vm behind the scenes. There's extra layers of networking or some other machine that you have to deal with. And it's nice to be able to hit the raw system. And I can deploy large multi node clusters with different agents and all that stuff and have it running on my laptop, all self contained, without any other stuff. And that's really nice. So that was kind of why I wanted to go Linux.

The reason why I chose system 76 is that because I'm working off of it. I wanted support from a company that backs it. And then I also wanted native firmware support so that the actual hardware and Linux work together. And I didn't have to switch to Windows to do BIOS updates or something weird like that. And so system 76 was one of the options that we have at our company. And that was kind of why I chose it.

Zarf and Its Capabilities

Wayne: Zarf allows you to take cloud applications and then move them into air gapped or kind of egress, limited locations or places where you want to disconnect from the Internet for a period of time. So basically what it does is it allows you to take an app, could be like Nextcloud or Matrix or some sort of thing that runs on a server like in Kubernetes, is what it's focused around. And then it allows you to take the charts, manifests, the things that deploy that application and then find its configuration as well as its images or repositories or other files that you may need and take all of those things and put it into a single artifact that you can bring with you wherever you need it to be.

Zarf's Deployment Capabilities

Wayne: The other thing that it brings, as well as kind of that mirroring capability is it allows you to stand up services on just a Linux machine. So all it needs on the air gap side is just a Linux box. And by default with the init package that we provide, all you need is Linux and system D. And then Zarf can handle the initialization of a k three s cluster, your container registry, a git repository, and then any apps you want to install on top of it. So it can basically light an entire environment from not much. And then you can customize the init package and obviously your own packages as you need for whatever environment you're running in. And if you already have those resources, will be able to use those too. But it's very flexible in kind of how you set up those environments.

Importance of Zarf Implementation

Wayne: Basically, it's a lot easier than trying to roll your own way of doing those things. A lot of the things that we focus on are around supply chain security. So there's built in sift software bill materials for the things that brings over. So it'll scan all the images. If you bring over executable files, it'll scan those too, and it'll bring all that stuff together so you don't have to do that manually. It supports package signing with six door cosign so you can have some cryptographic security around the packages you're bringing over. And then we also focus heavily on user experience and making it just a very simple process to create a package, initialize whatever cluster you're deploying into and then deploy packages, basically three commands. So Zarf package create, Zarf init, Zarf package deploy and you have everything up and running. And that's a big difference from rolling your own. A lot of people who are solving this problem, they're doing it with bash scripts or they're trying to manually edit manifests. Just an example of one of the problems you might run into is your image references will be likely pointing to different domains.
If you're pulling an image from Docker hub, say Nginx, and then you're trying to bring that over to an air gap, the domain docker hub is not likely to exist there. So how do you rewrite that? A lot of people would manually do that, but Zarf has an agent that it can deploy into the cluster that will handle all that stuff for you. So it does a lot of this sort of behind the scenes work to make what are traditionally online deployments work offline, seamlessly.

Platform One and Its Significance

Austen: Platform one is one of the things that's kind of near and dear to my heart. And honestly, several people at defense unicorns in particular. There was a lot of us that were around the inception and idea of that kind of effort taking off. And honestly, it was an effort that was built on the backs of several other, what the department of defense calls software factory efforts like Kessel Run that came before it. And there were others too. But I think it's probably important to start with the problem statement before what it was trying to do. What a lot of us had saw after serving for a decade or so, is that as we went to each stop along our transition to different programs, is that kind of what I mentioned earlier. What was typical is you would kick off the procurement process, which takes a long time in itself to buy something from a vendor, and you would get a blank VPC from Amazon Web services or some bare metal somewhere. And then the idea was, hire a team through a services contract from a known prime contractor and just start building the software from the secure OS layer and up.
And what you realize is that takes 18 months or more to deliver any capability and millions of dollars. And when you look across these programs, now that kind of software has eaten the world. 80% of that tech stack was the exact same software, but it's 30 different vendors recreating the wheel every single time. And it's just an incredible amount of waste when it comes to both time and people's opportunity, cost of their intellectual ability, quite frankly, and also just straight up taxpayer dollars like invoicing and paying bills to these services contracts. And so Platform One, really, the idea of many people coming together was really a self formed team of many people across the country at the time while in active military service. And what we said is like, hey, instead of starting with 5% of a commodity of AWS or whatever else, why don't we try to commoditize like 80% to the tech stack, so that when you start a new program or you're migrating a program to the cloud or whatever it may be, you have 80% of the solution done. It's not 100% right, because there's too much customization kind of at certain layers of the tech stack, but it is 80% maybe instead of five.

Linux Foundation Training Course

Austen: Rob Slaughter, our CEO, did a great job with this. I think what he realized is one of the greatest barriers of success for these it projects and national security is just lack of education. And that's not a knock against people at all, because the people making decisions are typically experts in business operations or procurement or even like these niche defense missions, right? Like literally putting weapons in a specific location at a specific time, or cyber operations or space operations. It's impossible to expect them to also be highly trained software engineering experts on Kubernetes, for example. And so how do you get them some level of top wave knowledge so that they understand the why behind things? So they can ask the right questions and contract the right products and services. And so what Rob kind of led the initiative was he partnered with Linux foundation to create a completely free course. And the link we had provided to you earlier, and I think it was even in the kind of document you sent out earlier today, so people can look on linuxfoundation.org and just search for "devsecops for managers" and it'll come up, it's completely free.
But it was really targeted for what I'll call those key stakeholders or decision makers that didn't normally come from a software background but find themselves building or acquiring or developing a system that is software native. And honestly, I think everybody on this call realizes that in today's world, any new endeavor is going to be a software defined endeavor. That's kind of where it starts and ends. So we're just trying to help educate people so they can make better buying decisions no matter what that is in the community.

Other Projects at Defense Unicorns

Wayne: Yeah, so we have lots of other projects that we maintain. It's not just ZarF. We also have Pepper, leapfrog AI, Lula, as well as UDS, the Unicorn Delivery Services that we're building out behind the scenes. So you can definitely check those out. Pepper is basically a kind of validating and mutating webhook for Kubernetes. So kind of like the Zarf agent that I described before, Pepper can replace that, but also do a lot more. It's very powerful and has a fluent based API. Lula does policy validation, which is useful for a process called authorizing a system and a risk management framework within the Department of Defense, but it's useful for the security compliance side of things. And then Leapfrog AI is our air-gapped AI solution that provides a couple of different capabilities. Using ZaRF under the hood to deploy those capabilities to air gaps and then UDS is bringing all those things together into a single capability.

Impact and Purpose of Defense Unicorns

Wayne: Us being open source means that we can actually put our software in the hands of those operators directly and then get feedback from them directly and allow them to also solve their own problems. We've gotten lots of prs from people within the community. Some of them I know, some of them I don't, where they're actually going in. They're fixing their problems, and they're being able to make those mission impacts and move forward. So that's something that we really strongly believe in as a company, and it's part of the reason why I'm here, why Austen's here and so many of us are here.

Through their commitment to open source and their innovative projects, Defense Unicorns is not only bridging the gap between national security and open source but also empowering users within the defense community to contribute directly to the development and improvement of the software they rely on. Their story is a testament to the transformative power of open source in addressing critical challenges and driving innovation in the national security space.


Like what you see?

Share on Social Media