Hacker News | arink's comments

There is no motivation on the defense contractor side to do anything more than satisfy the requirements of the contract. And any R&D spent should result in an interesting demonstration that brings in more business.

Standard operating procedure would need to change so the government entity has security as a requirement, details on how the requirement can be satisfied, and a bunch of money to pay for it.

So tack on $X million for each contract to have a 3rd party audit the code, documentation, and hardware for security vulnerabilities. And an added maintenance contract to fix any future vulnerabilities for the lifetime of the program (20+ years most likely).

From the higher up side, what do you get for all that money spent? No new functionality, no fancy demos. Going to be hard to convince them security is important when they can fund something they view as more critical or more interesting.

EDIT: To answer the question of what can be done, I think it'd require a culture change on the contracting side. The engineering side of the house is mandated to only do work that relates directly to the contract. The hours bid will likely be for the minimum necessary to satisfy those requirements. You can create a new interface, but you won't have the time to do any fuzz testing for example.


I no longer work there, but ~5 years ago you had to get approval per project. I went through the process once and it took over 2 months for them to say "Ok" to working on an open source game.

Depending on the content and nature of your website, I expect the likelihood of approval will vary from difficult to impossible.


There was a recent article in the Chicago Tribune about bringing dogs to work with the following quote:

"What we're trying to create here, it's lofty, open, we bring in lunch, we hire younger people. Part of creating the vibe is not just the space but the amenities. Bring in your dog."

http://www.chicagotribune.com/lifestyles/pets/ct-pets-office...

No idea if that counts as ageism. Is it any worse than mentioning "recent graduate" or "0 - 2 years experience" in your job advertisement?


3 weeks.

FYI: Something to be aware of is if the company shuts down at the end of the year. You may have to use 2 - 4 days of vacation around Christmas/New Years or take those days as unpaid.


The cool thing is the other office shuts down for Thanksgiving, but we don’t (inorite?) so instead they give us 3 days to take whenever else we want (pending approval).


Primarily size. When you have 256k or less to work with, you don't have much choice.

Specific to Erlang: http://www.erlang.org/faq/implementations.html (see 8.9)


Ah, thanks for the link.

It's easy to forget how small the RAM budgets still are in some parts of the embedded world.


Try hnsearch.com


Comments from previous submission: https://news.ycombinator.com/item?id=5388535


You don't need to preach. Use the workflow that makes you the most productive, mention what you're doing to others, and roll with what happens.

As a personal example, I'm not sure anybody had heard of or used Jenkins when I arrived. We now have an automated build, multiple levels of testing, static analysis, etc. I installed it and did some initial configuration, but others took on the majority of the work because they bought into it.

Couple other thoughts

- For CI, mention it to the team, have examples to back up where it helped, and offer to set it up. Shouldn't take too long and it'll pay back as soon as you catch some busted code (yours or theirs)

- While Subversion may not be as highly regarded as Git, it works just fine. So I wouldn't consider that a negative, just a different tool.


One of the concerns I've seen mentioned is that while it is illegal to pay less than the median, that median can be shifted by changing the job title.

In the CNN article, it is mentioned that the most requested position is for "computer systems analyst" which "is also a lower-paying job compared to jobs like software engineer and requires only a two-year degree." It is quite possible that some of those analysts are over-qualified for their jobs and should be making software engineer or senior engineer money.

The Government Accountability Office wrote up a report about 2.5 years ago [1] that does mention limited oversight (page 3). The text:

  "Elements of the H-1B program that could serve as worker protections
  such as the requirement to pay prevailing wages, the visa’s
  temporary status, and the cap itself are weakened by
  several factors."

Just because it is illegal, doesn't mean it isn't happening.

[1] http://www.gao.gov/new.items/d1126.pdf


