Developing Digital Citizen Services: Our Duty to Keep Digital Government Secure

Cybersecurity is top of mind right now as President Biden’s Executive Order sets a new, more urgent tone around the importance of protecting federal agencies and critical national infrastructure from malicious cyberattacks. The imperative to step up cybersecurity is also a high-profile issue in state and local government agencies and educational institutions as they face pressure to digitize citizen services fast in the wake of the COVID-19 pandemic. Is your organization under pressure? Download: How Public Sector Agencies Can Rise to the Challenge of Secure Digital Transformation >>

Multiple Drivers to Digitize

When in-person processes became impossible during the pandemic, the extent to which public sector services relied on them became apparent. Town halls, municipal offices, schools, and colleges were forced to close their doors to the public and the need to provide digital alternatives so citizens could access critical services became clear. As the health crisis abates, the goal of building resilience against future disruption has public sector agencies accelerating digitization programs. As well as keeping public services up and running, there are several other drivers to digitize:

• Building citizen trust: easy, convenient user access helps more people engage with key services. Doing so securely by safeguarding their personally identifiable information (PII) is an imperative to build trust. In uncertain times, when state and local government is playing a key role giving citizens advice and financial support, this trust is incredibly important for the safe functioning of society.
• Cost savings: digitally delivered services are more cost-effective to run, requiring fewer human resources and reducing the need for physical municipal spaces.
• Efficiency gains: by deploying more automation, agencies and educational institutions can increase efficiency and free up employee time to devote to higher value activities.
• Innovation and insight: digital citizen services enable the easy collection of large amounts of data about how such services are used by the population. Agencies can analyze this to better predict future demand and identify key improvements and innovation opportunities in public services.

These benefits are compelling, but achieving them also introduces a number of challenges to application performance and safety:

Citizen Expectations are Driven by Consumer Experiences

The software developers building digital government services face a tough challenge. Their target market are the same customers that use Amazon and they expect the same level of seamless, intelligent, customer-centric services. This means leveraging citizen data to personalize applications and share information between them, so the user has to do as little as possible in order to successfully engage with the service. Learn how Checkmarx and AWS are better together >> Sadly, public sector budgets are nowhere near the same scale as those of major retailers, meaning software developer teams are trying to replicate the same experience with limited resources.

Digitization Introduces More Cybersecurity Risk

On top of the pressure of customer expectations are the increased security risks introduced when in-person processes move online. Many public sector services are highly confidential and might formerly have been conducted through a one-to-one conversation in a private office, but are now transacted through a public-facing website. This is a prime target for hackers looking to steal high value PII such as social security numbers and passport details that users provide to confirm their identity. Ensuring robust identity management and protecting citizens’ personal data is a critical challenge developer teams must address by making sure the software they build is secure. Because if their data is compromised when they engage with government services, users won’t trust them, and all the potential advantages of digital services could be lost. Consequently, developer teams are under huge pressure to achieve a lot with limited resources. Security and functionality are often competing priorities and the clock is always ticking, tempting teams to push fixes closer to delivery deadlines and creating technical debt. That debt has to be repaid one way or another, whether through stressed-out software developers rushing to implement last-minute fixes, or with vulnerabilities being pushed to production and potentially putting systems and data at risk. Public Sector regulators try to avoid this and safeguard public services by mandating code scanning requirements. These derive from sector-specific regulations such as HIPAA , and alignment to standards from NIST, OWASP Top 10, SANS Top 25, and PCI-DSS, among others. Ensuring compliance with these regulations puts a burden on developers and adds to the pressure they face.

Application Security Testing helps Public Sector Developer Teams Deliver Secure Digital Services at Pace

Checkmarx helps Public Sector agencies meet their obligation to protect citizen data without increasing developer stress by providing Application Security Testing (AST) solutions that can be readily applied to the current development process. They offer a number of benefits:

1. Integration into preferred IDEs: developers do not need to change or interrupt their workflows, but receive scan results back into their customary IDE, together with information on best-fix locations for identified vulnerabilities. View Checkmarx integrations here. >>
2. Automation: by automatically initiating code scans at key points during the development cycle, the burden on developers is lifted and security becomes intrinsic to coding. This applies to both proprietary code and open source libraries, resulting in more secure applications.
3. Easier adoption: it is an intuitive solution more readily adopted by developers because it delivers results without impeding their preferred way of working.
4. Reduces the accumulation of technical debt: by scanning for vulnerabilities earlier in the SDLC they are identified sooner, when they are easier and less time-consuming to fix. This reduces technical debt and eases pressure on production deadlines.
5. Improves compliance: Checkmarx provides out-of-the-box compliance with the key standards mentioned above, as well as supporting advanced custom queries that can be tailored for specific use cases.
6. Offers secure coding education: Checkmarx Codebashing offering allows teams to learn-as-they-go, with bite-size on-demand sessions that relate to the actual challenges they are facing in their code. Agencies get more from their existing development teams without having to commit limited time or large training budgets to the issue.

Learn more about Developer Training in the Context of Regulatory Compliance >> In combination, the features above help developer teams raise application security standards to the right level, without disrupting delivery schedules.

Striking a Safe Balance Between Service Personalization and Data Security

Getting application security testing right in terms of speed and rigor is fundamental to the successful digitization of public services. The amount of PII involved in personalizing services to recipients creates a considerable risk if it is not robustly protected at the application level. Application security must be a priority throughout the development lifecycle in order to strike the balance between user experience and data security. To achieve the level of assurance needed to ensure public confidence in digital services, Public Sector agencies should incorporate application security testing fully into their SDLC. By integrating and automating AST, agencies can realize the benefits of digital government, while minimizing the risks. To find out more about the challenges and opportunities of AppSec in the Public Sector, download our eBook here.