Search
START TYPING AND PRESS ENTER TO SEARCH

Blog

Five Security Best Practices Public Sector Organisations Need to Consider

Public sector organisations face considerable pressures when developing software to underpin essential citizen services. Delivery timeframes are short, budgets are tight, skills are scarce, and security is paramount. Many public sector organisations often employ experienced contractors to offset the shortage of in-house skills, but this can bring its own challenges when it comes to ensuring consistent security discipline. Contractors often have their own way of doing things and do not always have the security expertise to match their coding abilities.

Creating a Consistent DevSecOps Environment

An effective solution is to set up the development environment to intrinsically incorporate security testing by deploying a security testing platform that runs in the background of everything developers do, and alerts to instances of vulnerable lines of code. By making security testing intrinsic to development, vulnerabilities are identified earlier and are easier, less costly, and less time-consuming to fix. Adopting a software security testing platform means that, when developers join the team, they are entering an environment that is already built to deliver a level of application security that meets the external compliance requirements and internal risk appetite of the organisation, with the tools in place to support this. When selecting and implementing an application security platform to deliver this assurance, these are the five key things to consider:

1.     Acknowledge there is no silver bullet for application security.

Building secure applications will always be a combination of technology, people, and process. If you view this as buying a piece of software to fix a problem, it will fail. It must be an enabling tool within a culture that sees security as an integral part of DevOps and wants to build software that incorporates cybersecurity and compliance by design. An application security platform will work in partnership with development teams to reduce inherent risk, but the team needs to be on board with the expectations of secure development that will ensure software is safe.

2.     Consider the environment as much as the coders themselves.

This is particularly important in the face of high developer churn when it is hard to secure skills from one project to the next. By creating a structured environment that includes security checks and balances at every stage of the software development life cycle (SDLC) you add value to the developers’ skills and design your own best practice for secure software delivery that becomes the standard, regardless of the different individuals that build software within it.

3.     Choose a solution that integrates fully into CI platforms.

No one sets out to write vulnerable code, but developers often lack empowerment. By choosing a platform that uses automation and provides guidance for developers on how to fix security vulnerabilities, you give greater ownership to developers for the security aspect of their work. It gives them the opportunity to increase their security skills and helps them fix issues in real-time, while keeping the security process overhead minimal. To encourage adoption, the security platform needs to deliver the results of code scans in the way developers want to receive them. Any attempt to introduce new stages or processes will result in pushback, making return on investment slower to achieve. If a developer is using GitLab, for example, the scan results should be delivered back into GitLab. The AppSec platform needs the flexibility to integrate with whichever environment the developer is using.

4.     Understand security risk in the context of your business.

There is no universal index that says a risk that is acceptable to one organisation will be acceptable to another. You need to assess the impact of security risk that’s inherent in the software you build and determine what is acceptable and what isn’t, then develop a risk management framework to overlay on the software security platform with automated rules that alert teams to the introduction of unacceptable risk. It's also important to remember that risk management is a continuous process, not a one-time exercise, and should be subject to frequent review as new risks and vulnerabilities emerge.

5.     Choose a platform with strong compliance credentials, flexibility, and coding best practice.

The security standards applications need to satisfy are often determined by the compliance landscape the organisation operates in. From GDPR to HIPAA, and PCI DSS to Sarbanes-Oxley, there are a raft of regulations – both domestic and international – to consider. The software security platform needs to be configurable to support the fast development of compliant applications. As ever, speed is critical. If the software security platform takes six months to fine-tune for the compliance environment, this delays the time to value and achievement of ROI. Even if the application is not directly governed by regulations, it is best practice to consider lists such as OWASP Top Ten, SANs Top 25, and CERT coding standards. Using a platform with tools that can map to these standards and create custom, organisation-specific templates to support secure and timely software delivery provides a vital level of assurance. Choosing the right software security platform is an important step towards building secure applications without compromising the way developers want to work. As part of a culture that emphasises the importance of security, it creates confidence that public-facing applications are able to protect the personal data of the citizens they serve. To find out more about how the Checkmarx software security platform can help public sector organisations deliver secure applications, fast, download our eBook here.
Facebook
Linkedin
Twitter
Youtube
Envelope
Facebook Linkedin Twitter Youtube Envelope

About the Author

Neil Barton

Neil Barton

Neil brings 20+ years of experience in the IT industry covering hardware, software, services, and managed services to his role at Checkmarx. In the last 10 years he has aligned himself to the evolving challenges of securing the public sector from cyber threats, data breaches, and information management. In that time so much has changed from the types of threats and where they come from, to how organisations fund cyber security initiatives. His current role is to help the public sector become “secure by design” and he leads with strong security principles - from user requirements to go live.
See All Blogs >
Neil Barton

Neil Barton

Neil brings 20+ years of experience in the IT industry covering hardware, software, services, and managed services to his role at Checkmarx. In the last 10 years he has aligned himself to the evolving challenges of securing the public sector from cyber threats, data breaches, and information management. In that time so much has changed from the types of threats and where they come from, to how organisations fund cyber security initiatives. His current role is to help the public sector become “secure by design” and he leads with strong security principles - from user requirements to go live.
See All Blogs >

About the Author

Never miss an update. Subscribe today!

By submitting my information to Checkmarx, I hereby consent to the terms and conditions found in the Checkmarx Privacy Policy and to
the processing of my personal data as described therein. By clicking submit below, you consent to allow Checkmarx
to store and process the personal information submitted above to provide you the content requested.

More Resources to Consider

The Hidden Supply Chain Risks in Open-Source AI Models 
November 27, 2023
Checkmarx + Vulcan Cyber: Enabling Customers to Mitigate AI Vulnerabilities
November 21, 2023
SCS_vision_blog
Attacker – hidden in plain sight for nearly six months – targeting Python developers 
November 16, 2023
Python obfuscation traps
November 8, 2023

Contact Us

Interested in learning more about our unified platform and services?
Get in touch with a member of our team.
Request a Demo
Learn More
Solutions
Industry
Solutions For
Services
Partners
Company
Resources
Community
Linkedin Twitter Youtube Facebook

Terms of Use | Checkmarx Privacy Policy | Checkmarx.com Cookie Policy

©2023 Checkmarx Ltd. All Rights Reserved. iISO/IEC 27001:2013 Certified

Skip to content