Search
START TYPING AND PRESS ENTER TO SEARCH

Blog

Five Security Best Practices Public Sector Organisations Need to Consider

Public sector organisations face considerable pressures when developing software to underpin essential citizen services. Delivery timeframes are short, budgets are tight, skills are scarce, and security is paramount. Many public sector organisations often employ experienced contractors to offset the shortage of in-house skills, but this can bring its own challenges when it comes to ensuring consistent security discipline. Contractors often have their own way of doing things and do not always have the security expertise to match their coding abilities.

Creating a Consistent DevSecOps Environment

An effective solution is to set up the development environment to intrinsically incorporate security testing by deploying a security testing platform that runs in the background of everything developers do, and alerts to instances of vulnerable lines of code. By making security testing intrinsic to development, vulnerabilities are identified earlier and are easier, less costly, and less time-consuming to fix. Adopting a software security testing platform means that, when developers join the team, they are entering an environment that is already built to deliver a level of application security that meets the external compliance requirements and internal risk appetite of the organisation, with the tools in place to support this. When selecting and implementing an application security platform to deliver this assurance, these are the five key things to consider:

1.     Acknowledge there is no silver bullet for application security.

Building secure applications will always be a combination of technology, people, and process. If you view this as buying a piece of software to fix a problem, it will fail. It must be an enabling tool within a culture that sees security as an integral part of DevOps and wants to build software that incorporates cybersecurity and compliance by design. An application security platform will work in partnership with development teams to reduce inherent risk, but the team needs to be on board with the expectations of secure development that will ensure software is safe.

2.     Consider the environment as much as the coders themselves.

This is particularly important in the face of high developer churn when it is hard to secure skills from one project to the next. By creating a structured environment that includes security checks and balances at every stage of the software development life cycle (SDLC) you add value to the developers’ skills and design your own best practice for secure software delivery that becomes the standard, regardless of the different individuals that build software within it.

3.     Choose a solution that integrates fully into CI platforms.

No one sets out to write vulnerable code, but developers often lack empowerment. By choosing a platform that uses automation and provides guidance for developers on how to fix security vulnerabilities, you give greater ownership to developers for the security aspect of their work. It gives them the opportunity to increase their security skills and helps them fix issues in real-time, while keeping the security process overhead minimal. To encourage adoption, the security platform needs to deliver the results of code scans in the way developers want to receive them. Any attempt to introduce new stages or processes will result in pushback, making return on investment slower to achieve. If a developer is using GitLab, for example, the scan results should be delivered back into GitLab. The AppSec platform needs the flexibility to integrate with whichever environment the developer is using.

4.     Understand security risk in the context of your business.

There is no universal index that says a risk that is acceptable to one organisation will be acceptable to another. You need to assess the impact of security risk that’s inherent in the software you build and determine what is acceptable and what isn’t, then develop a risk management framework to overlay on the software security platform with automated rules that alert teams to the introduction of unacceptable risk. It's also important to remember that risk management is a continuous process, not a one-time exercise, and should be subject to frequent review as new risks and vulnerabilities emerge.

5.     Choose a platform with strong compliance credentials, flexibility, and coding best practice.

The security standards applications need to satisfy are often determined by the compliance landscape the organisation operates in. From GDPR to HIPAA, and PCI DSS to Sarbanes-Oxley, there are a raft of regulations – both domestic and international – to consider. The software security platform needs to be configurable to support the fast development of compliant applications. As ever, speed is critical. If the software security platform takes six months to fine-tune for the compliance environment, this delays the time to value and achievement of ROI. Even if the application is not directly governed by regulations, it is best practice to consider lists such as OWASP Top Ten, SANs Top 25, and CERT coding standards. Using a platform with tools that can map to these standards and create custom, organisation-specific templates to support secure and timely software delivery provides a vital level of assurance. Choosing the right software security platform is an important step towards building secure applications without compromising the way developers want to work. As part of a culture that emphasises the importance of security, it creates confidence that public-facing applications are able to protect the personal data of the citizens they serve. To find out more about how the Checkmarx software security platform can help public sector organisations deliver secure applications, fast, download our eBook here.
Facebook
Linkedin
Twitter
Youtube
Envelope
Facebook Linkedin Twitter Youtube Envelope

About the Author

Neil Barton

Neil Barton

Neil brings 20+ years of experience in the IT industry covering hardware, software, services, and managed services to his role at Checkmarx. In the last 10 years he has aligned himself to the evolving challenges of securing the public sector from cyber threats, data breaches, and information management. In that time so much has changed from the types of threats and where they come from, to how organisations fund cyber security initiatives. His current role is to help the public sector become “secure by design” and he leads with strong security principles - from user requirements to go live.
See All Blogs >
Neil Barton

Neil Barton

Neil brings 20+ years of experience in the IT industry covering hardware, software, services, and managed services to his role at Checkmarx. In the last 10 years he has aligned himself to the evolving challenges of securing the public sector from cyber threats, data breaches, and information management. In that time so much has changed from the types of threats and where they come from, to how organisations fund cyber security initiatives. His current role is to help the public sector become “secure by design” and he leads with strong security principles - from user requirements to go live.
See All Blogs >

About the Author

Never miss an update. Subscribe today!

By submitting my information to Checkmarx, I hereby consent to the terms and conditions found in the Checkmarx Privacy Policy and to
the processing of my personal data as described therein. By clicking submit below, you consent to allow Checkmarx
to store and process the personal information submitted above to provide you the content requested.

More Resources to Consider

Introducing AI Query Builder for SAST 
May 31, 2023
Ericsson Sensitive Data Exposure via Trace.axd 
May 25, 2023
Checkmarx Named a Leader in the 2023 Gartner® Magic Quadrant™ for Application Security Testing for the 6th Consecutive Year 
May 23, 2023
A new, stealthier type of Typosquatting attack spotted targeting NPM  
May 9, 2023
Checkmarx is constantly pushing the boundaries of Application Security Testing to make security seamless and simple for the world’s developers and security teams. As the AppSec testing leader, we deliver the unparalleled accuracy, coverage, visibility, and guidance our customers need to build tomorrow’s software securely and at speed.
ABOUT CHECKMARX
REQUEST A DEMO
CAREERS WITH US

Contact Us

Interested in learning more about our unified platform and services?
Get in touch with a member of our team.
Request a Demo
Learn More
Solutions
Industry
Solutions For
Services
Partners
Company
Resources
Community
Linkedin Twitter Youtube Facebook

Terms of Use | Checkmarx Privacy Policy | Checkmarx.com Cookie Policy

©2023 Checkmarx Ltd. All Rights Reserved. iISO/IEC 27001:2013 Certified

Skip to content