Today, public sector organizations face a daunting set of challenges as society adjusts to the current COVID-19 environment. Citizen services that previously depended on in-person processes have been forced to pivot to digital alternatives at an uncomfortable speed. This has meant that development teams have been under immense pressure to not only set up a remote working environment but also deliver apps and services in new and innovative ways. COVID-19 created unprecedented demand overnight for secure, intuitive digital citizen services. Everything from unemployment benefit applications, medical appointments, and education, to planning applications and crime reports had to take place digitally, or not at all. Whether they like it or not, citizens have been forced to adapt and as a result the pandemic has proved a catalyst for permanent change.
Citizens demand ‘Amazon-quality’ apps and services
In the space of a year, society has transformed, and digital-first is now imperative. Citizens need digital-based public services so they can continue their lives in a world that appears unlikely to return to in-person or manual processes. But, unfortunately, now citizens have heightened expectations and are demanding ‘Amazon-quality’ app services. This means that demand for public services application development is outstripping available coding and security expertise. This, combined with the ever-present squeeze on public finances, is creating a shortfall in resources and any proposed investment must guarantee cost-savings and efficiency. Likewise, the regulatory environment continues to evolve and there is mounting pressure to ensure compliance to ever-stricter governance regimes. This is creating a perfect storm, putting extraordinary strain on development teams as they rush to produce code and build and deliver new apps to citizens. Rising demand and high citizen expectations also means application development, delivery, and deployment time frames are shorter than ever, and many organizations are adopting Agile fundamentals and continuous integration and continuous delivery (CI/CD) processes of DevOps to meet the relentless pace.
All too often software code is pushed out with vulnerabilities
However, the consequences are that often code gets released with vulnerabilities. According to statistics
from the Enterprise Strategy Group, 79% of organizations either regularly or occasionally push code to production with known organic vulnerabilities. 54% have pushed vulnerable code to production in order to meet a critical deadline and 81% say production applications had been exploited in the past 12 months. We all know public sector data is a highly confidential and regulated source and any vulnerabilities can cause a weak link further down the line which could be exploited by hackers. Add to this a general shortage in security skills and limited budgets affecting recruitment to developer teams and you can start to appreciate the enormous dilemma that most public sector organizations face right now. And if that wasn’t enough, there are further complexities arising through the usage of open source components and third-party libraries to accelerate software development. This opens organizations up to increased license and operational risk, plus it also expands the attack surface by potentially introducing known vulnerable code into a production build. On top of any organic vulnerabilities introduced in proprietary code, open source risk must be thoroughly acknowledged and addressed.
The pressure to improve software security is everywhere
As an example of the sense of urgency in the U.S, in the recent Executive Order on Improving the Nation’s Cybersecurity
it says, “Within 60 days of the date of this order [May 12, 2012], the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, shall publish guidelines recommending minimum standards for vendors’ testing of their software source code
, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).” For more information, see Sec. 4. Enhancing Software Supply Chain Security. (r) Not only is there a sense of pressure in the U.S., the UK’s National Cyber Security Centre (NCSC)
emphasizes the imperative for intrinsically secure code stating: “Protect the integrity of your source code and other artefacts from day one right through to deployment. Test that you've secured it properly.” Clearly, the public sector worldwide understands the importance of secure software development and deployment.
Taking an automated approach to testing
So, what can public sector software development teams do to overcome these multiple challenges? This is where there is a clear case for Automated Application Security Testing (AST) whereby organizations look to integrate AST solutions directly into software development and DevOps toolsets utilized by developers on a daily basis. Doing this enables development teams to achieve their time-to-delivery objectives without compromising on security. However, this requires a cultural shift from seeing development and security in opposition, to recognizing that a DevSecOps method of incorporating security testing throughout the software development lifecycle (SDLC) – starting at the planning stage - will actually result in faster delivery, especially in a public sector environment which naturally has an increasing focus on security. This in turn will help to identify and reduce vulnerabilities at an earlier stage. Likewise, organizations should deploy integrated code-scanning solutions that completely automate scans directly from Source Code Management (SCM) solutions, CI/CD tools, and Integrated Development Environments (IDEs) enabling developers to increase efficiency, improve security, and measurably reduce delays as well as speed up testing. This will lower the burden on in-house time and skills required to deliver secure applications on schedule.
Seek out projects that deliver high-performing digital services
Of course, this all costs money and, following the emergency expenditure of 2020, funds will be in short supply. But what the crisis has unequivocally demonstrated is that, when all other avenues are closed, digital is the only option. Therefore, public finance managers should seek out and fund projects that deliver high-performing digital services in the drive to build resilience against future disruption. Our new eBook explores the challenges and looks at the opportunities for public sector teams to drive secure digital transformation and deliver value back to the organization. It includes recommendations to help not only drive secure software development but also get that all important buy-in for secure DevOps initiatives. For U.S. Federal and SLED Agencies, you can download this version of our eBook here. For the Public Sector Organisations in Europe and Asia, you can download this version of our eBook here.