US state and local governments and education departments (SLED, collectively) have digitized rapidly in the last few years. In municipalities across the country, citizens can now pay taxes and fees, register for libraries, register to vote, access educational services, and much more, all online. This transformation has not been without challenges, including budget constraints and cuts. Moreover, because the focus has been on delivering digital service functionality, this expansion of citizen services has often come at the expense of secure infrastructure and agile strategic planning.
To this point, the National Association of State Chief Information Officers (NASCIO) recently published its top 10 priorities. Cybersecurity and risk management topped the list, advocating the need for CIOs to establish strong governance, budget, and resource requirements. Fifth on the list were budget, cost control, and fiscal management strategies. Optimization and the need to centralize and consolidate services, operations, resources, and infrastructure were also cited as priorities.
All this is easier said than done. The services offered online from state to state and county to county can vary significantly in terms of revenue and legislative structure—one size does not fit all. All agencies have budgetary restrictions and shortages, and the pandemic compounded this, forcing them to divert budgets to meet immediate security requirements and secure employee devices. The federal government has provided funding through the Coronavirus Aid, Relief, and Economic Security (CARES) Act to offset this, but the relief seems to be slow in coming, causing a squeeze on investment.
The priority now is for agencies to look at their expanded attack surface and identify how they can better secure data and applications without spending money they don't have. Much of that attack surface lives in the applications themselves, since a large share of exploitable weaknesses originate in application code, but with multiple competing pressures, small budgets, and departments fighting for resources, application security is often the item that gets overlooked.
Two common high-cost scenarios play out in SLED agencies whose development environments are exposed in this way. In the first, security is not prioritized or optimized, so expensive breaches occur. In the second, SLED agencies do prioritize security, but in financially taxing ways that may include:
- Procuring point products with varying usage and licensing models, driving up costs
- Developers spending too much time on vulnerability remediation, slowing down time to market and increasing development costs, because:
  - Point products don't talk to one another, producing a mess of overlapping vulnerability results to sift through
  - Developers are pulled out of their development environments because automation and integrations are lacking
  - The tools don't help developers solve the problem in front of them or learn how to code securely
Ransomware Is Costing the Public Sector
Attacks on SLED targets have become more frequent and more financially damaging. These attacks are often driven by pervasive ransomware strains that hold agencies to ransom for large sums and exfiltrate sensitive data whether or not the ransom is paid.
While public sector organizations are rapidly improving their cybersecurity posture, they suffer from significant differences in funding and preparedness alongside a lack of standardized policies. Often, the departments within an agency don’t take a centralized approach or work together to solve security issues, and meanwhile, their systems are digitizing faster than their applications, security, and infrastructure can keep up.
SLED agencies typically spend around 3% of their annual budgets on cybersecurity—significantly less than the federal government or commercial sector. However, as the modern distributed workforce has expanded attack surfaces, cyberattacks have become more frequent and creative than before. SLED is a prime target not only because of the amount of citizen data agencies hold, but also because of the siloed approach they take to security. More departments within SLED agencies need to work together to centralize security plans, share resources and budgets, and consolidate infrastructure. This will help them keep one step ahead of cybercriminals, enable greater efficiency, and facilitate better resource planning, compliance, and cost control.
Centralized Application Security Saves Costs and Resources
So, how can SLED CIOs improve cybersecurity, consolidate the number of solutions in use, and control costs all at the same time? A unified application security testing (AST) platform is a good place to start.
Right now, many larger SLED organizations (with larger budgets) already have AppSec tools, but these are often outdated and inflexible point products with limited coverage, acting as brakes on the development process. Meanwhile, many budget-constrained organizations use only limited commercial tools or free open source solutions that, while not ideal, are deemed “good enough.” Too often, these tools only help organizations tick the compliance box; they are seldom mature enough or deployed strategically to ensure long-term application security.
A centralized security plan and approach can help. Instead of working in silos, teams can work together to overcome budget constraints and reduce risk. This starts with a robust resource plan that revolves around threat prevention and remediation. Then, the security plan should include investment in the latest technology that integrates with both existing and future tools. With a centralized approach to AST, using a tool that works throughout the entire software development life cycle and delivers fast ROI, SLED agencies will be able to improve software quality while reducing the number of tools in play.
Since budgets are small in SLED, centralizing provides the opportunity to use economies of scale to help reduce costs. This will also help with cost control, fiscal management and risk reduction. Furthermore, by choosing a solution that delivers best fix location recommendations and tips on resolving identified issues, agencies can expand their developer team’s skill set at the same time.
AppSec Training Gives Teams Back Time to Focus on Security
Codebashing, our AppSec awareness training platform, helps developers efficiently sharpen their application security skills by showing them how to code more securely, in context and on demand. Codebashing is fully integrated into the CxSAST user interface, so when developers encounter a vulnerability, they can immediately launch the relevant learning session, work through the hands-on training, and get straight back to work once they know how to resolve the problem.
With new legislation in force and President Biden’s executive order, the emphasis is firmly on security. This should have a trickle-down effect on state and local governments, ideally leading to more budget allocation. It will also increase visibility within departments that will hopefully start to prioritize and centralize AppSec more. It's an unfortunate reality that issues related to the network, remote work, and other non-security concerns often consume a large share of budget and resources, pushing AppSec down the list. When teams only have so much time and resources to devote to security, our solution—along with a robust, centralized security plan—will enable developers to cut right to the actions that will make a difference.
True Application Security Does More Than Tick the Compliance Box
At Checkmarx, we’ve been working with Federal and SLED organizations for years. Our AST platform addresses core issues with a single solution that’s easy to deploy and use. Taking an automated approach, we help agencies drive down costs and more easily document security compliance. Our testing reports show where an application isn’t meeting a specific standard, and our post-fix report positively documents compliance and supports key standards.
One SLED organization we have been working with had no bespoke, centralized security plan, and its team was struggling with a piecemeal approach. We helped the organization lay out a plan for implementing AST and automating it through our end-to-end integrations with developer tools. This made adoption easier and reduced developer stress and fatigue, because developers could triage findings and see the critical issues that needed addressing first.
Supporting developers with an AST solution that covers your code end to end streamlines their work, reduces friction between development and security, and speeds up your time to deploy applications, all while securing citizen data.
To find out more about the challenges and opportunities of AppSec in the public sector, download our e-book.