A Mandate from Federal Government
Today, security is an absolute requirement. The Federal Government knows that security is a critical issue, so it has mandated that State and Local Government agencies (SLED) create legislation such as the State and Local Cybersecurity Act 2019 to support improvements.
The 2021 National Association of State Chief Information Officers (NASCIO) CIO Top 10 Priorities reflect this heightened emphasis on security, placing the number one focus on Cybersecurity and Risk Management, centering on governance, budget, and resource requirements. Furthermore, regarding technologies, applications, and tools, the number two priority is how agencies secure, modernize, and renovate legacy applications.
However, looking at the escalating number of threats over the last few years, and ransomware attacks in particular, most SLED agencies would find it hard to pinpoint exactly how these attacks penetrated the organization’s defenses. In other words, it is challenging to identify whether these have been predominantly phishing attacks, application-layer attacks, firewall attacks, or some other form of attack. The stark reality is that no one knows precisely where bad actors are manifesting in government systems, and they’re tough to detect and subsequently manage. For example, phishing attacks often come down to human error: however much an organization educates and trains employees, someone will always click on a malicious link.
Focus on What You Can Control
When there are so many unknowns, SLED agencies should focus on security components that they can control. For example, application security and securing the application level and source code are key to ensuring that software is thoroughly scanned and tested to identify and remediate vulnerabilities before it goes into production.
But how, with a limited budget, restricted resources, and a growing remote and hybrid workforce, can SLED agencies be confident that they are adequately securing their systems, particularly their legacy applications?
Firstly, lack of budget and resources should not be a blocker. The safety, security, and protection of citizen and employee data should never be a budget question and should always be front of mind for SLED agencies. It is of the utmost importance that they protect highly confidential and sensitive PII data, so data security budgets should not be a constraint.
Secondly, when it comes to resources, agencies should look at how they function to protect data.
Taking an Iterative Approach to Writing Code
By taking a DevSecOps approach, the issue of resources shouldn’t be a problem either. A DevOps culture advocates developing, testing, and delivering software quickly, regularly, and with more dependability. DevOps' fundamental components include continuous integration (CI) and continuous delivery (CD) in software development. Here at Checkmarx, we empower developers to write more secure code with the right tactics, tools, and integrations that embed security throughout the software development life cycle (SDLC). We make software security essential infrastructure: unified with DevOps, and seamlessly embedded into the entire CI/CD pipeline, from uncompiled code to runtime testing. This makes the process easier and less resource-intensive, because organizations can instill security into the CI/CD pipeline and release secure software faster by running incremental scans on uncompiled source code.
Understanding the Risk Tolerance of the Organization
What is of utmost importance is that the agency has set risk tolerances for its application and software development and understands the risks associated with code.
Today, many agencies are taking a centralized approach to IT security, with one department responsible for all application development security. This centralized department must communicate issues, and the actions developers need to take, across multiple teams. The organization should understand its risk posture and risk tolerance as it pertains to software development, and what levels of risk are acceptable from a legal standpoint. Likewise, this centralized department should manage risk, identifying the challenges and obstacles in software production, and agree with legal which risks they are willing to accept before any software goes live.
So how should the organization go about achieving this across their legacy application estate?
Taking an Outside-in Approach
Determining this risk tolerance should start with agencies identifying the applications that are most critical to the organization – these are likely to be any outward-facing apps that handle public data. Here security, legal, and the CIO office must guide the process and help the various teams review their internal processes, looking for any exploitable attack vectors in these applications. Prioritization will allow the developers to work smart, stay focused, and investigate the root cause of any issues, specifically in embedded open source code combined with custom source code. Once the team has mitigated risks on some of those critical outward-facing apps, the organization can extend this to other apps across the organization using a default scan that captures a broad base of issues.
When an agency uses open-source libraries, it needs to investigate whether these are current and properly used. As you can imagine, some legacy applications use old versions that DevSecOps teams must scan for vulnerabilities. Older legacy versions could contain known vulnerable code that bad actors could identify. Therefore, organizations must take the time to review these libraries with tools that regularly schedule updates. For example, when scanning open-source libraries, Checkmarx SCA creates a report of which versions the organization is on and what bugs exist in those versions. Then, the agency needs to determine its risk appetite and what level of risk each of these vulnerabilities represents for the business.
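As an added example (not Checkmarx code and not part of the original post), here is a small Python check of the kind that the SCA report and the risk-tolerance decision described above amount to: it parses a pinned dependency manifest, matches each package against an advisory list, and applies the severity the agency has agreed to accept as a release gate. The manifest, the advisory entries and the ADV-* identifiers are constructed placeholders, and a pinned-version manifest (pip requirements style) is assumed.

```python
"""Minimal SCA-style dependency check with a risk-tolerance gate (illustrative, constructed data)."""
import re

# Constructed sample manifest in pip requirements style; not taken from any real project.
MANIFEST = """\
requests==2.19.0   # legacy app still pins this
pyyaml==3.12
jinja2==3.1.2
"""

# Constructed advisory database: ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "requests": [{"id": "ADV-0001", "fixed_in": "2.20.0", "severity": "HIGH"}],
    "pyyaml":   [{"id": "ADV-0002", "fixed_in": "5.1",    "severity": "CRITICAL"}],
    "jinja2":   [{"id": "ADV-0003", "fixed_in": "2.11.3", "severity": "MEDIUM"}],
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {package: pinned_version}. An unpinned line is rejected: without an
    exact version the scanner cannot say what is actually deployed."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def find_findings(deps, advisories):
    """Report every advisory whose fix version is newer than the pinned version, worst first."""
    findings = []
    for name, version in deps.items():
        for adv in advisories.get(name, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"package": name, "version": version, **adv})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


def gate(findings, max_accepted="MEDIUM"):
    """Apply the agreed tolerance: return (passed, blocking_findings)."""
    limit = SEVERITY_RANK[max_accepted]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] > limit]
    return (not blocking, blocking)
```

With the constructed data, pyyaml (CRITICAL) and requests (HIGH) are reported while jinja2 is already past its fix version; a MEDIUM tolerance blocks the release on both, a HIGH tolerance blocks only on pyyaml.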
Leading From the Front
Without question, tackling application security involves adopting tools and processes, and a culture shift driven by a dynamic leader who takes a proactive approach to embracing security protocols around the application estate and software development. Leaders need to initiate and drive adoption within an organization’s culture, which involves interpreting the agency’s responsibility and utilizing tools to aid the process. A beneficial DevSecOps approach will speed up the development lifecycle and reduce the resources required to detect vulnerabilities in code.
Over time, by adopting the steps outlined above, organizations can be confident that their applications are optimized to mitigate known exploitable vulnerabilities and instill security not only into their modern development practices but also across their legacy applications.