For state governments, local governments, and education agencies (a cohort often referred to as the SLED sector), there has perhaps never been a more difficult time to develop and deploy software than the present. Due partly (but not solely) to the pandemic, SLED organizations face an unprecedented set of challenges related to software. To meet these challenges, they need to overhaul many aspects of their approach to software delivery. One key change involves rethinking the way that SLED organizations integrate security into the software delivery pipeline. Rather than focusing only on finding security issues after software has been deployed into production, they must take greater advantage of Application Security Testing (AST) to help "shift security left," which means starting security testing earlier in the delivery pipeline. Here's a look at how a shift-left security approach based on AST can help SLED agencies overcome the array of challenges they face at present.
Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure, and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO. His latest book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published in 2017.
Problems Faced by State, Local, and Education Government Agencies
SLED organizations are currently confronting a slew of deep challenges. The big ones include:
- Increased customer demand: Consumers increasingly expect the same seamless experience from government agencies that they are accustomed to receiving within the private sector. This means that SLED agencies must optimize the reliability and performance of their applications, while simultaneously meeting the strict security and compliance requirements that are prevalent in the government sector.
- Supply chain risks: As the SolarWinds breach highlighted, government agencies face deep security risks from "upstream" code that is written by other organizations but forms part of their software supply chain.
- Cloud-native revolution: Like everyone else, government agencies face pressure to take full advantage of the cloud and cloud-native architectures. But their software delivery and security processes haven't always kept pace with the needs of scale-out, microservices-based architectures.
- IoT vulnerabilities: The Internet of Things, or IoT, is another new technological frontier where government agencies are active, but it poses challenges that they are not always well equipped to handle.
- Legacy development practices: On the whole, developers working for governments have focused more on maintaining existing systems than keeping up with current trends. Salaries have consequently lagged behind those in the private sector, making it harder for government agencies to attract developers with deep expertise in modern development practices, like agile and CI/CD.