For state governments, local governments, and education agencies (a cohort often referred to as the SLED sector), there has perhaps never been a more difficult time to develop and deploy software than the present. Due partly (but not solely) to the pandemic, SLED organizations face an unprecedented set of challenges related to software. To meet these challenges, they need to overhaul many aspects of their approach to software delivery.
One key change involves rethinking the way that SLED organizations integrate security into the software delivery pipeline. Rather than focusing only on finding security issues after software has been deployed into production, they must take greater advantage of Application Security Testing (AST) to help "shift security left," which means starting security testing earlier in the delivery pipeline.
Here's a look at how a shift-left security approach based on AST can help SLED agencies overcome the array of challenges they face at present.
Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure, and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO. His latest book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published in 2017.
Problems Faced by State, Local, and Education Government Agencies
SLED organizations are currently confronting a slew of deep challenges. The big ones include: Increased customer demand: Consumers increasingly expect the same seamless experience from government agencies that they are accustomed to receiving within the private sector. This means that SLED agencies must optimize the reliability and performance of their applications, while simultaneously meeting the strict security and compliance requirements that are prevalent in the government sector.- Supply chain risks: As the SolarWinds breach highlighted, government agencies face deep security risks from "upstream" code that is written by other organizations but forms part of their software supply chain.
- Cloud-native revolution: Like everyone else, government agencies face pressure to take full advantage of the cloud and cloud-native architectures. But their software delivery and security processes haven't always kept pace with the needs of scale-out, microservices-based architectures.
- IoT vulnerabilities: The Internet of Things, or IoT, is another new technological frontier where government agencies are active, but it poses challenges that they are not always well equipped to handle.
- Legacy development practices: On the whole, developers working for governments have focused more on maintaining existing systems than keeping up with current trends. Salaries have consequently lagged behind those in the private sector, making it harder for government agencies to attract developers with deep expertise in modern development practices, like agile and CI/CD.
How AST Can Help SLED Agencies
Application Security Testing alone won't solve all of the SLED problems described above. But it can help mitigate many of them. AST allows developers, IT engineers, and security engineers to find vulnerabilities within software before it is deployed into production. By testing applications on the "left" side of the delivery chain – meaning before applications are deployed for use by end-users – organizations are in a stronger position to identify security weaknesses early. In turn, developers can resolve security issues before they impact end-users. This helps agencies achieve the optimal customer experience that SLED agencies are now pressured to deliver. Not only that, but finding security issues earlier in the pipeline via AST can also help teams gain a stronger handle on the special challenges that come with new technological paradigms like IoT and cloud native. It's much easier to troubleshoot complex security issues when you find them in source code pre-production, rather than once the application has already been built and deployed into a large cloud-native application environment or IoT network. Likewise, security vulnerabilities related to the software supply chain are much easier to mitigate when you detect them early. Although it's unlikely that AST could have completely stopped government agencies from falling victim to a breach as large as the SolarWinds affair, which was unprecedented in its scale and depth, it certainly could not have hurt. And for smaller-scale upstream applications, especially those that are imported as raw source code, AST is very effective in helping to find and fix vulnerabilities. Finally, because AST can be largely automated and is easy to perform within a controlled, pre-production environment where mistakes don't have an immediate impact on end-users, it requires a lower level of expertise than other forms of security testing, like penetration tests. This is a key advantage for government agencies whose developers may lack the security expertise necessary to perform more specialized types of tests.Adding AST to Your Security Strategy
AST is only one pillar of modern security. Monitoring production environments for signs of breaches is still important. But for SLED agencies – indeed, for organizations of all types – AST has become an essential ingredient in overall security strategies integrates AST into the software delivery pipeline to give organizations the best of both worlds – a pipeline that is fast and secure.
Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure, and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO. His latest book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published in 2017.
