Why It’s Time for State and Local Governments to Take a Centralized Approach to AppSec

State and local governments and education departments (SLED) have digitized rapidly in the last few years. In municipalities across the US, citizens can use online services to pay taxes and fees, register for libraries, register to vote, access educational services, and much more. This technological transformation has not been without challenges, however. While it represents a revolution in access to citizen services, it has often come at the expense of secure infrastructure and strategic planning.

Pervasive Ransomware Hits Public Sector Targets

In the last few years, attacks on SLED targets have risen in both frequency and cost. These attacks hold government agencies to ransom for large sums and exfiltrate sensitive data, so the data is exposed whether or not the perpetrators are paid. While public sector organizations are rapidly improving their cybersecurity posture, they suffer from significant differences in funding and preparedness and from a lack of standardized policies. Often they take no centralized approach within the agency and do not work together to solve security issues, all while their systems digitize faster than their applications, security, and infrastructure can keep up.

Typically, SLED agencies spend around three percent of their budget annually on cybersecurity, significantly less than the Federal Government and the commercial sector. Meanwhile, cyber-attacks are more frequent and creative than ever, helped by the distributed workforce and the expanded attack surface it creates, and SLED agencies are a prime target because of the volume of citizen data they hold. More SLED departments therefore need to work together to centralize security plans, share resources and budgets, and consolidate infrastructure. That collaboration, and the efficiency it brings to resource planning, compliance, and cost control, is what keeps agencies one step ahead of cybercriminals.

What are State CIO Priorities?

To this point, NASCIO (the National Association of State Chief Information Officers), a leading advocate on technology policy for state CIOs, recently published its top ten priorities. Cybersecurity and risk management topped the list, with NASCIO advocating that CIOs establish strong governance, budget, and resource requirements. Fifth on the list was budget, cost control, and fiscal management: strategies for cost savings and for dealing with inadequate funding and budget constraints. Consolidation and optimization, meaning the need for CIOs to centralize and consolidate services, operations, resources, and infrastructure, was also a priority.

This is easier said than done. States and counties differ significantly in revenue and legislative structure, and so in the services they offer online, so there is no one-size-fits-all answer. All agencies face budget restrictions and shortages, compounded by the pandemic, which forced them to divert budgets to meet immediate security requirements and secure employee devices. The Federal Government has provided funding through the Coronavirus Aid, Relief, and Economic Security (CARES) Act to offset this spending, but it has been slow to arrive, squeezing investment. The priority now is for agencies to look at the expanded attack surface and identify how they can keep data and applications more secure without spending money they don't have. Many of the vulnerabilities attackers exploit originate in the applications themselves, but with multiple pressures, small budgets, and departments competing for resources, application security is a task that often gets overlooked.

Taking a Centralized Approach to Application Security

So how can SLED CIOs improve cybersecurity while also consolidating the number of solutions in use and controlling costs? Centralized Application Security Testing (AST) is an excellent place to start. Today, larger SLED organizations, which invariably have more budget, already have AppSec tools in use, but these are often outdated and inflexible and can act as a brake on the development process. Many organizations facing budget limitations have instead deployed open source or free tools deemed "good enough," though they are not ideal. All too often, these tools are used to tick the compliance box rather than being deployed strategically to ensure long-term application security.

A centralized security plan and approach can help. Instead of working in silos, teams can work together to overcome budgetary constraints and reduce risk with a more robust process and system for combating attacks. Such a plan should start with a solid resource plan that centers on preventing and remediating threats, and it should include investment in current technology that integrates with existing and future tools. By adopting a centralized approach to AST using a solution that integrates fully with the software development life cycle and delivers fast ROI, SLED agencies can improve software quality while reducing the number of different tools in play. Because SLED budgets are small, centralizing lets agencies use economies of scale to reduce costs. Better cost control, fiscal management, and risk reduction are additional benefits of choosing a solution that identifies best-fix locations and offers guidance on resolving the issues it finds, while expanding developers' skillsets.

Application Security Solutions that Do More Than Tick the Compliance Box

Here at Checkmarx, we have been working with public sector and SLED organizations for several years. Our software security testing platform addresses core issues with a single solution that is easy to deploy and use. Our automated approach helps agencies drive down costs and simplifies documenting security compliance: test reports show where an application is not meeting a specific standard, and the post-fix report demonstrates compliance and supports critical standards. For example, one SLED organization we have worked with for over a year had no customized, centralized security plan and was struggling with a piecemeal approach to security. We helped them plan their implementation and automation of AST, which made adoption faster and reduced developer stress and fatigue. We triaged findings so that developers saw only the critical issues that needed addressing, helping them focus their energy and attention.

Building In-House AppSec Skills

Checkmarx Codebashing helps developers code securely by letting them learn and sharpen their application security skills in context and on demand. Codebashing integrates with the CxSAST user interface: when developers encounter a security vulnerability, they can immediately launch the appropriate learning session, run through the hands-on training, and get straight back to work equipped with the knowledge they need to resolve the problem.

The new security legislation and Biden's Executive Order should have a significant trickle-down effect on state and local government, ideally leading to more budget allocation. They will also increase visibility within departments, which will hopefully start to prioritize and centralize AppSec. That said, networking, remote work, and other issues unrelated to security often consume a large part of budget and resources, and AppSec gets bumped down the list. When teams have only limited time to devote to security, our solution, combined with a centralized and robust security plan, helps developers cut straight to the actions that will make a difference. To find out more about the challenges and opportunities of AppSec in the public sector, read our SLED issue brief: https://info.checkmarx.com/zh/public-sector/sled-issue-brief