Five steps to protect critical software with AppSec


The government is in a technological mess. To meet the expectations of citizens who expect agencies to provide the same user-friendly digital services they get from businesses and online retailers, government development teams have turned to cloud-native technologies, microservices architectures, and open source code to accelerate and scale the development of new applications.

This growing reliance on agile technologies has expanded the software supply chain and introduced new complexities and risks of the kind seen in recent headlines: the SolarWinds hack, the Microsoft Exchange Server breach and the Log4j open source vulnerability. The government's reliance on software means a single breach could take critical services offline.

With every hack and breach, public trust in government operations is tested.

Visibility across all apps

Recent government mandates, such as the Executive Order on Improving the Nation's Cybersecurity, have shone a spotlight on protecting software supply chains and critical agency software. In July 2021, the National Institute of Standards and Technology released security measures for "EO-critical software" to quickly identify, document, and mitigate known vulnerabilities.

NIST guidelines call for dynamic application security testing platforms to manage application vulnerabilities. Agencies also received guidance on securing critical software. An August 10, 2021 memo from the Office of Management and Budget gave agencies 60 days to identify all agency-critical software, whether in use or being acquired. Over the next two years, agencies must implement the NIST-designated security measures for all categories of critical software.

To be effective, an application security platform must provide visibility into the state of applications across all types of testing, including static application security testing (SAST) to examine source code for vulnerabilities, dynamic application security testing (DAST) to analyze running web applications, software composition analysis (SCA) to manage open source components, and manual penetration testing (MPT), all in one centralized view.

Additionally, agencies need a holistic approach to securing critical software. Here are five recommendations for agency development and security teams to consider when developing and deploying AppSec solutions.

  1. Identify and prioritize inventory

In accordance with the OMB mandate, agencies have identified, or are in the process of identifying, their critical software. This is an opportunity for agencies to get a clear picture of their applications and their attack surfaces, the sum of all potential entry points for unauthorized access to an application. Getting the full picture isn't always easy, but starting here is what matters. Prioritize applications that connect to financial services, human resources, payroll, and healthcare systems that contain large amounts of user data.

  2. Choose the appropriate scanning tools for the application

Agencies should evaluate their application development process. Do agencies write their own applications, or do they use contractors? If the latter, what access do they have to the contractor's development process? Are they involved early in the development process or only later? Do agencies rely on third-party code, such as open source libraries? The answers will determine the type of application security scanning tools an agency deploys. For applications written in-house, development teams have the full range of tools available: SAST, DAST, SCA and MPT. Agencies that outsource their application portfolio will face additional layers of complexity. With "purpose-built" apps, the agency owns the code but is not part of the development process. Although dynamic scanning and penetration testing can reveal vulnerabilities in completed software, scanning early in the development process is much more effective.

  3. Train developers in secure coding best practices

Most developers don't have in-depth knowledge of secure coding best practices; if they do, it came through on-the-job training. According to a 2019 Forrester Research report, "Show, Don't Tell, Your Developers How to Write Secure Code," none of the 40 college computer science programs the company surveyed across the United States required training in secure coding. A training component should be a fundamental part of agency application security programs. For now, the onus is on agencies and companies to develop secure products. According to Veracode's 12th State of Software Security (SOSS) report, developers who participate in hands-on training fix defects 35% faster than those who don't participate in an interactive training program.

  4. Continuously scan for vulnerabilities

Application layer attacks are on the rise, which means agencies can no longer afford to perform vulnerability scanning once a year or even quarterly. In the financial services and manufacturing industries, continuous testing and analysis are becoming the norm. In fact, most apps are now scanned about three times a week, compared to just two or three times a year a decade ago, according to the SOSS report. Agencies should run scans every time an application changes so they can understand and respond to the risk.

  5. Ensure AppSec is part of a defense-in-depth strategy

Agency CIOs and CISOs need to understand that defense-in-depth strategies encompass more than identity management, firewalls around a network, and intrusion detection. Those technologies are easier to implement than secure software development. However, Verizon's 2021 Data Breach Investigations Report notes that web applications continue to be a major attack vector, accounting for 39% of all data breaches over the past year. Improving application security strengthens an agency's overall security posture.

Looking ahead

Agencies and their partners must be vigilant to ensure that their software and applications, whether in development or in use, are resistant to tampering and hardened against attacks. The pressure to accelerate software development will only increase as government rushes to deliver better customer experiences through digital services. A comprehensive AppSec platform that is backed by strong DevSecOps practices and a cooperative team will ensure that agency software applications, built or purchased, are secure.

Chris Wysopal is co-founder and chief technology officer at Veracode.
