Five steps to protecting critical software with AppSec

Government is in a technological pickle. To meet the expectations of citizens who expect agencies to deliver the same user-friendly digital services that they get from online businesses and retailers, government development teams have turned to cloud-native technologies, microservices architectures, and open-source code to accelerate and scale development of new applications.

That growing dependence on agile technologies has increased speed of development in the software supply chain, and introduced new complexities and risks of the type...

READ MORE

Government is in a technological pickle. To meet the expectations of citizens who expect agencies to deliver the same user-friendly digital services that they get from online businesses and retailers, government development teams have turned to cloud-native technologies, microservices architectures, and open-source code to accelerate and scale development of new applications.

That growing dependence on agile technologies has increased speed of development in the software supply chain, and introduced new complexities and risks of the type seen in recent headlines: the SolarWinds hacks, Microsoft Exchange Server breach, and the open-source Log4j vulnerability. The government’s dependence on software means that a single security flaw could knock critical services offline.

With every hack and breach, public trust in government operations is tested.

Visibility across applications

Recent government mandates, such as the President’s Executive Order on Improving the Nation’s Cybersecurity, have turned the spotlight on protecting agencies’ software supply chains and critical software. In July 2021 the National Institute of Standards and Technology issued security measures for “EO-critical Software” to rapidly identify, document and mitigate known vulnerabilities.

NIST guidelines call for dynamic application security testing platforms to address application vulnerability management. Agencies have received guidance on securing critical software, as well. An August 10, 2021 memo from the Office of Management and Budget gave agencies 60 days to identify all agency-critical software, whether in use or in the process of acquisition. Over the next two years, agencies must implement security measures designated by NIST for all categories of critical software.

To be effective, an application security platform should provide visibility into application status across all testing types, including static application security testing (SAST) for reviewing vulnerabilities in source code, dynamic analysis security testing (DAST) for web application analysis, software composition analysis (SCA) for managing open-source components, and manual penetration testing (MPT), in one centralized view.

Moreover, agencies need a comprehensive approach to securing critical software. Here are five recommendations for agency development and security teams to consider as they develop and deploy AppSec solutions.

  1. Identify and prioritize inventory

Per OMB’s mandate, agencies have or are in the process of identifying critical software. This is an opportunity for agencies to get a clear picture of applications and their attack surfaces – the sum of all potential entry points for unauthorized access into applications. Getting a complete picture isn’t always easy but starting here is what matters. Prioritize applications that connect to financial services, human resources, payroll and healthcare systems that have large amounts of user data.

  1. Choose scanning tools to fit the application

Agencies should assess their application development process. Are agencies writing their own applications or using contractors? If the latter, how much access do they have to the contractor’s development process? Are they involved early in the development process or later? Do the agencies rely on third-party code, such as open-source libraries? The answers will determine the type of application security scanning tools an agency will deploy. For applications written in house, development teams have more available tools: SAST, DAST, SCA and MPT. Agencies that contract out their application portfolio will encounter additional layers of complexity. With applications that are “purpose built,” the agency owns the code but isn’t part of the development process. Although dynamic scanning and penetration testing can uncover vulnerabilities in completed software, scanning early in the development process is far more effective.

  1. Train developers in secure code best practices

Most developers have no substantial background in secure coding best practices. If they do, it is through on–the-job training. According to a 2019 Forrester Research report, “Show, Don’t Tell, your Developers how to Write Secure Code,” of the 40 university computer science programs the company surveyed across the U.S., none required secure coding training. A training component should be a foundational part of agencies’ application security programs. For now, the onus falls on agencies and enterprises to develop secure products. According to Veracode’s 12th State of the Software Security (SOSS) report, developers that take part in hands-on training can fix flaws 35% faster than those who are not involved in an interactive training program.

  1. Continuously scan for vulnerabilities

Application layer attacks are on the rise, which means agencies can no longer afford to perform vulnerability scanning only once a year or even quarterly. In financial services and manufacturing industries, continuous testing and scanning are becoming the norm. In fact, most applications are now scanned around three times a week, compared to just two or three times a year a decade ago, according to the SOSS report. Agencies should run scans every time an application changes to understand and respond to risk.

  1. Ensure that AppSec is part of a defense in-depth strategy

Agencies’ CIOs and CISOs must understand that defense-in-depth strategies encompass more than identity management, firewalls around a network and intrusion detection. Those technologies are easier to implement than secure software development. However, Verizon’s 2021 Data Breach Investigations Report notes that web applications continue to be a major attack vector, representing 39% of all data breaches in the last year. Improving application security strengthens an agency’s overall security posture.

Stepping into tomorrow

Agencies and their partners must be vigilant in ensuring that their software and applications, whether under development or in use, are resistant to tampering and fortified against attack. The pressure to speed up development of software will only increase as the administration races to deliver better customer experiences via digital services. A comprehensive AppSec platform that leverages strong DevSecOps practices and a cooperative team will ensure that agencies’ software applications, built or bought, are secure.

Chris Wysopal is co-founder and chief technology officer at Veracode.

Related Stories