The General Services Administration is making a major push into enterprise application security this year, its top security official says, amid a broader government push to ensure agencies only use secure software.
GSA has made headway in implementing a zero trust architecture through the adoption of a secure access service edge (SASE) solution, modernized user and device directories, and new enterprise single sign-on solutions.
Bo Berlas, GSA’s chief information security officer, said fiscal 2024 will feature a big focus on securing “applications and workloads.”
While GSA has largely been implementing software security and supply chain security practices within its own “verticals,” Berlas said the agency is centralizing those capabilities.
“To truly be able to achieve synergy and value and be able to integrate that into a security strategy, it has to effectively be developed and delivered as an enterprise shared service,” Berlas said during an Oct. 10 event hosted by NextGov. “We’re essentially going through and doing a lot of investment within this space in the coming year by centralizing around a dedicated, app-sec solution, backed by tooling and people that effectively provide integrated support services into our agency application teams.”
The federal zero trust strategy directs agencies to operate “dedicated application security testing programs,” instead of just relying on documented security controls.
“To gain confidence in the security of their systems, agencies must analyze their software and its deployed functionality with a comprehensive and rigorous approach, whether their software is built internally or by a contracted vendor,” the strategy states.
Meanwhile, agencies are also increasingly focused on the security of third-party software developed and delivered by contractors. The Cybersecurity and Infrastructure Security Agency earlier this year released a draft attestation form that contractors would sign to confirm their compliance with software security standards.
Once the form is finalized, the Office of Management and Budget has directed agencies to begin collecting the form from their software vendors.
During a separate Oct. 10 event, CISA Executive Assistant Director for Cybersecurity Eric Goldstein cast the software attestation form as part of a broader effort to ensure technology companies are designing and delivering their products with the proper security measures.
Berlas pointed to how many recent cybersecurity initiatives stem from notable cyber incidents, such as the SolarWinds breach that ensnared multiple federal agencies.
“One of the fundamental lessons learned there is that we can’t take for granted the software that we’re effectively consuming, presuming that software itself is secure,” Berlas said. “Those very same vendors themselves have downline software dependencies. So it’s ensuring that visibility downline into the actual vendor, ensuring that they’re implementing good software security and application security best practices, and having a broader understanding of what some of their software supply chain risks actually look like.”