More than ever, the government runs on software. Indeed, reliance on software applications has increased rapidly in recent years – and will continue to grow. IT modernization enables agencies to deliver services in ways that are faster, more accurate, and more efficient.
Yet digital government faces challenges, especially in the field of cybersecurity. Securing government software and software supply chains has proven to be a major challenge for government agencies. Sometimes the response to that challenge has yielded mediocre results. Compared to other industries, the public sector has the highest percentage of applications with security flaws (82%), according to Veracode’s State of Software Security: Public Sector report.
Maintaining a secure domain in the rapidly changing cyber environment requires strengthening software security, starting in the earliest stages of the software development lifecycle, an approach known as ‘shifting left’.
Traditional application development practices rarely emphasized security. Developers treated it as an add-on, something applied at the end of the development process, an afterthought. Adopting a new mindset and addressing security vulnerabilities earlier in the software lifecycle is what ‘shifting left’ means in practice.
In addition, comprehensive security requires a zero trust approach to networks, including code in the software supply chain. Applying zero trust principles to the software supply chain assumes that all software – whether commercial, third-party or open source – is guilty until proven innocent.
To amplify and promote the benefits of this shift, the National Institute of Standards and Technology released guidelines earlier this year to help agencies achieve application-level security. The Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e defines guidelines for federal agency personnel with software procurement responsibilities (e.g., acquisition and procurement officers, technology professionals, etc.). These guidelines teach federal employees how to access vendor information necessary to assess the secure software development practices of software manufacturers.
Today’s software development involves assembling hundreds or thousands of open source components. Developers don’t write code as much as they put it together. To develop secure software, you must know the origin of the open source code you use and test it for vulnerabilities at every stage of the development process. In its guidelines for strengthening software supply chain security, NIST recommends that developers use a common language around security requirements, agree on development processes and procedures, and provide a broader view of how secure software development is conducted, among other recommendations.
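Knowing the origin of third-party code and testing it at every stage can be enforced mechanically at the dependency boundary. The script below is an added illustration, not code from the article or from Veracode: it reads a constructed lockfile in pip requirements syntax (the `--hash=sha256:` form pip itself accepts), requires every package to be pinned to an exact version with a content hash, recomputes the hash of the artifact actually fetched, and fails closed on anything it cannot verify. The package names, artifact bytes and hashes are all constructed for the example.

```python
"""Fail-closed dependency gate (added example, not from the article).

Every third-party package must be pinned to an exact version and carry a
content hash that matches the artifact actually fetched.  Anything that cannot
be verified is rejected: the dependency is treated as guilty until proven
innocent.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for downloaded artifacts (not real package contents).
ARTIFACTS = {
    "requests": b"constructed bytes standing in for requests-2.31.0.whl",
    "urllib3": b"constructed bytes standing in for urllib3-2.0.7.whl",
    "flask": b"constructed bytes standing in for flask-3.0.0.whl",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used for provenance checks."""
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile. Only the first entry is fully verifiable; the others
# show the failure modes the gate is meant to catch.
SAMPLE_LOCKFILE = f"""
# constructed example lockfile
requests==2.31.0 --hash=sha256:{sha256_hex(ARTIFACTS['requests'])}
urllib3==2.0.7 --hash=sha256:{'0' * 64}
flask>=2.0
"""

# name, optional comparison operator, optional version, trailing options
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S*)(.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass
class Finding:
    package: str
    status: str  # ok | unpinned | no-hash | missing-artifact | hash-mismatch
    detail: str = ""


def check_lockfile(text: str, artifacts: dict) -> list:
    """Return one Finding per requirement line; only 'ok' entries pass."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append(Finding(line, "unparseable"))
            continue
        name, op, version, rest = m.group(1).lower(), m.group(2), m.group(3), m.group(4)
        if op != "==":
            # A range lets a future (possibly malicious) release slip in.
            findings.append(Finding(name, "unpinned", f"operator {op!r}"))
            continue
        hashes = HASH_RE.findall(rest)
        if not hashes:
            # Version alone does not bind the name to specific bytes.
            findings.append(Finding(name, "no-hash", version))
            continue
        data = artifacts.get(name)
        if data is None:
            findings.append(Finding(name, "missing-artifact", version))
            continue
        actual = sha256_hex(data)
        if actual not in hashes:
            findings.append(Finding(name, "hash-mismatch", actual[:12] + "..."))
            continue
        findings.append(Finding(name, "ok", version))
    return findings


def gate_passes(findings: list) -> bool:
    """The build may proceed only if every dependency verified cleanly."""
    return all(f.status == "ok" for f in findings)


if __name__ == "__main__":
    results = check_lockfile(SAMPLE_LOCKFILE, ARTIFACTS)
    for f in results:
        print(f"{f.package:10} {f.status:17} {f.detail}")
    print("gate:", "PASS" if gate_passes(results) else "FAIL")
```

Run against the constructed lockfile, the gate reports `requests` as verified, `urllib3` as a hash mismatch (the lockfile hash does not match the fetched bytes) and `flask` as unpinned, and the build is refused. The same check belongs at every stage the article names: when a dependency is first added, in continuous integration, and again when the release artifact is assembled, so that a component whose provenance changes between stages is caught rather than assumed good.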
It’s just the beginning
NIST’s guidelines are a beginning, not a destination. In some cases, proposed minimum recommendations will be insufficient. Nor do the guidelines replace the stricter requirements that already apply to securing software development.
The full implementation of cybersecurity safeguards – from a zero trust architecture to secure software supply chains – will take years. In reality, agencies will never fully overcome cyber threats that mutate alongside changing cyber environments. Government agencies today can nevertheless take steps to strengthen cybersecurity and promote the advancement of key security initiatives, such as zero trust.
Software developers in the workforce often lack training in developing secure applications. For many of them, the early years of their careers coincided with an era when software security was an afterthought, if at all. Even today, computer science programs at many colleges and universities provide little or no training in secure software development. To close the skills gap, agencies should consider developing in-house programs to promote cybersecurity.
For years, software developers have prioritized product functionality and short build times over software security. Developers often added security features to software after construction was completed, putting up a layer of security much like a homebuilder wraps a Tyvek sheath on a house after it has been framed. Changing the culture to increase security is paramount. Agencies will know that they have managed to “shift left” when developers bring up security issues at the beginning of software development.
The NIST guidelines promote consistency and predictability in software development and auditing processes and procedures. Agencies can use the guidelines as a basis for broadly overhauling the way they secure software throughout its lifecycle. Secure software development practices should be integrated throughout the software lifecycle to mitigate vulnerabilities in released software and minimize the exploitation of undetected or unaddressed vulnerabilities. This addresses the root causes of vulnerabilities rather than their symptoms.
“Shifting left” allows developers to more thoroughly examine the open source code used in applications and to address security vulnerabilities at a stage of the process when fixes are relatively simple. Using these and other security measures at the beginning of the software development lifecycle reduces the risk of vulnerabilities creeping into the deployed software.
Inadequate software testing is the most avoidable cause of application layer software security vulnerabilities. It is also widespread. Scanning applications throughout the software lifecycle — from concept development to deployment and through to decommissioning — eliminates most vulnerabilities that lead to security breaches and catastrophic events, including data loss, ransomware attacks, and infrastructure destruction. Acquiring and using tools designed to identify vulnerabilities that need fixing is a proven way to mitigate risk.
Agencies need robust capabilities
A single platform helps developers test software throughout the development lifecycle and offers numerous benefits, not least the ability to view comprehensive test results without switching between multiple dashboards. A robust platform provides tools to perform static application security testing, dynamic application security testing, software composition analysis, and manual penetration testing, among others.
Act now to nip cybersecurity vulnerabilities in the bud; when it comes to cybersecurity, all software is guilty until proven innocent.
Chris Wysopal is the founder and chief technology officer of Veracode.