The conversation about hardening the software and technology used in the public sector is an age-old one, but it continues to be important. Agencies must be able to trust the technology they use both day-to-day and in critical situations. But that challenge is getting increasingly complex. Trillions of lines of software code are created each year, billions of devices are online, and bad actors increasingly have the upper hand.
New developments in security – such as integrating security into the software development lifecycle, aka DevSecOps – are important to the future of resiliency, public safety, and national security – yet at times are hard to keep up with.
To help agencies chart this complex landscape, DLT recently partnered with the Institute for Critical Infrastructure Technology (ICIT) aka “The Cybersecurity Think Tank” and top government and industry leaders for an online discussion: Interactive Security Testing, DevSecOps, and NIST SP 800-53 Rev. 5.
The session began with an overview by NIST fellow, Dr. Ron Ross, of what’s new in NIST SP800-53 Rev. 5 in particular the inclusion of “interactive security testing” – a testing process that detects a variety of vulnerabilities by observing running applications during the development process.
The benefits of interactive security testing
Dr. Ross went on to explain the significance of interactive security testing for the government community: “Integrating security testing into the application development lifecycle is one of the biggest things to happen with DevSecOps and a big cost saver for the federal government and saves a lot of work on the backend of the process. This frees up taxpayer dollars for other critical security functions.”
This thinking was reiterated by Tim Henderson, ICIT Contributor and Sr. Security Advisor with AWS: “We tend to think of critical applications as a dam and security as this cartoonish function that runs around trying to plug all the holes that spring open. But what needs to happen is for application engineers or architects to build a highly resilient dam in the first place so that security practitioners can focus on the key elements of protecting it.”
Too often security is sacrificed to meet app development deadlines
The panel also went on to discuss the common pitfalls of today’s DevOps process that stall progress towards integrating security early in the development process. A live poll found that the audience agree that organizations are sacrificing security to meet project deadlines. The most common reason being that developers are not sufficiently trained on cybersecurity followed by pushback from operations teams.
Part of the challenge is that government has stove-piped security for years, said panelist Jeff Hsiao, ICIT Contributor and Security Solutions Engineer with Checkmarx. “Stove-piping has been a common characteristic of all security where you wait till the very end of the development process to run an app scan and you get a huge report of all the things that need to be fixed – instead of moving to the left and getting new technology into the hands of developers, which is ultimately where any fix has to occur,” said Hsiao.
“Importantly, integrated security testing is included as a new security control in the new version of NIST 800-53,” Hsiao continued. “It’s a technology that allows you to do application security testing on a live application. Prior to that most folks would wait until the application was developed – now there’s no reason to do that, now you can identify issues upfront and developers can address them there and then.”
“The tooling, the processes, that stuff isn’t DevSecOps. DevSecOps is culture…to expand it across the enterprise you need a top-down approach that builds it across the cultural base” – Jeff Hsiao, ICIT Contributor and Security Solutions Engineer with Checkmarx
Executive buy-in and cultural change is essential to success
Of course, it’s not just about technology. A cultural shift and executive sponsorship is needed to ensure the success of projects that embed security into the DevOps process.
“If this is your first foray into DevSecOps, that buy-in is essential,” said Hsiao. “You need the runway to build and resource appropriately and its critical that you have the underpinning of the executive structure of the organization because you’re going to have to do so much cross collaboration with different business units and entities. It’s also critical that security practitioners lead the way, building communities of practice, helping create that culture of security, and recognizing security as a function of software quality.”
Moving organizations forward to integrated security testing
The conversation moved to how agencies can make security a priority in the application development process and gain executive buy-in.
“For culture it’s understanding that you’re not by yourself. It’s not just the agency but the community around you – the integrators, the think tanks like ICIT, and industry vendors – we’re all in this together,” explained Hsiao. “No one wants to code insecurely or have vulnerabilities in their software. If you’re seeking help, folks will be willing to give it to you.”
Adding his perspective, Henderson explained: “It goes back to executive sponsorship and the lack of that as a pitfall. I routinely see organizations have some success with DevSecOps, maybe they got one or two teams rolling, but they’re not scaling it across the enterprise because there’s no overall buy-in or the ability to transform that culture.”
He continued: “We’re talking fundamental cultural transformation for a lot of organizations. That means looking at your hiring practices, procurement practices, all the interweaving of team building that goes into integrating the security effort as a quality function of an organization. The tooling, the processes, that stuff isn’t DevSecOps. DevSecOps is culture…to expand it across the enterprise you need a top-down approach that builds it across the cultural base”
In this hour-long discussion, the panel also took questions from the audience and shared best practices on how agencies can move forward with DevSecOps given the current climate in which teams and resources are highly distributed.
For more insights from this dynamic panel which also included Joyce Hunter, Former Deputy CIO for Policy and Planning, USDA the discussion is now available to watch on-demand. You can also learn more on this topic in our eBook: An Integrated Approach to Embedding Security into DevOps.