Today’s government agencies and military organizations are developing applications and digital services as fast as they can to meet urgent needs. This rapid pace of application development only accelerated in 2020 when government IT departments and application development teams were tasked with quickly implementing the solutions and capabilities necessary to support a remote workforce.
The increased reliance on applications across the government – coupled with the rapid pace of development – creates a large problem for our agencies. Most exploited network vulnerabilities exist at the application layer, and today’s government agencies are facing an increasingly sophisticated and ever-growing threat landscape of malicious actors looking to compromise networks for political or personal gain.
This has become incredibly apparent to the American public over the past few months, which witnessed several high-profile ransomware attacks and security breaches. First, there was the SolarWinds breach in late 2020 that may have impacted as many as 10 different government agencies. Then, more recently, critical supply chains – including America’s critical food and gas supply chains – were rocked by large ransomware attacks.
In light of these recent threats and successful breaches – and because application vulnerabilities are those most frequently exploited in successful attacks – it’s essential that government agencies and military organizations strengthen application security. However, that increased application security can’t come at the expense of speed in the software development and deployment process.
In a recent issue brief entitled “Heading Off Risk: A Unified Approach to Application Security and Delivery,” Checkmarx takes a detailed look at how a unified DevSecOps approach that incorporates security design, implementation and testing into the software development life cycle (SDLC) can help increase application security without sacrificing rapid application development. The issue brief also shares seven key trends that are making a DevSecOps approach to application development essential to today’s government agencies and military organizations.
Here are seven trends driving the need for DevSecOps and a more unified approach to application security across the federal government:
1. Demand for rapid application delivery. An urgent need for digital services and remote work has forced development teams to work faster than ever. Nearly 80 percent of organizations forward vulnerable code to production, often to meet critical deadlines or because issues were discovered too late in the release cycle.
2. Ransomware and other attacks that target application vulnerabilities. Thirty percent of successful attacks happen at the application layer. The attack that targeted vulnerabilities in SolarWinds and other vendors’ applications offered a lesson no organization wants to repeat.
3. Proliferation of IoT devices. As Internet of Things (IoT) devices are increasingly integrated into workflow processes, they become a doorway to exploitation. In Florida, for example, a hacker unsuccessfully attempted to poison a municipal water supply by using an IoT/operational technology device to remotely access water management software on an outdated, unsupported computer.
4. Cloud-native development. Analysts project that by 2022, 90 percent of new applications will be developed using agile methodologies and API-driven architectures that leverage microservices, containers and serverless functions. Undiscovered vulnerabilities in these pieces of code can quickly proliferate into other infrastructure and applications.
5. Reliance on open-source software. According to ESG, 80 percent of development teams draw at least 26 to 49 percent of their code from open-source libraries; however, fewer than half are using tools such as software composition analysis to test the security of open-source code.
6. Insufficiently trained developers. Most developers are not adequately trained in security-related practices for writing and remediating code. While proper training helps eliminate design flaws at the root, few top universities embed cybersecurity training into their coding programs, and traditional teaching approaches don’t always provide the immediacy and relevance that developers seek.
7. Ad hoc and incomplete toolsets for app security. Agencies usually have an array of app security testing tools, but many of them are siloed or ad hoc, niche tools that once addressed an immediate security challenge but now are rarely used. In many cases, organizations have difficulty aggregating data from all these tools and integrating security tool data with their development tools.
To learn more about the application security challenges facing today’s federal government, and how federal agencies can improve the security of their applications, click HERE to download a complimentary copy of “Heading Off Risk: A Unified Approach to Application Security and Delivery.”