This article was originally featured on the Checkmarx blog.
In a recent FedRAMP survey conducted by Maximus and Genesys, 49 percent of state and local government respondents said most of their systems and solutions were in the cloud. An additional 9 percent said all of them were. Unsurprisingly, 69 percent said cloud computing is essential to their agency’s operations.
The reasons for switching away from on-prem include scalability and cost control. Things changed quickly too, of course, when agency offices closed in 2020 to slow the spread of COVID-19. Citizen services switched to online delivery, and agency workforces needed remote access to vital work applications as state and local governments found themselves on the front lines of pandemic response.
Agencies face budget constraints on top of a citizen base with high expectations of digital services that match their experiences with commercial software. Citizens quickly question agencies’ credibility when digital services don’t provide the seamless, personalized experience to which they are accustomed. As a result, agencies have been under pressure to develop a cost-effective software infrastructure that can deliver flexible online services and scale up instantly to meet peak demand during emergencies.
The cloud simplifies rapid application deployment, allowing resources to scale on-demand with flexible, consumption-based billing models. Agencies no longer have to provision and maintain costly on-premises infrastructure just in case emergencies arise; instead, they can shift costs from capital to operational budgets, knowing they will be covered in a peak demand event.
Migrating to the cloud also allows agencies to implement turnkey solutions that use consistent processes and protocols while ensuring regulatory compliance. It’s more difficult to implement or map to such standards in on-premises environments that are typically heterogeneous, having grown as needed while reflecting a team’s changing personalities, skillsets, and priorities over the years.
Despite the benefits of the cloud, any change brings new risks. Agencies have put their faith firmly in the cloud and must ensure citizens’ private data is safe within modern application development components.
Ultimately, with all its speed and complexity, cloud-native modern application development needs software security designed to quickly scale so agencies can uphold their part of the shared responsibility model.
The Shared Responsibility Model for Cloud Security
Cloud services offer State and Local Government agencies protection beyond anything an individual agency could deliver in-house. This built-in cloud security eliminates a considerable operational burden as the cloud service provider (CSP) is responsible for the host operating system and virtualization layer, down to the physical security of the data centers in which services are deployed. In fact, 72 percent of state and local respondents to the Maximus/Genesys survey felt that mission-critical data was more secure in the cloud than on-premises.
This is only half of the equation, however. Agencies cannot hand over all security responsibilities to a CSP. While the cloud itself may be secure, the security of applications developed and released to production in the cloud remains the agency’s responsibility. Application security ultimately protects citizen data, and when development is cloud-native, there are more kinds of code and application building blocks to secure.
Centralizing AppSec Strategy to Realize Cost, Efficiency, and Security Benefits
Agencies must develop a comprehensive AppSec strategy that covers all the different code components of cloud-native application development. They need an optimized solution that can mature and scale with their team as their journey in the cloud continues.
A centralized, consolidated approach is critical to success. Otherwise, agencies might purchase multiple point products to scan all their code across different languages and frameworks (containers, infrastructure as code [IaC], third-party packages, APIs, etc.). This is expensive and makes life difficult for developers, who have to assimilate and respond to alerts from multiple sources that often integrate poorly, if at all.
Alternatively, agencies that can only afford a few solutions with limited breadth and depth might not adequately scan their code to begin with. Missed vulnerabilities could put citizen data at risk.
SLED agencies need to choose vendors that take a centralized approach to AppSec tooling, with scan engines that offer a breadth of language support and cover the entire software development life cycle (SDLC), aggregating more insightful results for faster remediation at a lower total cost of ownership. This optimized strategy benefits public sector budgets as well as the developer teams responsible for delivering secure cloud-native applications by resolving tensions around cost, security, efficiency, and speed.
Accelerating AppSec for Cloud-Native Development Processes
Speed is central to devising an optimized AppSec strategy and choosing the right supporting tools. If an agency’s AppSec testing tools are not developer-centric, not tightly integrated into DevSecOps processes, and not connected to one another, code scans can be time-consuming. Consequently, an agency may scan less frequently—perhaps only daily, or only weekly—and inundate their teams with large numbers of discovered vulnerabilities, interrupting workflows and delivery schedules.
Cloud-native development requires a faster, more iterative solution that helps agencies move toward DevSecOps, integrating and automating security scans at every stage of the SDLC. Checkmarx CxSAST, for example, scans uncompiled source code, so it doesn’t require a build. This means an agency can perform dozens of automated scans per day, giving teams immediate, prioritized feedback specific to the branch a given developer is working on, so they can fix the issue right away.
Agencies must also scan cloud-native code, whether it’s developer-written IaC pushed rapidly to production, third-party code, or APIs essential to rapid application development. The open source KICS project allows fast, frequent scans of IaC to identify any issues that may lead to vulnerabilities.
Using AppSec tools like these that fully integrate into the CI/CD pipeline, agencies can maintain the pace of cloud-native application development without introducing additional risks.
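As an added example (not code from the article, Checkmarx, or the KICS project), the following pipeline gate consumes a KICS-style JSON report and blocks a merge on findings at or above a chosen severity, scoped to the files touched in the developer's branch. The report layout (a list of queries, each with a severity and the files it matched) and the constructed sample findings are assumptions.

```python
"""CI gate for IaC scan results.

Added example, not code from the article or the KICS project. The report
layout ('queries' -> 'files', one 'severity' per query) is an assumption
about the scanner's JSON output; the sample below is constructed.
"""
import json

# Constructed sample report in the assumed KICS-style layout.
SAMPLE_REPORT = json.dumps({
    "queries": [
        {"query_name": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH",
         "files": [{"file_name": "modules/storage/main.tf", "line": 12}]},
        {"query_name": "Security Group Open to 0.0.0.0/0 on Port 22", "severity": "HIGH",
         "files": [{"file_name": "modules/network/sg.tf", "line": 7},
                   {"file_name": "modules/network/sg.tf", "line": 21}]},
        {"query_name": "Resource Not Using Tags", "severity": "INFO",
         "files": [{"file_name": "modules/storage/main.tf", "line": 1}]},
    ]
})

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json):
    """Flatten the report into one finding per (query, file, line)."""
    out = []
    for q in json.loads(report_json).get("queries", []):
        for f in q.get("files", []):
            out.append({"query": q["query_name"], "severity": q["severity"].upper(),
                        "file": f["file_name"], "line": f["line"]})
    return out


def gate(report_json, fail_on="HIGH", changed_files=None):
    """Return (passed, blocking_findings), highest severity first.

    If changed_files is given, only findings in those files can block, so a
    developer gets feedback on their own branch rather than the whole repo.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for fd in findings(report_json):
        if changed_files is not None and fd["file"] not in changed_files:
            continue  # outside this branch's diff: report elsewhere, don't block
        if SEVERITY_RANK.get(fd["severity"], 0) >= threshold:
            blocking.append(fd)
    blocking.sort(key=lambda fd: (-SEVERITY_RANK[fd["severity"]], fd["file"], fd["line"]))
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    ok, blockers = gate(SAMPLE_REPORT, fail_on="HIGH")
    for b in blockers:
        print(f'{b["severity"]:8} {b["file"]}:{b["line"]}  {b["query"]}')
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline step
```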