During the past year, we’ve seen numerous incidents where highly respected and widely utilized software solutions have been exploited to launch highly effective cyberattacks against their users. In many instances these solutions had vulnerabilities that malicious actors could exploit to compromise the networks of every organization that utilized the software, making it nearly impossible to know how far-reaching these attacks have been or how large an impact they have truly had.
Government agencies are treasure troves of personally identifiable information (PII) about citizens and of sensitive data that is classified or top secret. They’re incredibly attractive targets for hackers, which puts them at very high risk of cyberattack. Simultaneously, ongoing digital transformation initiatives are making applications foundational and essential for agency operations. This means that organizations at high risk of cyberattack are racing to embrace and deploy applications at a time when software vulnerabilities are among the most common exploits utilized by attackers.
In this environment, securing the applications that are being developed for and by government agencies is of the utmost importance. And that’s why an entire panel discussion at the recent Red Hat Government Symposium focused on that topic – securing the software supply chain – specifically.
We recently sat down with Evong Nham, the Senior Director of Solutions Architecture for Red Hat U.S. Public Sector, who moderated that discussion, to learn more about why securing the software supply chain is so important, but also so difficult. Here is what she told us:
GovDevSecOpsHub (GDSOH): With digital transformation and modernization rife across the federal landscape, how has the importance of software and applications changed in the past half-decade across the government? What exciting ways are we seeing federal agencies and military organizations embracing applications and harnessing the power of data?
Evong Nham: Fundamentally, the way we write software hasn’t changed in decades, but what we ask of software has. At some point, there’s going to be a huge paradigm shift in how we do development to address that gap.
The government is the greatest data owner in the world, and we have really only just scratched the surface of how to harness the power of that data. Right now, too much of it is still locked up in silos – in legacy systems, at the edge, in different clouds, or even on paper.
As we continue to understand the importance of data in driving our decision-making, applications will move increasingly towards artificial intelligence (AI) and machine learning (ML), where we train models to ingest and interpret data real-time, without human intervention. That is going to be the next big leap and I think realistically we’re only at the precipice of that change.
GDSOH: With so much focus on developing, deploying, and bringing new solutions to bear for users, have we seen a shift in how developers work and operate? Are there new pressures that they’re facing? How has the increased importance of applications influenced or impacted the development process?
Evong Nham: Our IT consumers are 100 percent digitally native, even more so in a pandemic world, and that does indeed create new pressure on developers. The only access we have to our constituents now is digital so it’s imperative that we’re able to field new functionality faster and more reliably.
We also have to keep the digital experience on par with industry to keep our users engaged. Therefore, the developer is king, and whatever removes bottlenecks for them will triumph. They are embracing technologies that provide super automation and abstraction of menial, non-mission-related tasks.
GDSOH: We’ve seen a large number of high-profile ransomware attacks and breaches this past year. Many of these have been the result of software vulnerabilities. What are some best practices to mitigate these vulnerabilities?
Evong Nham: The government often finds itself in both roles, as a creator and consumer of software. As a consumer, the software obviously needs to be kept up to date and that can’t be done via a manual process.
If it’s managed manually, it’s simply not going to happen with the level of diligence security requires. Similarly, with downstream systems, everything needs to be automated.
The practices of continuous integration and continuous deployment (CI/CD) not only allow us to build software with regularity but update dependencies as well.
GDSOH: At the recent Red Hat Government Symposium, you moderated a panel about securing the software supply chain. Why is securing it so essential?
Evong Nham: The supply chain is everything. Many of us have experienced first-hand the impacts of supply chain instability during COVID.
It’s great to see the White House recognize the criticality of the supply chain and create action plans around both the physical and software supply chains. This is so important because it affects us all, and any vulnerabilities put the entire supply chain at risk.
The White House recently hosted a joint public and private sector meeting and directed NIST to help develop guidance on the supply chain. We look forward to seeing how they translate the feedback they gather from both public and private sector participants into meaningful guidance for everyone supporting the federal mission.
GDSOH: What role can DevSecOps play in helping developers create software at the speed of innovation without sacrificing security? Is it something that the government should encourage or mandate?
Evong Nham: A pipeline in many ways is the manifestation of the DevSecOps principle. It can be the crux of the collaboration between developers, operations, and security. As such, security should be integrally involved in the creation of the pipeline.
I don’t often see this being the case.
A plan for a pipeline should involve a discussion with your security officer on what exactly needs to be demonstrated to them to consider a piece of software to be production-ready. As much as possible that should be automated via the pipeline, making not only innovation faster but also security integral to the solution.
GDSOH: What can attendees learn from your panel at the Red Hat Government Symposium? Why is it a particularly timely and topical discussion to have right now?
Evong Nham: Obviously, security is front of mind for everyone in government in light of recent events. The cyber threats we face to the homeland are at an all-time high. This can be an incredibly daunting challenge for federal CIOs.
The panel was an open discussion seeking perspective and advice from members of industry on how to approach securing the software supply chain.