Today, the overwhelming majority of security vulnerabilities are software issues. So when network perimeters eroded and it became clear that traditional network security was insufficient by itself, Software Security Assurance (SSA) became a primary focus of government information assurance and compliance models. Traditional approaches to SSA have relied mostly on gated reviews performed by expert testers.
However, increased automation in static and dynamic analysis testing tools allowed agencies to evolve and scale these practices across the broader organization to meet growing needs. Now, as the government pushes forward with cloud adoption and DevOps, there is a greater need than ever for cloud-based SSA. With the proliferation of highly automated development operations environments and the accelerated development times they offer, developers want more ownership than ever of their own SSA testing, so that they can meet the strict security and compliance requirements established in the DISA Security Technical Implementation Guide (STIG) and the Risk Management Framework (RMF).
In this industry perspective, GovLoop, HPE and TSPi partnered to discuss the current state of application security in government, the importance of FedRAMP, and how it has allowed U.S. agencies to leverage the Fortify on Demand service to increase their agility and reduce cyber risk and costs.