Federal agencies need to make new software available quickly in order to meet emerging mission needs and rising constituent expectations. At the same time, they must protect their systems and processes.
It’s an inherently difficult situation. If the code behind a new application has flaws, adding code for cyber defense on top of it “is not necessarily bringing you more security,” said John Allison, Director, Public Sector, with Checkmarx/TD Synnex. “With the money you spent to buy a firewall, would that … have been better invested in application security, [in] the original application you’re trying to secure?”
Agencies are under pressure to get this right. The National Cybersecurity Strategy calls for “secure development practices” related to software, while documents such as the Secure Software Development Framework from the National Institute of Standards and Technology likewise call for robust security throughout the application-development process.
AppSec Testing During Development
So how can agencies release new applications without creating new vulnerabilities? They can embrace a cloud native platform for application security testing during the development phase.
Testing the security of applications during their development “benefits not only the federal agencies, but the end users as well,” Allison said. Constituents can interact with government safely, knowing their personal data is secure, “and agencies are not waiting for delivery to find out that there are critical flaws, and then having to address those after an application has already been delivered.”
Seeing Your Application Security Mistakes
The comprehensive Checkmarx One cloud-native application security platform offers agencies the testing they need throughout the software development life cycle. With a holistic set of scanning engines and analytics to help developers discover and remediate vulnerabilities in their preferred workflow, “it offers near real-time response: ‘Here are the mistakes you made, here’s what you may have overlooked,’” Allison said.
And with the ability to support teams in multiple programming languages, the AppSec platform “integrates seamlessly in [agencies’] build process, so as to not disrupt their workflow,” he said. “And it gives leadership a single dashboard to see where everything’s going.”
The platform includes a risk prioritization indicator — so developers can focus their efforts on an application’s most critical vulnerabilities first — and a policy management tool that helps agencies comply with relevant requirements.
Considering Contractor Security
In addition to securing their in-house efforts, organizations can leverage Checkmarx One to ensure that applications built by outside contractors are secure.
“Agencies can mandate application security requirements as part of the processes that their contractors need to meet when developing software,” Allison said. And they can go even further, building fee structures that incentivize contractors to reduce the number of security issues in their applications, before they deliver to the government.
“Fixing software after it’s delivered is always more complicated and expensive. Let’s raise that bar before delivery,” he said. For agencies moving in this direction, “Checkmarx is great for helping contractors meet those contractual obligations.”
This article appeared in our guide, “Agencies of the Future: How to Break Down Barriers to Growth.” For more about how governments are embracing change, download it here:
Leave a Reply
You must be logged in to post a comment.