This post is an excerpt from our new 10-minute, self-paced course, How to Secure the Software Development Lifecycle.
The rapid rise in government applications has created significant benefits for the public sector. But while software applications are transforming government, they are also expanding government’s technology footprint and, because of that, the potential for cyberattacks.
To ensure every application at your agency is secure, you must ingrain security in each cycle of development – not just deployment. No matter what process management approach your agency uses to create applications, there are four main stages of software evolution – development, testing, deployment and monitoring.
Phase 1 – Development
This is where the application or software is ideated and created. Finding and fixing application security issues in this early stage is far less costly than waiting until after an application has been deployed, so empowering developers to create secure software from inception is critical.
To do this, create static assessments that are fully integrated within the environment where developers work, providing them immediate feedback during creation. And if you add open source component analysis, developers will receive automated alerts for known vulnerable components. Audited scan results, including line-of-code details and remediation advice, help drive secure coding best practices.
Phase 2 – Testing
Once an application is created, it should be further tested before it’s released in a live environment. Even if you included security in your design, it may meet new challenges in a real-world situation.
A dynamic or mobile assessment of the running application in a QA, test or staging environment simulates the real-world hacking techniques employed by potential hackers.
For web applications and web services, use dynamic assessments. These employ a combination of automated and manual testing techniques to crawl the application attack surface and identify exploitable vulnerabilities before an application release is deployed to production.
Similarly, mobile assessments employ a combination of automated and manual techniques to identify vulnerabilities across all three tiers of the mobile ecosystem-client including the device, network, and backend services.
Phase 3 – Deployment
With these tests completed, it’s time for deployment. But inevitably, not all vulnerabilities can be remediated for every application before it goes live. Misconfigurations in production environments can introduce issues not present in pre-production, and new zero-day vulnerabilities arise in between release cycles.
As soon as your application is live, repeat your tests to ensure everything is secure and working properly. But don’t assume these one-and-done tests are the end of your security requirements.
Phase 4 – Monitoring
Because technologies and cybersecurity threats constantly evolve, you’ll also want to ingrain security via monitoring.
A robust production monitoring regimen includes continuous dynamic scanning for vulnerabilities and risk profile changes, discovery of rogue applications, and run time detection of security events in the application itself.
These tasks, plus the security testing required in the early stages of application development, are critical. But they can be time-consuming and they require expertise to deploy correctly. That’s why many agencies leverage application security services.
To learn more about software application security, watch our GovLoop Academy nano course, here.