Rather than ripping and replacing legacy systems, agencies are increasingly creating software applications to modernize their services.
This rapid rise in government applications has created significant benefits to the public sector. New applications help agencies better meet constituent demands for streamlined, multichannel experiences. They can also be developed to provide public servants with innovative digital tools to do their jobs more efficiently. Not to mention, agencies are cutting costs by applying software solutions to existing infrastructure, instead of undertaking larger hardware replacements.
But while software applications are transforming the face of government, they are also expanding government’s technology footprint and with it – the potential attack surface.
Each deployed application creates a new entry point into agency networks and the data within them. That means they must be secured to ensure they don’t become a new vulnerability. And that requires more than simply placing software behind firewalls or applying other one-off security protocols.
Applications must be protected across all phases of the Software Development Lifecycle – including code development, testing, deployment and ongoing use – to make a Software Security Assurance program successful.
Not only does this comprehensive approach enhance security, it is also proven to be the most cost-effective way to ensure policy execution, compliance and on-going enforcement. Yet only 20 percent of Enterprise Security architects today are integrating application security into the Software Development Lifecycle.
There are a lot of reasons application security is overlooked. For one, the application development cycle is rapid – which is great for getting applications to market quicker but can also mean that time isn’t allotted to properly vet security.
That also increases the portfolio of applications that agencies need to secure. Security professionals must protect legacy applications, certify new releases of software developed in-house using custom and open source code, and ensure the security of outsourced and commercial off-the-shelf applications as well.
With the scope and complexity of applications rapidly increasing, it’s easy for agencies to let application security lapse. But that’s not a risk that government can afford to take, given the potential for nefarious actors to use unsecure applications as gateways into networks.
To learn more about this setup and why it makes sense for government agencies, watch our recent self-paced course How to Secure the Development Lifecycle.