Public sector organisations face considerable pressures when developing software to underpin essential citizen services. Delivery timeframes are short, budgets are tight, skills are scarce, and security is paramount. Many public sector organisations employ experienced contractors to offset the shortage of in-house skills, but this can bring its own challenges when it comes to ensuring consistent security discipline. Contractors often have their own way of doing things and do not always have the security expertise to match their coding abilities.
Creating a Consistent DevSecOps Environment
An effective solution is to set up the development environment to intrinsically incorporate security testing by deploying a security testing platform that runs in the background of everything developers do and alerts them to vulnerable lines of code. By making security testing intrinsic to development, vulnerabilities are identified earlier and are easier, less costly, and less time-consuming to fix.
Adopting a software security testing platform means that, when developers join the team, they are entering an environment that is already built to deliver a level of application security that meets the external compliance requirements and internal risk appetite of the organisation, with the tools in place to support this.
When selecting and implementing an application security platform to deliver this assurance, these are the five key things to consider:
1. Acknowledge there is no silver bullet for application security.
Building secure applications will always be a combination of technology, people, and process. If you view this as buying a piece of software to fix a problem, it will fail. It must be an enabling tool within a culture that sees security as an integral part of DevOps and wants to build software that incorporates cybersecurity and compliance by design. An application security platform will work in partnership with development teams to reduce inherent risk, but the team needs to be on board with the expectations of secure development that will ensure software is safe.
2. Consider the environment as much as the coders themselves.
This is particularly important in the face of high developer churn when it is hard to secure skills from one project to the next. By creating a structured environment that includes security checks and balances at every stage of the software development life cycle (SDLC) you add value to the developers’ skills and design your own best practice for secure software delivery that becomes the standard, regardless of the different individuals that build software within it.
3. Choose a solution that integrates fully into CI platforms.
No one sets out to write vulnerable code, but developers often lack empowerment. By choosing a platform that uses automation and provides guidance for developers on how to fix security vulnerabilities, you give greater ownership to developers for the security aspect of their work. It gives them the opportunity to increase their security skills and helps them fix issues in real time, while keeping the security process overhead minimal.
To encourage adoption, the security platform needs to deliver the results of code scans in the way developers want to receive them. Any attempt to introduce new stages or processes will result in pushback, making return on investment slower to achieve. If a developer is using GitLab, for example, the scan results should be delivered back into GitLab. The AppSec platform needs the flexibility to integrate with whichever environment the developer is using.
4. Understand security risk in the context of your business.
There is no universal index that says a risk that is acceptable to one organisation will be acceptable to another. You need to assess the impact of security risk that’s inherent in the software you build and determine what is acceptable and what isn’t, then develop a risk management framework to overlay on the software security platform with automated rules that alert teams to the introduction of unacceptable risk.
It’s also important to remember that risk management is a continuous process, not a one-time exercise, and should be subject to frequent review as new risks and vulnerabilities emerge.
5. Choose a platform with strong compliance credentials, flexibility, and coding best practice.
The security standards applications need to satisfy are often determined by the compliance landscape the organisation operates in. From GDPR to HIPAA, and PCI DSS to Sarbanes-Oxley, there are a raft of regulations – both domestic and international – to consider. The software security platform needs to be configurable to support the fast development of compliant applications. As ever, speed is critical. If the software security platform takes six months to fine-tune for the compliance environment, this delays the time to value and achievement of ROI.
Even if the application is not directly governed by regulations, it is best practice to consider lists such as the OWASP Top Ten, the SANS Top 25, and the CERT coding standards. Using a platform with tools that can map to these standards and create custom, organisation-specific templates to support secure and timely software delivery provides a vital level of assurance.
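As an added illustration of the automated risk rules described in point 4 and the standards mapping in point 5 (example code written for this article, not part of any Checkmarx product), the following Python evaluates constructed scanner findings against a hypothetical organisation-specific risk policy. The finding format, the policy thresholds and the partial CWE-to-OWASP mapping are all assumptions.

```python
"""Added example (not Checkmarx's code): an organisation-specific risk policy
applied to SAST findings as an automated gate. Finding format, policy values
and the CWE-to-OWASP mapping are constructed for illustration."""
from dataclasses import dataclass

# Constructed, partial mapping of CWE ids to OWASP Top Ten (2021) categories.
CWE_TO_OWASP = {
    "CWE-89": "A03:2021-Injection",
    "CWE-79": "A03:2021-Injection",
    "CWE-287": "A07:2021-Identification and Authentication Failures",
    "CWE-532": "A09:2021-Security Logging and Monitoring Failures",
}

@dataclass
class RiskPolicy:
    # Severities the organisation never accepts (hypothetical values).
    block_severities: frozenset = frozenset({"critical", "high"})
    # OWASP categories blocked regardless of the reported severity.
    block_categories: frozenset = frozenset({"A03:2021-Injection"})
    # How many medium findings may be carried as accepted risk.
    max_medium: int = 3

def evaluate(findings, policy):
    """Return (passed, reasons); each finding has cwe, severity, file, line."""
    reasons = []
    mediums = 0
    for f in findings:
        sev = f["severity"].lower()
        category = CWE_TO_OWASP.get(f["cwe"], "unmapped")
        where = f"{f['file']}:{f['line']}"
        if sev in policy.block_severities:
            reasons.append(f"{where}: {sev} severity ({f['cwe']}, {category})")
        elif category in policy.block_categories:
            reasons.append(f"{where}: blocked category {category} ({f['cwe']})")
        elif sev == "medium":
            mediums += 1
    if mediums > policy.max_medium:
        reasons.append(f"{mediums} medium findings exceed the accepted {policy.max_medium}")
    return (not reasons, reasons)

# Constructed findings, as a scanner might report them for one merge request.
SAMPLE_FINDINGS = [
    {"cwe": "CWE-89", "severity": "Medium", "file": "app/db.py", "line": 42},
    {"cwe": "CWE-532", "severity": "Low", "file": "app/log.py", "line": 7},
    {"cwe": "CWE-287", "severity": "High", "file": "app/auth.py", "line": 19},
]

if __name__ == "__main__":
    passed, reasons = evaluate(SAMPLE_FINDINGS, RiskPolicy())
    print("PASS" if passed else "FAIL", *reasons, sep="\n")
```

The same function can run as a CI job step so that a merge request carrying unacceptable risk fails before review, while accepted medium findings are tracked rather than silently ignored.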
Choosing the right software security platform is an important step towards building secure applications without compromising the way developers want to work. As part of a culture that emphasises the importance of security, it creates confidence that public-facing applications are able to protect the personal data of the citizens they serve.
To find out more about how the Checkmarx software security platform can help public sector organisations deliver secure applications, fast, download our eBook here.