Facing DevSecOps hurdles, federal agencies need a modern approach to security

Increased threats mean the government can’t sleep on cybersecurity. Learn how federal agencies can improve their security posture without sacrificing innovation.

Facing DevSecOps hurdles, federal agencies need a modern approach to security

Cybersecurity is no longer a nice-to-have. It’s an imperative for organizations that create, distribute, and manage software every day – especially true for federal agencies as the government moves away from legacy technology in the race to improve user experience and shift to the cloud for greater flexibility. 

In 2020 alone there was a 435% increase in ransomware. And in 2021, the average cost of a data breach reached a 17-year high at $4.24 million. If cyberattacks and their consequences aren’t taking a break, how can government agencies stay resilient against threats old and new without losing steam and how can they modernize DevSecOps to keep pace with innovation? 

We recently discussed these questions and more in a sponsored webinar with ATARC: Fostering Effective DevSecOps with Modern Application Security. The panel of expert guests included:

  • Christopher Crist, Chief of Development, Security, and Operations, U.S. Transportation Command
  • Greg Edwards, Chief Information Security Officer, Federal Emergency Management Agency, U.S. Department of Homeland Security
  • Nicole Willis, Chief Technology Officer, Office of Inspector General, U.S. Department of Health and Human Services
  • Ted Rutsch, Federal Sales Manager, Invicti Security

Watch the full webinar recording below:

The perils of third-party code and hidden threats

Focused on how to weave modern AppSec into DevSecOps, the panel kicked off with a discussion about challenges for integrating security into the software development lifecycle, or SDLC, and what agencies can do to ensure they’re not missing often unseen components, integrations, and open-source elements in their security testing. As Ted noted, it’s first about knowing what you have for assets and what your threat landscape looks like.

After all, you don’t know what to protect if you can’t identify what’s in your inventory. Agencies must have a handle on which assets tie third-party integrations to their site. They also need to incorporate security into the SDLC and existing development programs for full coverage. One of the ways to do so is through an asset discovery tool that offers fast, automatic updates to help make more informed decisions about security. 

But tools are just the tip of the iceberg. As Nicole Willis commented, in order to tackle some of these issues, we also need a culture shift where ‘security as a mindset’ takes center stage and developers have ownership over their part of the process. This contributes to more complete security coverage as everyone operates on the same page with the same goals in mind. 

Always-on, continuous coverage through automation and enablement programs is what helps cover every corner of the application landscape so that when the next dangerous flaw strikes, agencies know what’s in their inventory and they’re ready to step in with effective incident response. 

Shrinking cybersecurity skill gaps and reducing silos

When the ever-important topic of the massive cybersecurity talent shortage was presented to the panelists, it was no surprise to hear that this is a common struggle. Fortunately, it’s an area of AppSec where automated tooling, improved communication, and enablement programs can help bridge the gap.

Christopher Crist echoed the need for a culture shift, adding that security personnel are typically siloed from developers and are more concerned with checking boxes when they should instead actively participate in implementing security throughout the development process. 

Part of the conundrum lies in a lack of effective communication. “We really need the security and development personnel to work collaboratively together to understand each other’s perspectives,” Nicole added. She also noted that the Department of Health and Human Services is working to improve the security know-how of their developers – specifically in the areas of best practices, tools, and cyber hygiene – which will boost collaboration down the road.  

“It’s the age-old war between engineering and security,” Ted agreed. “We’ve seen it time and again where the AppSec team presses a button, runs a scan, delivers a report, and washes their hands of it.” From there, he says, it’s usually on DevOps teams to figure out how to remediate those problems, which is where modern tooling can lend a hand for developers. 

“If you could integrate and automate a lot of that process, pulling in their issue tracking systems and pulling in their CI/CD environments, letting them work in the environments they have today,” Ted continued, “it helps them remediate problems faster, identify problems faster, and in the long run build a stronger website."

While these steps aren’t a quick fix, they add up to increased efficiency, heightened security, and decreased stress for cybersecurity professionals, all of which can help close these lingering skill gaps.  

How to maintain compliance without sacrificing innovation

Another hot topic was centered on satisfying compliance needs for federal agencies, in which AppSec programs and effective tools play a critical role. Greg Edwards, CISO at FEMA, noted just how hard this is to achieve without the right tooling and automation in place to better manage the overall environment. 

There is also an element of distrust, Greg added, when changes to processes interfere with how developers get their work done and contribute to missed deadlines. We need to reframe the issue as freeing up critical time for product improvement instead. “What they should be doing is developing and delivering capabilities in the FEMA world for our survivors,” Greg said, underscoring how imperative it is that developers are able to spend more time on innovation and less time on security. 

Modern security tools that feature interactive analysis (IAST) and dynamic analysis (DAST) integrate with existing developer tech stacks and make it even easier to adopt these critical security processes without delay, combining depth and coverage. They can help satisfy compliance needs through clear and effective reporting, too, giving organizations more visibility across the board.

Federal agency or not, building a successful AppSec program that is always-on and easy to implement is key for modern software development. Gain more insight into what leading-edge web security looks like for government agencies.