How to develop faster, better, more secure software 

Today’s columnist, Chris Wysopal of Veracode, writes that last December’s Biden administration EO on transforming the federal customer service experience and service delivery to rebuild trust in government touched on security only in passing. (Photo by Anna Moneymaker/Getty Images)

Some unintended consequences of an executive order (EO) released by the Biden administration in December could pose new challenges in the running battle to hold the line on cybersecurity. While less heralded than last May’s cybersecurity EO, the Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government EO calls for federal agencies to pilot new online tools and technologies that can deliver a “simple, seamless, and secure customer experience.”

The problem: the December EO mentions security only in passing.

The Customer Experience EO will no doubt put pressure on agencies and application developers to speed up the development process in the quest for improved digital services. Those digital services rely heavily on application programming interfaces (APIs), third-party software, open-source applications, and tools that, if left unsecured, can often become pernicious threat vectors. 

The laudable goal of improving government’s delivery of services has, in all likelihood, already spawned a flurry of activity among application development teams across government and in the private sector. Amid this surge of digital services, can agencies meet the challenge of making the .gov experience more like that of private-sector .coms, while also strengthening cybersecurity?

For that to happen, government CISOs and cybersecurity professionals should coordinate with customer experience (CX) and digital services teams to jointly devise plans for attaining the goals set out in the White House’s Customer Experience EO, as well as focus on how best to secure these new applications.

The challenge of enabling digital services

How do agencies meet security requirements and continue to create enhanced user experiences for citizens? How does government take care of customers (warfighters, agency personnel, and citizens) while making sure not to create new vulnerabilities? 

Therein lies the challenge. Federal agencies and their software developer partners have long grappled with how public-private partnerships can deliver world-class, application-enabled citizen experiences without sacrificing security and privacy. At the core of that question sits a long-standing conundrum of software development: the perceived trade-off between speed and security.

Traditional wisdom held that developers could build an application quickly or securely – but not both. To save time, developers frequently bolted security onto software as the final step of the process, without considering how it would integrate with the app or with the other security tools already in-house. As demand has risen for faster delivery of applications that are more secure and more user-friendly, the tension between speed and security in software development has been stretched as tight as an over-tuned banjo string. 

According to our 12th annual State of Software Security (SOSS) report: to move faster, many development teams have turned to cloud-native technologies, microservices architectures, and open-source code to accelerate and scale their efforts. Additionally, development teams have adopted agile methodologies and are automating as many steps in the development process as possible. While this evolution increases the speed of the software development lifecycle, it also introduces new complexities and risks. 

The importance of application-layer security  

Development teams need to focus on application-layer security that’s baked into software during development – not bolted on as an afterthought. For that to happen, the security phase of application development must “shift left” in the process. In a functional DevSecOps environment, security becomes integral to development at every stage of the software development lifecycle.  

Security teams need a software development process that mitigates the risk of security breaches through rigorous and comprehensive analysis – and consistent AppSec governance. For that to happen, developers must have a centralized view into application status across all testing types, including static analysis, dynamic analysis, software composition analysis, and manual penetration testing. Rather than a one-size-fits-all approach, an ideal solution would embed security into software development by leveraging different solutions at every stage of the software development lifecycle (SDLC). 

Finally, delivering those capabilities by way of a scalable SaaS model – a comprehensive security platform that offers continuous software security testing – provides a highly effective, flexible, cost-efficient service. Using a single platform enables orchestration of security testing and monitoring, from the design phase through build and deployment. 

It's critical to build in ease of use. Both security and developer teams need to adopt platforms quickly and without friction. Platforms must be adaptable and open to integrating other analysis plugins (to keep pace with evolving technology) while providing comprehensive coverage. Finally, they must deliver a full understanding of risk, prioritized remediation guidance, and the ability to define and monitor progress objectives across many dimensions. 
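The governance described above – one view across static, dynamic, composition and manual testing results, plus policy that says which flaws block a release and how long each severity may stay open – is easiest to see as a small release gate. The following is an added illustration, not code from the column or from Veracode's platform; the scanner names, finding fields, severity ranking, SLA thresholds and sample findings are all assumptions constructed for the example.

```python
"""Added example (not from the column): a minimal AppSec policy gate that
aggregates findings from several testing types into one view and decides
whether a build may proceed. Field names, thresholds and sample findings
are assumptions for illustration, not any vendor's schema."""
from dataclasses import dataclass
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    source: str      # "sast", "dast", "sca" or "pentest" (assumed labels)
    severity: str    # one of SEVERITY_RANK's keys
    title: str
    age_days: int    # how long the finding has been open
    cwe: str = ""


# Constructed sample results, as if exported from each testing stage.
SAMPLE_FINDINGS = [
    Finding("sast", "high", "SQL query built by string concatenation", 3, "CWE-89"),
    Finding("sast", "low", "Hard-coded log file path", 40),
    Finding("sca", "critical", "Dependency with known RCE advisory", 1, "CWE-502"),
    Finding("sca", "medium", "Dependency past end-of-life", 95),
    Finding("dast", "medium", "Missing Content-Security-Policy header", 10, "CWE-693"),
    Finding("pentest", "high", "IDOR on document download endpoint", 20, "CWE-639"),
]

# Governance policy (assumed values): which severities block a release,
# and the maximum number of days each severity may remain open.
DEFAULT_POLICY = {
    "block_severities": {"critical", "high"},
    "sla_days": {"critical": 7, "high": 30, "medium": 90, "low": 180},
}


def prioritize(findings):
    """Order findings by severity, then by how long they have been open,
    so the list starts with what to fix first."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], -f.age_days))


def sla_breaches(findings, policy=DEFAULT_POLICY):
    """Findings that have stayed open longer than policy allows for their severity."""
    return [f for f in findings
            if f.age_days > policy["sla_days"].get(f.severity, float("inf"))]


def evaluate_gate(findings, policy=DEFAULT_POLICY):
    """Return (passed, report). The gate fails on any blocking severity or any
    SLA breach; the decision does not depend on which scanner found the flaw."""
    blocking = [f for f in findings if f.severity in policy["block_severities"]]
    breached = sla_breaches(findings, policy)
    report = {
        "total": len(findings),
        "by_source": dict(Counter(f.source for f in findings)),
        "blocking": len(blocking),
        "sla_breaches": len(breached),
        "fix_first": [f.title for f in prioritize(findings)[:3]],
    }
    return (not blocking and not breached), report


if __name__ == "__main__":
    passed, report = evaluate_gate(SAMPLE_FINDINGS)
    print("GATE PASSED" if passed else "GATE FAILED", report)
```

Run as a step after the scanners in a CI pipeline, the gate turns the report into a non-zero exit when `passed` is false; the `fix_first` list is the prioritized remediation guidance the paragraph calls for, and `by_source` is the single view across testing types.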

Closing the security gap 

On the plus side, developers are taking action to ameliorate the risk. During the past 10 years, the number of new applications scanned by organizations, on average, has tripled, according to the SOSS report. During the same period, the report says 90% of applications that had been scanned two or three times a year in 2011 are now scanned at least weekly, with the majority scanned three times a week.  

Moreover, the SOSS report indicates that organizations are increasingly focused on not just finding security vulnerabilities, but fixing them, and prioritizing the flaws that put them most at risk. Though vulnerabilities are introduced as part of the development process, the data suggests that finding and fixing vulnerabilities has become just as much a part of the process as improving functionality. 

As agencies continue this rapid pace of development to support the citizen experience, integrating security from the start should become a fixed part of their development protocols. For that to happen, they must assess their development tools and processes to ensure that security testing runs at every stage of development, not only at the end.

Chris Wysopal, co-founder and CTO, Veracode

Chris Wysopal

Chris Wysopal is Chief Technology Officer and co-founder at Veracode. He oversees technology strategy and information security. Prior to co-founding Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software. Chris received a BS in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.
