The software security landscape has drastically evolved over the past few years. Think back to the start of COVID-19. The sudden shift to virtual operations expedited digital transformations. Government agencies now have to release new digital products and services in tighter timeframes, forcing public sector leadership to choose between speed of deployment and verifiably secure code. The data says it all: according to research conducted by the Enterprise Strategy Group (ESG), 85 percent of organizations push vulnerable code to production, and 54 percent do so in order to meet critical deadlines.
This need for speed isn’t only driving government agencies and contractors to push vulnerable code to production – it’s changing the way applications are developed. Increased reliance on microservices and open-source libraries means that applications are assembled as much as they are written. This is evident in version 12, our most recent State of Software Security (SOSS) report, which shows an increase in the number of applications scanned as well as a pivot to single-language applications. The same report highlights that organizations are scanning more than triple the number of apps per quarter than they did a decade ago. And over the past four years, organizations decreased their use of applications written in multiple languages from 20 percent to less than 5 percent.
The same State of Software Security report observes increased use of open-source libraries, which are incorporated into 97 percent of Java applications. By leveraging open-source libraries, developers supporting every mission in government can concentrate on customizing the code that sets their software apart. However, far too many developers aren’t scanning their open-source code for vulnerabilities, and those who do are slow to remediate the vulnerabilities they find. Our State of Software Security: Open-Source Edition report found that a staggering 79 percent of software developers never update the libraries in their codebase. By not updating the open-source libraries in your codebase, you are leaving your software vulnerable to a cyberattack. Consider the recent SolarWinds attack or the Log4j vulnerability. Both were the result of exploited open-source libraries.
The SolarWinds attack, which impacted tens of thousands of customers including the federal government, sparked the Executive Order on Improving the Nation’s Cybersecurity. The Executive Order outlines security requirements for vendors selling software to the U.S. government.
To meet the requirements of the Executive Order and other recent mandates, federal agencies need to work toward securing the software supply chain and adopting a zero trust security strategy – a security model in which organizations restrict access to networks, applications, and environments rather than trusting anything by default. Furthermore, these security controls must be adopted without impacting the performance of applications or the user experience. Success will require federal agencies to develop public-private partnerships committed to collaboration, information sharing, and the security of the software supply chain.
Keeping up to date with cloud security initiatives while complying with the latest mandates and remaining competitive with the speed of software deployments may feel daunting, but that’s where Federal Risk and Authorization Management Program (FedRAMP) authorizations can help. FedRAMP serves as the “gold star” of cybersecurity standards in the public sector. As agencies move more IT functions to the cloud, FedRAMP enables cloud service providers to meet specific security requirements, such as those embedded in the Federal Information Security Management Act and the National Institute of Standards and Technology (NIST) publications. This will enable federal agencies to outsource with the confidence that their cloud provider partners are meeting those requirements.
Announcing FedRAMP with Full Authority to Operate
Veracode is proud to announce that we have officially received FedRAMP authorization to support agencies across the federal government with a cloud-based security platform that delivers enhanced protection. FedRAMP authorization validates that we meet the government’s rigorous security and risk assessment standards, and it broadens opportunities for government agencies to find and adopt compliant cloud services.
What This Means for Federal Agencies
We are proud to say that we are an American-owned comprehensive software security platform in the FedRAMP marketplace. With our FedRAMP authorization, federal agencies are now able to take advantage of a solution that provides visibility into application status across static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) in one centralized view. We have also been named a Leader for the ninth time in the 2022 Gartner® Magic Quadrant™ for Application Security Testing.
With our comprehensive software security platform, federal agencies can address application security throughout every stage of the software development lifecycle, enabling development and security teams to move security to the earliest stages of the development process (also known as “shifting left”). This is a key component of implementing zero trust principles across the entire software development lifecycle, bringing agencies into OMB compliance, supporting NIST’s Secure Software Development Framework (SSDF), and meeting the May 2021 Executive Order on Improving the Nation’s Cybersecurity.
How Veracode Can Help
FedRAMP is the signature standard for public-sector cybersecurity. The best way to ensure mission success, while delivering a best-in-class customer experience and maintaining compliance, is to leverage a complete platform solution that has FedRAMP authorization.
The solution? Meet zero trust compliance with the most comprehensive FedRAMP authorized solution for application security: Veracode.
GARTNER and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.