In a recent report, The State of Government Application Security, 2020, Forrester analysts establish that governments are far behind other industries in critical areas of application protection. This finding – backed by the Forrester Analytics Global Business Technographics® Security Survey, 2019 – is especially alarming given the amount of sensitive citizen data housed by government agencies. And, since applications are currently the most common source of breaches, governments need to start investing heavily in application security (AppSec).
For starters, government agencies need to implement prerelease scans to reduce the remediation time of security flaws. By implementing prerelease scans, like static analysis, flaws can be detected earlier in the development lifecycle. But it is not just a matter of implementing occasional prerelease scans. According to Veracode’s State of Software Security Industry Snapshot, government agencies currently scan 90 percent of their applications 12 times a year, which equates to only once a month. Government agencies need to formulate an AppSec program with a regular cadence of frequent scans. Industries that scan applications more frequently find and remediate flaws faster and, as a result, have less security debt.
It is also important that governments embrace DevSecOps practices. DevSecOps is a methodology that introduces collaboration between development, operations, and security. Part of the collaboration involves shifting security to the beginning of the development process. This concept helps save time because security flaws and vulnerabilities are recognized and addressed prior to deployment. But embracing DevSecOps is not just about adding manual prerelease scans; it is about properly implementing prerelease tools. Here are three things to consider:
- Prepare a business case for prerelease testing of applications that is centered around citizen trust. Make the case for adopting dynamic, static, and software composition analysis based on increasing citizen trust and improving citizen experience. A data breach is a surefire way to erode citizen trust.
- Automate prerelease scans whenever possible and integrate the scans with build tools like Jenkins or ticketing tools like Jira. Automation and integrations help you recognize the benefits of AppSec tests and speed up the remediation process.
- Scan both in-house and third-party applications. If you neglect to scan third-party applications, an unidentified flaw could compromise your data and negatively affect your customer experience.
Although government agencies are currently falling behind with these vital security measures, with the right products and a little guidance, governments can catch up in no time. Read the full Forrester report for details on the state of AppSec in government agencies.