Gartner estimates 80 percent of all attacks occur at the application layer, making it critical that federal organizations get ahead of legacy application issues and the development of new applications.
On this episode of CyberChat, host Sean Kelley, former EPA CISO, is joined by Nick Sinai, senior adviser at Insight Venture Partners and Matt Rose, director of Application Security Strategy at Checkmarx.
“There is a huge effort and focus on cybersecurity in today’s environment. The Modernizing Government Technology (MGT) Act has been approved, and the IT modernization plan is part of the President’s Management Agenda. We are really seeing greater integration of cybersecurity with IT modernization,” Sinai said.
But does that mean we are more secure?
“To become more secure, organizations really have to support one another. There have to be robust partnerships within the government and contracting community. There has been increasing focus on DevOps and how the federal government builds applications, coupled with increased user-centered design,” Rose said.
The government is also grappling with how to deal with data security and encrypting data at rest.
Agile development is another capability federal executives have embraced. “More and more CIOs from the White House and federal agencies are talking about agile and DevOps and really putting user needs at that core,” Sinai said.
Sinai added that the federal government is going to continue to build, or build with contractors, and in those cases IT has to deliver more continuously in smaller sprints rather than in quarterly or annual deliverables.
Rose said developing and maintaining an application threat inventory is critical. “A lot of times when an organization is asked about their riskiest application, they don’t know the answer. Develop a process to maintain a threat inventory,” Rose said.
- IT security and modernization are being integrated – especially under this administration.
- Developers should include information security in the process, favoring “continuous monitoring” over “security gates” within applications.
- Industry and government should focus more on DevOps.
- Scrum sessions allow stakeholders to articulate requirements up front.