Reducing security debt


Federal agencies must take measures to minimize the introduction and accumulation of security flaws in their software

To provide critical services and information to citizens, federal agencies need secure and reliable software that manages everything from tax returns to veterans’ health records to government benefit programs. 

A string of cyber intrusions and significant software vulnerabilities over the last three years has threatened the delivery of government services to the public. Software vulnerabilities not only threaten the effective delivery of services but also put at risk the integrity of the vast amounts of personal information and business data managed by the government and the private sector. 

With the cost of a data breach averaging $4.35 million—and some reports expect that number to surpass $5 million per incident in 2023—agencies must take measures to minimize the introduction and accumulation of security flaws in their software. Remediation should begin early: an application is likely to carry flaws from the moment it enters production, and their number grows over the course of deployment. 

In fact, there is a 90% chance an application will contain at least one flaw by the 10-year mark, according to Veracode’s State of Software Security 2023 Report. The report found that flaw build-up over time is such that nearly 32% of applications are found to have flaws when they first move into production and by the time they have been in production for five years, nearly 70% contain at least one security flaw—and usually many more. 

Finding and fixing flaws 

Scanning frequently using a variety of tools helps agencies find and fix flaws and vulnerabilities that may have been introduced or built up over time. Additionally, federal agencies must automate security scans and invest in developer security training. Training will help developers better understand how to code securely, thereby avoiding the introduction of flaws altogether. 

Moreover, a comprehensive software security program and appropriate tools must be integrated early into the software development lifecycle, incorporating change management, resource allocation, and organizational controls to mitigate risks. 

A regular scan cadence, automated initiation of scans, and developer security training all reduce the probability that flaws will be introduced over the lifetime of an app. Implementing a comprehensive software security program across an organization lets leadership see whether specific flaws recur across teams and whether specific teams need more training, so that remediation and training programs can be targeted where they are needed. For a quicker return on the time investment, DevSecOps teams should consider targeting the top flaws and common weaknesses for the languages in use in their agencies. 

To figure out which flaws should take precedence on a remediation “to-do” list, the security team should consider the severity of the defect, the criticality of the application, and how easy it would be to exploit the flaw. If the development and security teams determine which flaws pose real and immediate risk, they can create an application security policy to stop deployment of an app whenever a flaw is introduced in those categories.  

For example, an app security scan uncovering a SQL injection flaw can “break the build,” forcing the developer to fix the flaw prior to pushing updates to production. An injection flaw can allow an attacker to relay malicious code through the application to another internal system and compromise it.  
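The prioritization and build-gating policy described above, as an added example that is not the article's or any vendor's code: each scanner finding is scored on the three factors the text names (defect severity, application criticality, ease of exploitation) to order the remediation list, and the build is failed when a newly introduced finding falls into a category the team has declared blocking. The weights, the CWE categories, the finding format and the sample findings are all constructed assumptions for illustration.

```python
"""Remediation triage and a build-breaking gate over static-analysis findings.

Added example, not from the article. Scoring weights and the blocking
category set are assumptions chosen for illustration, not a published
scheme; the sample findings are constructed.
"""
from dataclasses import dataclass

# Assumed ordinal weights for the three factors the article names.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CRITICALITY = {"internal": 1, "business": 2, "citizen-facing": 3}
EXPLOITABILITY = {"hard": 1, "moderate": 2, "easy": 3}

# Weakness categories that must never reach production ("break the build").
# CWE-89 is SQL injection; the team would extend this set per its own policy.
BLOCKING_CATEGORIES = {"CWE-89"}


@dataclass(frozen=True)
class Finding:
    cwe: str             # weakness category reported by the scanner
    severity: str        # key into SEVERITY
    exploitability: str  # key into EXPLOITABILITY
    location: str        # file:line as reported by the scanner


def priority(finding: Finding, app_criticality: str) -> int:
    """Higher score = fix sooner. Product of the three factors."""
    return (SEVERITY[finding.severity]
            * CRITICALITY[app_criticality]
            * EXPLOITABILITY[finding.exploitability])


def triage(findings, app_criticality):
    """Order findings for the remediation to-do list, highest priority first."""
    return sorted(findings, key=lambda f: priority(f, app_criticality), reverse=True)


def gate(findings, baseline=frozenset()):
    """Decide whether a build may deploy.

    Only findings *newly introduced* relative to the last accepted scan
    (the baseline) can block the build; known findings stay on the triage
    list rather than stopping every subsequent deployment.
    """
    new = [f for f in findings if f not in baseline]
    blocking = [f for f in new if f.cwe in BLOCKING_CATEGORIES]
    return {
        "passed": not blocking,
        "blocking": blocking,
        "newly_introduced": new,
    }


# Constructed sample output of a scan of a citizen-facing application.
SAMPLE_FINDINGS = [
    Finding("CWE-89", "high", "easy", "app/db/query.py:42"),          # SQL injection
    Finding("CWE-79", "medium", "moderate", "app/views/profile.py:17"),  # XSS
    Finding("CWE-327", "low", "hard", "app/crypto/legacy.py:8"),      # weak crypto
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, "citizen-facing"):
        print(priority(f, "citizen-facing"), f.cwe, f.location)
    result = gate(SAMPLE_FINDINGS)
    print("build passed:", result["passed"])
    for f in result["blocking"]:
        print("blocked by", f.cwe, "at", f.location)
```

Feeding the gate the previous accepted scan as `baseline` is what makes the rule "stop deployment whenever a flaw is introduced in those categories" rather than "stop every deployment while any such flaw exists"; a team that prefers the stricter rule simply passes an empty baseline.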

Open source, SBOMs and SCA 

Meanwhile, with the recent focus on the Software Bill of Materials (SBOM), now is the time to examine factors that can introduce risk in the world of open-source software. It is estimated that up to 70% of the code that makes up the modern application is open source. The White House’s Executive Order on Improving the Nation’s Cybersecurity requires any company selling software to federal agencies to provide a complete SBOM, a comprehensive list of the software components that comprise their applications. 

Developers today build their applications using libraries completely outside their control. This process establishes dependencies for basic functions that an application may need. Some of these dependencies then introduce further dependencies, which can open the door to even more risks. 

An SBOM does not by itself tell developers and security teams which of their components are vulnerable. However, they can feed it to a software composition analysis (SCA) tool, which cross-references the listed components against known vulnerabilities and license risks, distinguishes direct from indirect (transitive) dependencies, and offers remediation guidance. 
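The SBOM-to-SCA step described above, as an added example that is not the article's code or any vendor's SCA tool: it reads a small CycloneDX-style SBOM, walks its dependency graph from the root application to classify each component as a direct or transitive dependency, and cross-references each component against an advisory list, reporting affected versions, fixed versions and licenses flagged for review. The SBOM, the package names, the advisory identifiers and the license policy are all constructed for illustration; a real tool would consult a maintained vulnerability feed rather than an inline list.

```python
"""Cross-referencing an SBOM against a vulnerability list (toy SCA).

Added example, not from the article. The SBOM document, package names,
advisory records (EXAMPLE-ADV-*) and license policy below are constructed
for illustration only.
"""
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical "benefits-portal" app.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:pypi/benefits-portal@2.3.0",
                             "name": "benefits-portal", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:pypi/webframe@1.8.2", "name": "webframe", "version": "1.8.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:pypi/tmplkit@0.9.1", "name": "tmplkit", "version": "0.9.1",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"bom-ref": "pkg:pypi/yamlparse@4.1.0", "name": "yamlparse", "version": "4.1.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/benefits-portal@2.3.0", "dependsOn": ["pkg:pypi/webframe@1.8.2"]},
    {"ref": "pkg:pypi/webframe@1.8.2",
     "dependsOn": ["pkg:pypi/tmplkit@0.9.1", "pkg:pypi/yamlparse@4.1.0"]},
    {"ref": "pkg:pypi/tmplkit@0.9.1", "dependsOn": []},
    {"ref": "pkg:pypi/yamlparse@4.1.0", "dependsOn": []}
  ]
}
"""

# Constructed advisory list standing in for a real feed (NVD, OSV, ...).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "yamlparse", "affected": ["4.0.0", "4.1.0"],
     "fixed": "4.1.1", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "name": "tmplkit", "affected": ["0.8.0"],
     "fixed": "0.8.1", "severity": "medium"},
]

# Hypothetical agency policy: licenses that require legal review before use.
REVIEW_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def dependency_depths(sbom):
    """Breadth-first walk from the root component.

    Returns {bom-ref: depth}; depth 1 means a direct dependency of the
    application, depth > 1 means transitive (pulled in by another component).
    """
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:          # first visit gives the shortest path
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def analyze(sbom_text, advisories=ADVISORIES):
    """Produce one report row per SBOM component."""
    sbom = json.loads(sbom_text)
    depth = dependency_depths(sbom)
    report = []
    for comp in sbom["components"]:
        d = depth.get(comp["bom-ref"])
        kind = "direct" if d == 1 else "transitive" if d else "unreferenced"
        licenses = [lic["license"].get("id") for lic in comp.get("licenses", [])]
        hits = [a for a in advisories
                if a["name"] == comp["name"] and comp["version"] in a["affected"]]
        report.append({
            "name": comp["name"],
            "version": comp["version"],
            "dependency": kind,
            "vulnerabilities": [a["id"] for a in hits],
            "remediation": [f"upgrade {comp['name']} to {a['fixed']}" for a in hits],
            "license_review": [x for x in licenses if x in REVIEW_LICENSES],
        })
    return report


if __name__ == "__main__":
    for row in analyze(SBOM_JSON):
        print(row)
```

The depth walk is what lets the report say that the vulnerable component is transitive: nobody on the team chose `yamlparse`, it arrived through `webframe`, which is exactly the "dependencies introduce further dependencies" risk the text describes, and the fix is to upgrade or pin it via the component that pulls it in.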

Strengthening application security 

The choices DevSecOps teams make early in the software development lifecycle can measurably improve their organization’s security posture in the long run. In any given month, there is a 27% chance that new flaws will be introduced in an application, according to the State of Software Security 2023 report. Frequent application scanning, diversified methods of testing, and hands-on developer education and training can help reduce both the probability and volume of flaw introduction and improve agencies’ application security programs.