Creating a framework for secure-by-design software development
Connecting state and local government leaders
COMMENTARY | State and local IT leaders can proactively address potential threats by prioritizing throughout the development process, regularly evaluating data security policies and keeping an inventory of software components.
Government agencies are under more pressure than ever to ensure that constituent information stays safe and secure. In the midst of a constantly evolving threatscape, agencies must build software that is secure by design to proactively defend against potential cybersecurity risks.
This is an ambitious request for state and local IT leaders. The federal government offers state and local agencies a helpful starting point through guidelines like the National Institute of Standards and Technology’s, a valuable resource for organizations of all sizes in every sector.
The secure-by-design process can be simplified into three main steps: integrating security throughout the software development lifecycle, conducting regular comprehensive data security reviews and maintaining a record of every component in the agency’s software ecosystem with a software bill of materials.
Integrate security throughout the development process
While the public sector has made strides to ensure that all software is developed with security in mind, there is still an opportunity to better incorporate security protocols within existing development frameworks. The White House’s recently released National Cybersecurity Strategy, for example, promotes secure development practices as a way to tackle the increasingly complex and challenging threat ecosystem.
To make progress against this ambitious strategy, state and local IT leaders should consider implementing DevSecOps tools and methodologies that ensure security is integrated into every step of the software development lifecycle, from ideation to deployment. A comprehensive DevSecOps platform can seamlessly integrate tools for security testing, patching and software licensing, thereby reducing the number of tools, licenses and disparate interfaces in an organization’s tech stack. This allows developers to test every line of code without further adding external tools that can create additional handoffs, security risks and silos.
A recent GitLab study found that two-thirds of respondents want to consolidate their software development toolchains, citing difficulty drawing insights from disparate tools and managing compliance and monitoring. The report also found that 50% of respondents working in the public sector use two to five tools for software development, with 31% using between six and 10. By consolidating toolchains, developers can spend less time managing tools and focus on delivering secure software efficiently.
Conduct a comprehensive data security review
Ensuring software is secure by design requires regular, comprehensive data security reviews, enabling agencies to proactively identify and address potential risks. The first step in this process is conducting a role-based permissions review, which helps leaders understand which users can access specific systems and information. The review should reveal complete awareness of what users can do, as well as when and where they can access information.
The process also includes reviewing administrators with system access and ensuring administration policies are up to date. IT leaders then must verify data accessibility, both by connected applications and direct access, and ensure that all connections are encrypted. Finally, a data security review should ensure a proper installation, patching and version policy.
Security policies should be enforceable and actionable to protect platforms, applications and the data they access. As a general rule, applications should never be more than three minor revisions or three months behind the current version. Agencies should also ensure that all critical security patches are automatically applied when made available.
Maintain a software bill of materials
Even when security is built into every step of the process, developers must still validate the code, especially when it may be generated from different sources or may be used elsewhere in the future. One critical tool for secure software development is a software bill of materials. A SBOM is an inventory of the components that make up an application, including information about the libraries, tools and processes used to develop the software.
Maintaining this inventory is important so agencies can fully understand potential vulnerabilities that could arise when elements are lifted from open-source repositories and licensed third-party components. A DevSecOps platform can help automatically generate and update SBOMs and integrate them into existing workflows, where they can seamlessly connect with security scanning tools.
While SBOMs are not a new concept, federal guidelines now recommend and require their usage in federal agencies, setting the stage for adoption in state and local IT departments as well. State and local IT departments will see the most value from SBOMs that integrate vulnerability identification and licenses into an accessible, actionable and regularly updated dashboard.
The NIST framework and National Cybersecurity Strategy give agencies a critical starting point for building a strong security foundation, but state and local IT managers can take their security framework one step further by adopting secure-by-design protocols. By ensuring that security is made a priority throughout the development process, regularly evaluating data security policies and keeping an actionable, accessible inventory of software components, agencies can maintain a healthy security posture and proactively address potential threats.
Joel Krooswyk is federal CTO at GitLab Inc.
NEXT STORY: Don’t fear AI, but prepare for its wider use