The recent Log4j vulnerability showed just how quickly a security bug could disrupt not just an industry, but the entire world. Organizations, especially federal agencies, will always find themselves at some level of risk, but they can also do more to mitigate those challenges. In November 2021, the Biden administration issued a directive through the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to fix hundreds of software and hardware vulnerabilities.
While this effort created an immediate call-to-action to patch known security risks, organizations from all industries must constantly manage known and unknown threats. A study released in July 2021 found it took organizations an average of 205 days to fix critical vulnerabilities, a timeframe that provided bad actors a wealth of opportunity to conduct serious damage.
Agencies must adopt a more proactive approach to cybersecurity by improving software code quality. Let’s look at how to do that.
An Ounce of Prevention
Shaking up the status quo does tend to raise a few eyebrows, but the truth is that security programs should be in a constant state of continuous improvement. Today, our security programs work in an overly reactive state that relies too heavily on mitigation once a threat has emerged.
Emphasizing a preventative approach may not be widely understood outside the security team, especially when an agency has a relatively clean security record. It might be seen as something that isn’t broken and, therefore, doesn’t need fixing. In this instance, getting leadership buy-in at all levels of an agency is important.
Some pertinent points security executives should emphasize to change security culture inside their organization include:
- The time and cost savings achieved through preventative measures, such as role-based training and related tools, as opposed to the potential cost of a critical incident.
- Finding and fixing software vulnerabilities as code is written keeps releases on time with fewer showstoppers from the security team.
- Preparing for and preempting potential security risks from the development team to release saves time and money overall.
Shifting Left of Left
Shifting left has been popular in Agile and DevOps environments for over a decade. It involves testing small software components as early as possible rather than waiting until the end of the sprint.
To create more secure code, organizations need to start left of left, eliminating common vulnerabilities as early as possible to create a safer user experience.
Starting left of left is a developer-first concept and requires organizations to get serious about uplifting their engineering cohort, placing emphasis on the creation of high-quality code. Security-aware developers are worth their weight in gold, and they need support in the form of job-relevant, hands-on training in secure code as well as the ability to provision the right tools. The opportunity to be mentored by more experienced developers will also foster an environment where code is crafted with a security-first mindset and the precision required to take software to the next level.
One key area that often gets overlooked is the user experience; particularly with regard to how users access information.
Security misconfigurations accounted for 21% of cloud-based data breaches in the past year, and amateur-hour errors (like storing passwords in plaintext, for example) resulted in serious productivity and customer trust losses. To avoid these errors, aim for a secure user experience that weaves tight security into a flow that makes sense. Adding more barriers—complex password requirements, a CAPTCHA, a horde of flesh-eating zombies—can turn users away. On the other hand, getting too permissive with security measures renders the entire point moot.
A successful, secure user experience needs to weave tight security into a flow that makes sense, presented in a way that doesn’t detract from anything compelling about the software.
Improved Developer Upskilling
Developers, of course, want to write secure code, but they often lack those skills or need a refresher course. Meaningful training too often gets overlooked as the day-to-day needs of organizations allow for little time to improve skills.
In working with developers, we’ve found that about 75% prefer structured on-the-job learning instead of opening a manual. They would rather learn by doing and want training focused on practical applications, something that most current training programs are missing.
Look for any and all opportunities to upskill your developers. They are on the front lines when it comes to stopping vulnerabilities. Provide them both the time and right-fit resources, understanding that these efforts will pay considerable dividends in the future.
Government agencies, in particular, face inherent challenges in keeping their systems secure. They often must manage outdated systems with few financial resources and fight for top talent in an incredibly competitive market. There is no panacea for removing vulnerabilities, but taking a proactive and preventative approach that emphasizes the customer experience with highly skilled developers can help agencies take significant steps forward.