The recent Log4j vulnerability showed how quickly a security bug can disrupt not just an industry, but the entire world.
Organizations, especially federal agencies, will always find themselves at some level of risk, but they can also do more to mitigate those challenges. In November 2021, the Biden administration issued a directive through the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to fix hundreds of software and hardware vulnerabilities.
While this effort has created an immediate call for action to fix known security risks, organizations from all industries must continually manage known and unknown threats. A study released in July 2021 found that it took organizations an average of 205 days to fix critical vulnerabilities, a time frame that offers bad actors a high chance of causing significant damage.
Agencies should adopt a more proactive approach to cybersecurity by improving the quality of software code. Let’s take a look at how to do that.
An ounce of prevention
Changing the status quo raises some eyebrows, but the truth is that security software must be in a constant state of continuous improvement. Today, our security software operates in an overreactive state that relies heavily on mitigation as soon as the threat arises.
Emphasizing the preemptive approach may not be widely understood outside the security team, especially when the agency has a relatively clean security record. It may be seen as something that isn’t broken, and therefore doesn’t need to be fixed. In this case, it is important to have leadership endorsement at all levels of the agency.
Some of the relevant points that security executives should focus on to change the security culture within their organization include:
- The time and cost savings achieved through preventive measures, such as role-based training and related tools, rather than the potential cost of a serious accident.
- Finding and fixing software vulnerabilities as code is being written keeps releases on schedule, with fewer late interruptions from the security team.
- Having the development team prepare for potential security risks and address them before release generally saves time and money.
Start left
Shifting to the left has been common in Agile and DevOps environments for more than a decade. It involves testing small software components as soon as possible rather than waiting until the end of the development cycle.
To generate more secure code, organizations need to start on the left, eliminating common vulnerabilities as soon as possible to create a more secure user experience.
Starting left is a developer-first concept and requires organizations to get serious about upgrading their engineering portfolio, with an eye toward creating high-quality code. Security-aware developers are worth their weight in gold, and need support in the form of job-related hands-on training in secure code as well as the right tools. The opportunity to be mentored by more experienced developers will also enhance an environment in which code is crafted with a security-first mindset and the precision required to take software to the next level.
One major area that is often overlooked is user experience, especially how users access information.
Security misconfigurations accounted for 21% of cloud-based data breaches in the past year, and amateur-hour bugs (like storing passwords in plain text, for example) have taken a huge toll on productivity and customer trust. To avoid these errors, aim for a secure user experience that weaves high security measures into a logical flow. Adding more barriers – complex password requirements, CAPTCHA, a horde of flesh-eating zombies – could turn users away. On the other hand, being too lenient with security measures makes the whole point moot.
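The plain-text password bug named above is the kind of defect a "start left" review catches before release. The following is an added illustration, not code from the article, showing the insecure storage pattern next to a hardened version (per-user random salt, a slow key-derivation function, constant-time comparison); the in-memory `user_db` dictionary and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# "Before": the amateur-hour bug. Credentials live in the clear, so any leaked
# table, backup or log line exposes every user's password directly.
def store_plaintext(user_db: dict, username: str, password: str) -> None:
    user_db[username] = password

def verify_plaintext(user_db: dict, username: str, password: str) -> bool:
    return user_db.get(username) == password

# "After": derive a per-user digest with a random salt and a deliberately slow
# KDF. ITERATIONS is an assumed value; tune it to your hardware budget.
ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)  # fresh 16-byte salt per stored credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def store_hashed(user_db: dict, username: str, password: str) -> None:
    user_db[username] = hash_password(password)  # (salt, digest); password never stored

def verify_hashed(user_db: dict, username: str, password: str) -> bool:
    record = user_db.get(username)
    if record is None:
        # Spend the same KDF cost for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

def password_visible_in_record(user_db: dict, username: str, password: str) -> bool:
    """True when the stored record contains the password itself (the bug)."""
    record = user_db[username]
    if isinstance(record, str):
        return record == password
    return password.encode() in record[1]
```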
A successful and secure user experience needs to incorporate high security measures into a logical flow, presented in a way that does not detract from anything compelling about the software.
Improve developer skills
Developers, of course, want to write secure code, but they often lack those skills or need a refresher course. Meaningful training is often overlooked because the daily needs of organizations allow little time to improve skills.
Working with developers, we’ve found that around 75% prefer structured learning on the job rather than opening a guide. They prefer learning by doing and want the training to focus on practical applications, something that most current training programs lack.
Look for any and all opportunities to develop the skills of your developers. They are on the front lines when it comes to stopping weaknesses. Provide them with the appropriate time and resources, knowing that these efforts will pay off big in the future.
Government agencies, in particular, face inherent challenges in keeping their systems secure. They often have to manage legacy systems with little in the way of finances and fight for top talent in an incredibly competitive market. There is no panacea for vulnerabilities, but a proactive and preventive approach that emphasizes customer experience with highly skilled developers can help agencies take important steps forward.