Aligning to NCS pillars using a secure-by-design approach

This post first appeared on Federal News Network.

The National Cybersecurity Strategy released earlier this year outlines a significant shift in our nation’s approach to supply chain security, raising security standards along every step of the software development lifecycle (SDLC).

As accountability for security expands from IT to developers, organizations responsible for software development are under increased pressure to create and implement secure products. With new technologies emerging daily and collaboration growing, IT leaders and developers alike need to ensure secure development best practices across all programs and software.

A best-practice approach to implementing the new national strategy is to utilize established software platforms that provide immediate support for the National Institute of Standards and Technology’s Secure Software Development Framework and encompass software bill of materials (SBOM) capabilities that help track software components. This step can help prevent agencies from using digital duct tape to string together disparate tools that may not be effective at scale.

Software makers must prioritize a secure-by-design approach, heightening resilience against cybersecurity breaches by ensuring security is built in from the start.

Secure from the start

Every line of code must be secure to reduce risk in the systems that deliver critical government services. This means ensuring complete security at every step of the SDLC — a task best accomplished with a single DevSecOps platform. DevSecOps is more efficient than traditional methods and more secure, as every line of code is validated seamlessly throughout the development process.

Tools that enable streamlined and automated security patching and software licensing checks help smaller teams with restricted budgets better manage processes and give larger organizations more confidence in risk management. As organizations shift left, increasing automation in enforcing policies, applying compliance frameworks, and performing security scans will be essential to make this an attainable reality.

When not consolidated on one platform, more tools mean more complexity for developers. This is a growing concern for the public sector — GitLab’s 2023 DevSecOps Report found 49% of government respondents would like to consolidate toolchains. The study found that 44% of respondents use six to 15 or more tools, and nearly one-third reported that maintaining a complex toolchain made aligning with compliance requirements more difficult.

Using a DevSecOps platform integrates security and compliance, streamlining software development while improving the developer experience.

Know what’s in your software — automated SBOMs and beyond

Agencies and organizations working with the government need to fully understand the dependencies in their ecosystem to properly shift to a secure-by-design approach.

Emerging requirements call for agencies to maintain SBOMs, including critical information about the libraries, tools and processes used to develop, build and deploy software. SBOMs empower DevOps teams to identify vulnerabilities and assess and mitigate risks, supporting built-in security and better-informed IT decisions.

As agencies are more frequently looking to utilize SBOMs, it’s important to remember that not all SBOMs are created equal. Organizations should prioritize the ability to automatically generate and continuously update SBOMs, while also connecting with application security scanning tools to create an actionable dashboard based on vulnerability and license information.
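To make the connection between SBOMs, scanning and an actionable view concrete, here is an added example (not GitLab's code or any product's API). It assumes a CycloneDX-shaped JSON SBOM, a constructed advisory feed in which each entry names a package URL and the version that fixes the issue, and an agency license allowlist; the version comparison is deliberately simplified to numeric dotted versions and would need ecosystem-specific rules in a real pipeline.

```python
"""Correlate a CycloneDX-style SBOM with vulnerability and license data.

Added illustration only; the SBOM, the advisory entries and the license
policy are constructed inline so the script runs offline. In practice the
SBOM is regenerated on every build and advisories come from a real feed.
"""
import copy
from dataclasses import dataclass

# Constructed sample SBOM (CycloneDX JSON shape, trimmed to what we use).
SBOM_V1 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "gpl-helper", "version": "1.0.0",
         "purl": "pkg:pypi/gpl-helper@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
}

# A later build of the same project: lodash bumped, gpl-helper dropped.
SBOM_V2 = copy.deepcopy(SBOM_V1)
SBOM_V2["components"][1].update(version="4.17.21", purl="pkg:npm/lodash@4.17.21")
del SBOM_V2["components"][2]

# Constructed (hypothetical) advisories: purl without version -> fixed-in.
# Every version below "fixed_in" is treated as affected.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:pypi/requests", "fixed_in": "2.31.0", "severity": "medium"},
    {"id": "ADV-0002", "purl": "pkg:npm/lodash", "fixed_in": "4.17.21", "severity": "high"},
    {"id": "ADV-0003", "purl": "pkg:npm/lodash", "fixed_in": "4.17.0", "severity": "low"},
]

# SPDX license identifiers the agency permits in shipped software.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass
class Finding:
    purl: str
    kind: str       # "vulnerability" or "license"
    detail: str
    severity: str


def parse_version(v: str) -> tuple:
    """Simplified: numeric dotted versions only. Real ecosystems need
    PEP 440 / semver semantics, so do not reuse this as-is."""
    return tuple(int(p) for p in v.split("."))


def component_licenses(comp: dict) -> list:
    """Return SPDX ids (or names / expressions) declared for a component."""
    out = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            out.append(lic.get("id") or lic.get("name"))
    return out


def correlate(sbom: dict, advisories: list, allowed: set) -> list:
    """Join each SBOM component against advisories and the license policy."""
    findings = []
    for comp in sbom["components"]:
        # purl form here is pkg:type/name@version (no qualifiers in the sample)
        base, _, version = comp["purl"].rpartition("@")
        for adv in advisories:
            if adv["purl"] == base and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append(Finding(comp["purl"], "vulnerability",
                                        f"{adv['id']} fixed in {adv['fixed_in']}", adv["severity"]))
        for lic in component_licenses(comp):
            if lic not in allowed:
                findings.append(Finding(comp["purl"], "license", f"{lic} not on allowlist", "policy"))
    return findings


def diff_sboms(old: dict, new: dict) -> dict:
    """What changed between two SBOM generations; drives the 'continuous update' view."""
    old_c = {c["name"]: c["version"] for c in old["components"]}
    new_c = {c["name"]: c["version"] for c in new["components"]}
    return {
        "added": sorted(set(new_c) - set(old_c)),
        "removed": sorted(set(old_c) - set(new_c)),
        "changed": sorted(n for n in old_c.keys() & new_c.keys() if old_c[n] != new_c[n]),
    }


if __name__ == "__main__":
    for label, sbom in (("build 1", SBOM_V1), ("build 2", SBOM_V2)):
        print(f"== {label} ==")
        for f in correlate(sbom, ADVISORIES, ALLOWED_LICENSES):
            print(f"  [{f.severity:>6}] {f.kind:<13} {f.purl}: {f.detail}")
    print("delta:", diff_sboms(SBOM_V1, SBOM_V2))
```

The first build yields two vulnerability findings and one license finding; after the dependency bump and removal, only the outdated `requests` remains, and the diff shows exactly which components moved. That per-build delta, rather than a static one-off document, is what makes an SBOM actionable.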

In addition to SBOMs, agency IT teams should conduct regular security reviews, examining role-based permissions, data accessibility, administrator system access and patching policies.

Take advantage of your full set of cybersecurity resources

Many existing initiatives, including Executive Order 14028 and the Office of Management and Budget’s memo M-22-09, outline strategies to improve cybersecurity standards. These guidelines are excellent references that can help bolster software developers’ and IT leaders’ progress. Consulting cybersecurity and solution experts when making technical changes is also an alternative for agencies lacking resources or specialized expertise.

The market is changing, security guidance is shifting, and AI is creating new opportunities to optimize efficiencies in code creation – from code writing assistance to expediting vulnerability remediation. The impact of AI on development should not be underestimated. By identifying and targeting threats, AI will improve security across the entire SDLC.

Prioritizing cybersecurity from the start makes fundamental shifts like reallocating cyber roles and responsibilities manageable. The National Cybersecurity Strategy is ambitious and comprehensive, but it is critical that agencies meet these guidelines and help secure our software, data and national security.

Joel Krooswyk is federal chief technology officer at GitLab Inc.
