In an attempt to improve the security of the Department of Defense (DoD) supply chain, the Pentagon recently released new cybersecurity standards for its contractors. While I’ll be taking a deeper dive into those standards in a future article, they do illustrate the importance of securing the supply chain for the DoD, and they should have contractors starting to think more about how secure their processes and practices are.
Take application development, for example. If your company develops applications that could be used by the DoD or other government agencies, there are some serious questions you should be asking.
Do developers at your company keep security top of mind when coding? Do they have training in secure code development? Do they have the tools to develop code securely? If they find a security issue, can they quickly fix the issue in all instances throughout a large-scale application? If they use open-source code, do they verify its security?
While many shops can answer “yes” to all of these questions, many others struggle with secure application development. Although the situation is improving, security is often absent from training curricula for development; even those who want to write secure code may simply not know how.
There are products, however, that address these issues. Some alert coders to security problems in real time, as they type, a kind of hyper-sophisticated “spell-check” for programmers. When a developer finds and fixes a problem, the same flaw also has to be eliminated everywhere else it appears in a large-scale application, and there are systems that can do that, too.
As I described in an earlier article, supply chain risks are growing quickly: do you know if the code you downloaded from GitHub is safe to deploy? Once again, look to the fast-growing application security industry for a solution.
When I ran security programs at federal agencies, I saw – too often – that security was an unwelcome afterthought for many developers. However, with increased attention to cybersecurity in the government and in the public eye, the situation is improving. Developers have a wealth of powerful tools to minimize, or even eliminate, security holes both in their own code and in the code they use from other sources.
Increasing application security in the DoD supply chain


Don Maclean
Serving as the Chief Cyber Security Technologist at DLT, Don is responsible for formulating and executing DLT’s cyber security portfolio strategy. Within the cyber security community, Don is a leader and mentor, frequently participating in programs such as the DoS Cyber Online Learning sessions and serving as an active member of the Cloud Security Alliance.