For IT professionals who develop the technologies, applications, and services that federal, state, and local government agencies employ, there is one specific challenge that they always find themselves brushing up against. When government agencies request new applications and expect them to be up and running quickly, developers are instantly placed into a precarious balancing act of rapidly delivering products and services to the agency and its constituents without introducing cyber risks and vulnerabilities into the agency and its networks.
Couple that with the overarching wave of digital transformation spreading across the government – and society in general – and demand for digital solutions is higher than ever. This increased need for services and the speed in which they’re expected to be delivered has made this tightrope act even more complicated for government application developers.
Last month, Cisco AppDynamics held a special online panel event to explore the current state of application security (AppSec) and examine what government developers are experiencing as it pertains to ensuring the security of newly developed and deployed technologies. The panel also delved into today’s AppSec threat landscape and the current software risks government agencies are facing.
Speaking at the event were Inrupt’s Chief of Security Architecture, Bruce Schneier, Cisco Talos’ EMEA Lead, Martin Lee, with AppDynamics’ Senior Director of Product Management AppSec and Observability, Randy Birdsall serving as moderator. Together, these incredibly experienced and knowledgeable application and security professionals took a deep dive into the threats facing government applications and networks, and explored what application developers can do to keep their agencies and constituents safe.
Current State of AppSec
As government agencies continue to drive ahead into the age of digital transformation, they are implementing new development tools and practices that are accelerating the rate of delivery of new services and capabilities. As the number of applications being used across the enterprise increases exponentially, government agencies’ attack surfaces are getting larger, inevitably leading to a higher likelihood of breaches, attacks, and other cyber threats.
Another impactful trend that organizations are facing is the drastic outnumbering of cybersecurity professionals – who often sit outside the agency they are serving – by application developers. When cybersecurity teams have to thinly spread their resources across government agencies, developers themselves have to make up for the lack of support by adding AppSec responsibilities to their duties.
This imbalance not only creates a massive workload for security and development teams, but it places government agencies’ networks and systems at risk for breaches and hacks if new applications are not properly secured. It also fosters a reactive approach to cybersecurity; fixing vulnerabilities that could have been resolved during development post-deployment.
According to Bruce Schneier, “We’re spending a lot of time dealing with problems that happen after the software has been released.” When asked what his solution would be, in a perfect world, he responded, “I think this whole area is really ripe for automation. And if we can get some kind of semi-intelligent auditing decision-making happening in real-time as it’s being deployed, we can flag a lot of things and then fix them.”
In Martin Lee’s eyes, it’s important to realize the risk human error can pose to application development and security, and that finding technologies and solutions that assist government agencies in automating AppSec is critical.
“Through human ingenuity, the bad guys are discovering the various criminal business models that you can use to make money from these things,” said Lee. “Software is a wonderful thing. All these applications that make our modern lives possible are absolutely amazing. But they’re still being written by people. There’s still mistakes in them. And now we have an entire criminal industry devoted to finding those mistakes and try to make money from them.”
The current threat landscape facing developers
When asked what the number one cybersecurity threat that organizations are currently facing, Lee did not hesitate to answer: “ransomware.” “We’ve known how to combat ransomware,” he said. “We know how to do this. And it’s incredibly frustrating that it’s still a problem.” To Lee it is critical that organizations “know about ransomware and know how to protect themselves against it.”
Another common organizational attack vector that cyber hackers are constantly seeking to take advantage of are vulnerabilities that reside in open-source libraries and third-party software supply chains. All developers utilize open-source code and software as the bedrock of their application development lifecycles. Since deploying applications that include open-source code is commonplace in the development community, there has historically been a “good-faith” attitude towards open-source libraries.
For example, since developers mostly likely do not want to write an operating system from scratch, when developing applications, they turn to open-source and third-party libraries for the fundamentals so they can focus on writing the software that sits on top of it. Unfortunately, after the infamous events of last year’s exploitation of the Apache Log4j vulnerability, developers can no longer place blind trust in these libraries, furthering the need for government agencies to shift security left and adopt a DevSecOps approach to application development.
“The problem that comes when we are all taking from the same pool of third-party software is when a vulnerability is suddenly discovered in that software, you find a library, which is widely used in all sorts of products that you would never have guessed, has a vulnerability that can be exploited by the bad guys,” said Lee. “And then suddenly, not only do you have to patch your own software where you know that that vulnerable library or vulnerable functionality has been included…but then you’ve also got all sorts of other bits of software that you also need to patch because they’re also relying on the same thing.”
Lee warned that, although third-party software and open-source libraries provide a great service to developers, they are also a double-edged sword that is accompanied with risks that government agencies need to take into account.
Schneier had a more critical viewpoint of open-source libraries and believes that there must be developer community-led initiatives dedicated to the evaluation and security of this type of software. “Modern software might have dozens of these [open-source vulnerabilities],” said Schneier. “You don’t know what they are, and vulnerabilities in them percolate up. This is not something that open-source is going to magically solve…We have a lot of poorly maintained, not-looked-at open-source libraries that are used.”
There is a ray of hope that Schneier pointed to when it comes to knowing and taking inventory for what software contains. “For years, we’ve been trying something called a ‘software bill of materials,’” said Schneier. “Tell us what libraries are in your software. It has been proposed many times, and the industry basically always nukes it for orbit, because they do not want to do this. Finally, we just had an Executive Order coming out of President Biden’s administration mandating that for government software, which is just fantastic.”
