As software and applications proliferate across the public sector, application security is becoming central to cybersecurity and increasingly important for securing workloads. In a recent discussion on GovDevSecOps Hub, Kurt Risley of Checkmarx discusses the role application security will play in government and the solutions it can provide.
Software and applications are playing an increasingly essential role across the federal government. Software applications empower employee productivity in government offices. Software powers today’s advanced weapons systems and platforms in the military. And software is driving the digital transformation of government systems and processes intended to expedite and improve the delivery of citizen services.
Unfortunately, vulnerabilities in software and applications remain one of the most exploited pathways for malicious actors to compromise government networks and data. And the developers who are responsible for creating that software often have less cybersecurity training and skill than is needed to build safe and secure applications.
New application security (AppSec) training tools, including simulation solutions, could hold the key to developers creating more secure software across the public sector. However, as Kurt Risley expertly explained during a recent AppSec conversation with the GovDevSecOps team, these solutions are only effective when coupled with executive buy-in and agency-wide cultural change that makes AppSec a key mission within the organization.
During our conversation with Kurt, we discussed why AppSec is so important today, why simulation is an essential tool in AppSec training, and what agencies must do to make their applications more secure. Here is what he had to say:
GovDevSecOpsHub (GDSOH): Why is cybersecurity training for application developers so important today? What is the end result of application developers who are untrained in AppSec?
Kurt Risley: According to Verizon, almost 70 percent of the data breaches they investigated in 2019 resulted from exploits of vulnerabilities in public-facing web applications. And the Institute for Critical Infrastructure Technology (ICIT) has established that software with defects is often the system with the exploitable vulnerabilities that hackers compromise.
Keeping up with the constantly evolving and shifting threat landscape is difficult enough. When facing today’s incredibly sophisticated cyberthreats, government organizations simply can’t afford to have software with massive, exploitable defects in it.
Unfortunately, surveys of application and software developers show that approximately seven out of ten claim to lack the necessary AppSec training to adequately secure the software they develop.
GDSOH: How do we solve that? What are some of the most effective methods for training these seven out of ten developers in AppSec?
Kurt Risley: While there is clearly no “one-size-fits-all” tool for teaching people about AppSec, recent research and reports authored by Dr. Michael Workman from Texas A&M University demonstrate that implementing a gamified or simulation-based education solution can help developers and cyber warriors immensely.
In his research, Dr. Workman saw massive improvements in student test scores by combining traditional classroom instruction and labs with a combination of live activities – such as hackathons and capture the flag competitions – and simulation. Testing various combinations of these tools illustrated that the simulation was one of the largest factors driving that improvement.
GDSOH: If AppSec is so important, and simulation is so effective, what’s keeping us from using simulation to ensure that cybersecurity best practices are being taught to all application developers?
Kurt Risley: I think the big challenge for students or people looking for AppSec training tools is that there’s typically a cost to use a simulation solution. Many colleges and universities may look to avoid the additional cost of making a simulation solution available to their students – especially future application developers that may not think of cybersecurity as central or essential to their skill set.
To help overcome this, some of the companies that offer these simulation solutions are trying to make them available to college and university students at no or reduced cost. For example, here at Checkmarx, we’re working to make these solutions available to students by providing their professors with a long-term evaluation or complimentary use of our Codebashing solution as part of the course curriculum.
GDSOH: With the emergence of DevSecOps, we’re seeing security become more “baked in” in the application and software development process. What is driving this change and how is the need to shift security left changing what we teach and how we teach the application and software development teams?
Kurt Risley: Today, security is on the minds of everyone from the board of directors and throughout the entire organization. With the cost of breaches skyrocketing, it’s becoming more cost effective for these organizations to invest in tools and provide AppSec training for their employees in advance. This has led to a renewed focus on building security into applications early and testing during the development process to ensure applications are secure.
Many organizations have implemented, or are implementing, a formal application security awareness program within the organization. The biggest obstacle is the culture, but this is easily addressed with leadership buy-in, coupled with an effective adoption strategy.
GDSOH: The public sector is obviously at major cyber risk. Federal agencies face attacks from nation-states. Education institutions and state agencies get targeted by a wide range of malicious actors who view them as easy targets. What do these organizations have to do to ensure that their entire IT organization is prepared and ready to defend their networks and applications?
Kurt Risley: First and foremost, there has to be a shift in how organizations educate their application developers. There also needs to be a cultural shift to ensure that AppSec becomes a key mission across the entire organization.
Make cybersecurity a priority. Educate developers and other IT professionals early on in the process. Instill good cyber hygiene and habits, continue to assess the skills of employees and train based on the results of those assessments. Make AppSec education mandatory and a priority. These things are all increasingly essential in today’s government agencies and organizations.
This article was originally published on GovDevSecOps Hub on October 21, 2020.