The cyberthreat landscape is constantly shifting at a time when government agencies face a growing demand for digital services. Agencies can balance those competing priorities by embracing a methodology that speeds and strengthens every aspect of software development, including security. Known as DevSecOps, the methodology allows agencies to create, deploy and maintain apps that are targeted to users’ needs, easily updated and continuously monitored for security purposes. In a recent survey of FCW readers, 68% of respondents said the changing cybersecurity landscape is driving the adoption or evolution of DevSecOps at their agencies. With security concerns expanding at all levels of government, DevSecOps is a prerequisite for achieving digital transformation. Learn how your agency or municipality can adopt DevSecOps to manage all aspects of developing and deploying secure, modern apps, building trust between the government and the people it serves while also boosting employee engagement and productivity, in Carahsoft’s Innovation in Government® report.
Accelerating Secure App Development for Low-Code SaaS Platforms
“Unlike traditional DevSecOps, a low-code DevSecOps platform offers a user-friendly experience through built-in security and governance controls that make it easy for nontechnical administrators to handle automated testing. Agencies can respond faster, achieve higher levels of software quality, deliver more digital services and scale to meet unprecedented demands — all while reducing the need for coding experience. Such platforms maximize the value of low-code/no-code software as a service and let agencies focus on and accelerate building experiences that drive citizen trust and engagement.”
Read more insights from Copado’s Senior Director of Product Line Management, Andrew Storms, and Radiant Infotech’s Director of the Salesforce Practice, Sarvinder Sandhu.
Automation: The Key to Secure App Development
“Application software is front and center in the drive to provide high-quality services to citizens and organizational customers. That, in turn, is fueling the need for a different culture, method and tooling capability within agencies. Those realities are accelerating the adoption of DevOps, which helps organizations be agile in determining what to deliver, how to deliver it and then delivering it. The primary strategic benefit is a significant increase in change/transformation velocity. However, that velocity amplifies the opportunity for human errors that result in security vulnerabilities.”
Read more insights from CloudBees’ CISO, Prakash Sethuraman.
Building Better Data Pipelines for DevSecOps
“Building data pipelines from scratch and managing all the integrations can take a significant amount of effort and time, perhaps as long as a year. By contrast, agencies can buy a product from a trusted partner and be up and running in days or weeks, with the added benefits of built-in observability tools and ongoing expert support. In digital transformation, there are no prizes for second place. All government agencies should have the ability to move forward quickly and securely to provide the apps and digital services their users need.”
Read more insights from Cribl’s Senior Director of Market Strategy, Nick Heudecker.
Achieving a More Secure Software Supply Chain
“There is a lack of transparency in how much open-source software is being used throughout the federal government. A disconnect between developers and security teams makes it difficult to rectify this. But in today’s world, understanding what’s in the supply chain is critical to national security. All government and contractor software developers need to think critically and not only ask themselves ‘does the code have vulnerabilities?’ but ‘could it have vulnerabilities?’ and ‘how do we know either way?’ Developers can’t answer those questions if they don’t know what code they’re using, which is why software bills of materials are critical to managing any software supply chain. An SBOM is a comprehensive list of a given product’s software components, open-source licenses and dependencies. It offers valuable insight into the software supply chain and potential risks.”
Read more insights from Sonatype’s Vice President of Product Innovation, Stephen Magill.
The Benefits of Automated, Risk-Based Testing
“Agencies must be able to quickly identify vulnerabilities and mitigate any risks in their applications. Adding static application security testing (SAST) and dynamic application security testing (DAST) to software development workflows can help. SAST, also called white box testing, involves scanning an application for security vulnerabilities before the code is compiled. Those vulnerabilities include SQL injection, cryptographic failures, security misconfigurations and others in the Open Web Application Security Project’s list of the top 10 security risks. DAST, also known as black box testing, is used to identify certain vulnerabilities while an application is running in a production environment.”
Read more insights from Tricentis’ Vice President of Public Sector, John Phillips.
Incorporating Security into Mobile Apps
“As a first step, agencies should require a software bill of materials (SBOM) for the mobile applications they build and the applications employees use on agency-issued mobile devices. Furthermore, a dynamic SBOM can show the geolocations of API and network connections, which can help agencies know when an application connects or shares data with foreign countries. Agencies should also embrace modern software development practices and incorporate continuous security testing into their mobile DevSecOps environments to identify issues and fix them in the fastest way possible. This complex process boils down to a few key strategies.”
Read more insights from NowSecure’s Vice President of Public Sector, Jeff Miller.
Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.