Next-Generation DevSecOps for the Public Sector


The cyberthreat landscape is constantly shifting at a time when government agencies face growing demand for digital services. Agencies can balance those competing priorities by embracing a methodology that speeds and strengthens every aspect of software development, including security. Known as DevSecOps, the methodology allows agencies to create, deploy and maintain apps that are targeted to users’ needs, easily updated and continuously monitored for security purposes. In a recent survey of FCW readers, 68% of respondents said the changing cybersecurity landscape is driving the adoption or evolution of DevSecOps at their agencies. With security concerns expanding at all levels of government, DevSecOps is a prerequisite for achieving digital transformation. Learn how your agency or municipality can adopt DevSecOps to manage all aspects of developing and deploying secure, modern apps, build trust between the government and the people it serves, and boost employee engagement and productivity in 探花视频’s Innovation in Government® report.


Accelerating Secure App Development for Low-Code SaaS Platforms

“Unlike traditional DevSecOps, a low-code DevSecOps platform offers a user-friendly experience through built-in security and governance controls that make it easy for nontechnical administrators to handle automated testing. Agencies can respond faster, achieve higher levels of software quality, deliver more digital services and scale to meet unprecedented demands, all while reducing the need for coding experience. Such platforms maximize the value of low-code/no-code software as a service and let agencies focus on and accelerate building experiences that drive citizen trust and engagement.”

Read more insights from Copado’s Senior Director of Product Line Management, Andrew Storms, and Radiant Infotech’s Director of the Salesforce Practice, Sarvinder Sandhu.


Automation: The Key to Secure App Development

“Application software is front and center in the drive to provide high-quality services to citizens and organizational customers. That, in turn, is fueling the need for a different culture, method and tooling capability within agencies. Those realities are accelerating the adoption of DevOps, which helps organizations be agile in determining what to deliver, how to deliver it and then delivering it. The primary strategic benefit is a significant increase in change/transformation velocity. However, that velocity amplifies the opportunity for human errors that result in security vulnerabilities.”

Read more insights from CloudBees’ CISO, Prakash Sethuraman.

Building Better Data Pipelines for DevSecOps

“Building data pipelines from scratch and managing all the integrations can take a significant amount of effort and time, perhaps as long as a year. By contrast, agencies can buy a product from a trusted partner and be up and running in days or weeks, with the added benefits of built-in observability tools and ongoing expert support. In digital transformation, there are no prizes for second place. All government agencies should have the ability to move forward quickly and securely to provide the apps and digital services their users need.”

Read more insights from Cribl’s Senior Director of Market Strategy, Nick Heudecker.


Achieving a More Secure Software Supply Chain

“There is a lack of transparency in how much open-source software is being used throughout the federal government. A disconnect between developers and security teams makes it difficult to rectify this. But in today’s world, understanding what’s in the supply chain is critical to national security. All government and contractor software developers need to think critically and not only ask themselves ‘does the code have vulnerabilities?’ but ‘could it have vulnerabilities?’ and ‘how do we know either way?’ Developers can’t answer those questions if they don’t know what code they’re using, which is why software bills of materials are critical to managing any software supply chain. An SBOM is a comprehensive list of a given product’s software components, open-source licenses and dependencies. It offers valuable insight into the software supply chain and potential risks.”

Read more insights from Sonatype’s Vice President of Product Innovation, Stephen Magill.
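As an added illustration of how an SBOM lets a team answer the three questions above, the following Python is example code written for this page (not Sonatype’s tooling and not part of the report). It reads a small CycloneDX-style SBOM, matches each component’s package URL against an advisory list, and reports three kinds of finding: a component inside a known-vulnerable version range, a component that cannot be checked at all because it carries no package URL (the “how do we know either way?” case), and a component with no declared license or a license outside an allow-list. The SBOM, the advisory feed, the package names and the allow-list are all constructed sample data; the advisory identifiers are placeholders, not real CVEs.

```python
"""Inventory check over a CycloneDX-style SBOM (added example, not the report's code)."""
import json
from dataclasses import dataclass

# Constructed sample SBOM with fictional packages, not real projects.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http-client", "version": "1.3.0",
         "purl": "pkg:pypi/example-http-client@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-yaml", "version": "2.0.1",
         "purl": "pkg:pypi/example-yaml@2.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Vendored binary with no package URL and no license: nothing to match on.
        {"type": "library", "name": "vendor-blob", "version": "7.1"},
        {"type": "library", "name": "example-crypto", "version": "0.9.9",
         "purl": "pkg:pypi/example-crypto@0.9.9",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed advisory feed (placeholder identifiers, not real CVEs):
# a package is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "pkg:pypi/example-http-client",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-ADV-002", "package": "pkg:pypi/example-yaml",
     "introduced": "1.0.0", "fixed": "2.0.0"},
]

# License allow-list: an assumption of this example, not an agency policy.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass(frozen=True)
class Finding:
    component: str  # "name@version"
    kind: str       # "vulnerable", "unverifiable" or "license"
    detail: str


def parse_version(text):
    """Loose dotted-numeric parse: '1.4.2' -> (1, 4, 2); stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or (0,)


def version_lt(a, b):
    """a < b, zero-padding the shorter tuple so that '1.3' compares equal to '1.3.0'."""
    x, y = parse_version(a), parse_version(b)
    n = max(len(x), len(y))
    return x + (0,) * (n - len(x)) < y + (0,) * (n - len(y))


def split_purl(purl):
    """'pkg:pypi/foo@1.2?x=y#sub' -> ('pkg:pypi/foo', '1.2'); qualifiers and subpath are dropped."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        package, version = core.rsplit("@", 1)
        return package, version
    return core, ""


def check_sbom(sbom_json, advisories, allowed_licenses):
    """Return Findings: known-vulnerable ranges, unmatchable components and license issues."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version', '?')}"
        purl = comp.get("purl")
        if not purl:
            # Without a package URL the component cannot be matched to any advisory.
            findings.append(Finding(label, "unverifiable", "no purl; cannot be matched to advisories"))
        else:
            package, version = split_purl(purl)
            version = version or comp.get("version", "")
            for adv in advisories:
                if (adv["package"] == package
                        and not version_lt(version, adv["introduced"])
                        and version_lt(version, adv["fixed"])):
                    findings.append(Finding(label, "vulnerable", f"{adv['id']} (fixed in {adv['fixed']})"))
        # CycloneDX permits {"license": {...}} or {"expression": "..."}; only the id form is handled here.
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            findings.append(Finding(label, "license", "no license declared"))
        for lid in ids:
            if lid not in allowed_licenses:
                findings.append(Finding(label, "license", f"{lid} not on allow-list"))
    return findings


if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES, ALLOWED_LICENSES):
        print(f"{f.kind:12} {f.component}: {f.detail}")
```

On the sample input the check reports four findings: the HTTP client sits inside the advisory’s affected range, the YAML library does not (2.0.1 is at or past the fix), the vendored blob is flagged twice because it can be neither matched nor license-checked, and the crypto library is flagged for a license outside the allow-list. The point of the “unverifiable” finding is that an SBOM entry with no identifier is a gap in knowledge, which for supply-chain purposes is itself a result worth surfacing rather than silently passing.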


The Benefits of Automated, Risk-Based Testing

“Agencies must be able to quickly identify vulnerabilities and mitigate any risks in their applications. Adding static application security testing (SAST) and dynamic application security testing (DAST) to software development workflows can help. SAST, also called white box testing, involves scanning an application for security vulnerabilities before the code is compiled. Those vulnerabilities include SQL injection, cryptographic failures, security misconfigurations and others in the Open Web Application Security Project’s list of the top 10 security risks. DAST, also known as black box testing, is used to identify certain vulnerabilities while an application is running in a production environment.”

Read more insights from Tricentis’ Vice President of Public Sector, John Phillips.
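To make the SAST half of that passage concrete, here is an added example written for this page (not Tricentis’ product and not part of the report) of the kind of check a static analyzer runs over source before anything is compiled or executed: it parses Python with the standard `ast` module and flags calls to `execute`-style database sinks whose query string is assembled from runtime values, the pattern behind SQL injection. The sample source is constructed, the set of sink method names is this example’s assumption, and the “not provably constant” rule is a deliberate simplification: a real SAST engine tracks taint across assignments and function calls rather than judging a single call site.

```python
"""Minimal SAST-style check for SQL built from runtime values (added example, not the report's code)."""
import ast

# Constructed sample input: four injectable call sites followed by two safe ones.
SAMPLE_SOURCE = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % username)      # injectable
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")        # injectable
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")   # injectable
    cursor.execute("SELECT * FROM users WHERE name = {}".format(username))  # injectable
    cursor.execute("SELECT * FROM users WHERE name = ?", (username,))       # parameterised
    cursor.execute("SELECT COUNT(*) FROM users")                            # constant query
'''

# DB-API style sink methods this example looks for (an assumption of the example).
SINK_METHODS = {"execute", "executemany", "executescript"}


def is_tainted_query(node):
    """Return True unless the query expression is provably a compile-time constant.

    String literals and concatenations of literals are safe. An f-string with a
    placeholder, %-formatting, str.format() and anything else (a name, a call)
    is treated as built at runtime and therefore reported.
    """
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        return is_tainted_query(node.left) or is_tainted_query(node.right)
    return True


def scan_source(source, filename="<input>"):
    """Parse `source` and return sorted (line, query_expression) pairs for risky sink calls."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_METHODS or not node.args:
            continue
        query = node.args[0]
        if is_tainted_query(query):
            findings.append((node.lineno, ast.unparse(query)))
    return sorted(findings)


if __name__ == "__main__":
    for line, expr in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: query built at runtime: {expr}")
```

Run against the sample it reports the four call sites on lines 3 to 6 and stays quiet on the parameterised and constant queries, which is exactly the distinction a developer needs to act on. The simplification cuts both ways: a variable that was assigned a literal earlier in the function is reported (a false positive), while a query string returned by a helper that does the concatenation is reported only as “a call”, without saying where the user data entered (no data-flow trace). That is why the passage’s pairing of SAST with DAST matters: the static check is cheap and runs before compilation, and the dynamic check catches what the static model missed once the application is actually executing.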


Incorporating Security into Mobile Apps

“As a first step, agencies should require a software bill of materials (SBOM) for the mobile applications they build and the applications employees use on agency-issued mobile devices. Furthermore, a dynamic SBOM can show the geolocations of API and network connections, which can help agencies know when an application connects or shares data with foreign countries. Agencies should also embrace modern software development practices and incorporate continuous security testing into their mobile DevSecOps environments to identify issues and fix them in the fastest way possible. This complex process boils down to a few key strategies.”

Read more insights from NowSecure’s Vice President of Public Sector, Jeff Miller.


Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.
