In a recent survey from MeriTalk and Invicti, 91 percent of 100 state and local government IT decision-makers said their organization’s pace of cybersecurity improvements increased over the past year. They have good reasons for accelerating change.
At this time last year, public reports showed more than 400 ransomware attacks had hit city and county governments in the United States since 2016, according to a Washington Post analysis. That’s just one example. Bad actors continue to evolve their techniques and the digital landscape continues to expand, creating fresh potential for both increasing numbers and increasing severity of cyberattacks.
However, many state and local governments lack cybersecurity direction, the same State of the State survey found. Seventy-five percent of respondents said their organization understands the overall cyber objective, but not the steps needed to achieve it.
While cybersecurity is a multipronged endeavor spanning networks, data, devices, identity, and more, applications are a good place to start. They are typically the most exposed parts of information systems and may provide an entry point for data breaches and internal network infiltration. State and local organizations operate a multitude of web-based digital services, so they can be substantially impacted by web app vulnerabilities.
In a previous Invicti/MeriTalk study, 86 percent of government agency respondents said they had experienced a breach originating in a web application in the past year. Some 62 percent saw delays in project deployment due to application security concerns, 45 percent had experienced data loss, and 51 percent had experienced downtime due to a web application vulnerability.
Web application security challenges are likely to increase. Gartner estimates that by 2023, 90 percent of web-enabled applications will have more surface area for attack (in the form of exposed application programming interfaces) than user interfaces – compared to 50 percent in 2020. According to Verizon’s 2022 Data Breach Investigations Report, applications are already the largest attack vector. Seventy percent of all incidents and 40 percent of all breaches stem from attacks on web applications, Verizon found. The good news: 88 percent of respondents in the State of the State survey agreed that application security is vital to reducing the overall attack surface within their organization.
Traditional AppSec Lags Behind IT Modernization
Unfortunately, legacy application security approaches have not kept pace with technical developments such as the widespread use of application programming interfaces. As a result, government IT shops are struggling to reconcile multiple testing tools and processes to cover all aspects of application security – or they are addressing some aspects and overlooking others.
At the same time, state and local governments are modernizing systems to meet citizen-service demands. They are adopting modern software development practices to increase the speed and volume of software releases, but those practices are in direct conflict with legacy security methods, which require the security team to periodically interrupt developer workflows to review code or insert manual checks. In the race to innovation, security may be left in the dust.
AppSec Can Be Integrated into Development and Production
It doesn’t have to be that way. Threat protections can be integrated so that developers receive alerts to fix security issues directly in their workflows, which means security is no longer an add-on or an obstacle to application development.
With security embedded into the very architecture of applications, it is easier to make testing a core aspect of the development and deployment process – including regular automated scans for applications in production. This approach integrates continuous and dynamic application health and security monitoring, along with granular testing policies and reporting.
Dynamic application security testing, or DAST, helps developers and security professionals find and fix runtime web application vulnerabilities. DAST probes the actual attack surface of the app as attackers see it, revealing potential problems.
Many state and local governments are already benefiting from this approach; 45 percent of respondents in the recent State of the State survey indicated they were integrating DAST. In the earlier Invicti/MeriTalk survey, 80 percent of respondents said an automated, iterative approach like DAST would allow their agency to secure the majority of their software development lifecycle, and respondents who had implemented DAST had already started seeing “significant security improvement.”
Adding interactive application security testing (IAST) into the core DAST scan can also provide deeper insights into issues and help identify and test local assets that crawlers cannot see, while software composition analysis (SCA) lets agencies efficiently vet open-source components before deploying new apps.
Integrated, efficient, and cost-effective application security is possible for every application, not just mission-critical apps. Because attackers will look for any way in, a simple coding mistake in a little-used app can be just as damaging as a flaw in an enterprise-wide financial application. Successfully prioritizing application security will result in more secure software development life cycles, a culture of continuous improvement, and stronger security practices throughout state and local government organizations.