Next-Generation DevSecOps for the Public Sector

The cyberthreat landscape is constantly shifting at a time when government agencies face growing demand for digital services. Agencies can balance those competing priorities by embracing a methodology that speeds up and strengthens every aspect of software development, including security. Known as DevSecOps, the methodology allows agencies to create, deploy and maintain apps that are targeted to users’ needs, easily updated and continuously monitored for security purposes. In a recent survey of FCW readers, 68% of respondents said the changing cybersecurity landscape is driving the adoption or evolution of DevSecOps at their agencies. With security concerns expanding at all levels of government, DevSecOps is a prerequisite for achieving digital transformation. Learn how your agency or municipality can adopt DevSecOps to manage all aspects of developing and deploying secure, modern apps, building trust between the government and the people it serves while also boosting employee engagement and productivity, in Carahsoft’s Innovation in Government® report.

 

Accelerating Secure App Development for Low-Code SaaS Platforms

“Unlike traditional DevSecOps, a low-code DevSecOps platform offers a user-friendly experience through built-in security and governance controls that make it easy for nontechnical administrators to handle automated testing. Agencies can respond faster, achieve higher levels of software quality, deliver more digital services and scale to meet unprecedented demands — all while reducing the need for coding experience. Such platforms maximize the value of low-code/no-code software as a service and let agencies focus on and accelerate building experiences that drive citizen trust and engagement.”

Read more insights from Copado’s Senior Director of Product Line Management, Andrew Storms, and Radiant Infotech’s Director of the Salesforce Practice, Sarvinder Sandhu.

 

Automation: The Key to Secure App Development

“Application software is front and center in the drive to provide high-quality services to citizens and organizational customers. That, in turn, is fueling the need for a different culture, method and tooling capability within agencies. Those realities are accelerating the adoption of DevOps, which helps organizations be agile in determining what to deliver, how to deliver it and then delivering it. The primary strategic benefit is a significant increase in change/transformation velocity. However, that velocity amplifies the opportunity for human errors that result in security vulnerabilities.”

Read more insights from CloudBees’ CISO, Prakash Sethuraman.

 

Building Better Data Pipelines for DevSecOps

“Building data pipelines from scratch and managing all the integrations can take a significant amount of effort and time, perhaps as long as a year. By contrast, agencies can buy a product from a trusted partner and be up and running in days or weeks, with the added benefits of built-in observability tools and ongoing expert support. In digital transformation, there are no prizes for second place. All government agencies should have the ability to move forward quickly and securely to provide the apps and digital services their users need.”

Read more insights from Cribl’s Senior Director of Market Strategy, Nick Heudecker.

 

Achieving a More Secure Software Supply Chain

“There is a lack of transparency in how much open-source software is being used throughout the federal government. A disconnect between developers and security teams makes it difficult to rectify this. But in today’s world, understanding what’s in the supply chain is critical to national security. All government and contractor software developers need to think critically and not only ask themselves ‘does the code have vulnerabilities?’ but ‘could it have vulnerabilities?’ and ‘how do we know either way?’ Developers can’t answer those questions if they don’t know what code they’re using, which is why software bills of materials are critical to managing any software supply chain. An SBOM is a comprehensive list of a given product’s software components, open-source licenses and dependencies. It offers valuable insight into the software supply chain and potential risks.”

Read more insights from Sonatype’s Vice President of Product Innovation, Stephen Magill.
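To make the SBOM description above concrete, here is an added example (not Sonatype’s code and not anything from the report) that consumes a small CycloneDX-style SBOM: it checks each component’s package URL and version against an advisory feed, flags licenses outside an allowlist, and separately lists components whose provenance cannot be established at all, which is the “how do we know either way?” case. The SBOM contents, the advisory feed format and its identifiers, and the license allowlist are all constructed for this example.

```python
import json
import re

# Constructed CycloneDX-style SBOM. Component names, versions and licenses are sample
# data for this example, not an inventory of any real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.4.1",
         "purl": "pkg:pypi/example-http@2.4.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-parser", "version": "0.9.0",
         "purl": "pkg:pypi/example-parser@0.9.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        # Copied-in code with no version and no package URL: provenance unknown.
        {"type": "library", "name": "vendored-util", "licenses": []},
    ],
})

# Constructed advisory feed. The identifiers are hypothetical placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_prefix": "pkg:pypi/example-http", "fixed_in": "2.5.0"},
    {"id": "ADV-EXAMPLE-0002", "purl_prefix": "pkg:pypi/example-parser", "fixed_in": "0.8.0"},
]
LICENSE_ALLOWLIST = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(text):
    """Dotted version string -> comparable tuple of ints ('2.4.1rc1' -> (2, 4, 1))."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def assess(sbom_json, advisories, allowlist):
    """Check every component for known advisories, disallowed licenses and missing provenance."""
    sbom = json.loads(sbom_json)
    report = {"vulnerable": [], "unassessable": [], "license_flags": []}
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")

        # License review: a component with no declared license is a flag in its own right.
        ids = [lic.get("license", {}).get("id") or lic.get("license", {}).get("name")
               for lic in comp.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            report["license_flags"].append((name, "none declared"))
        for lic_id in ids:
            if lic_id not in allowlist:
                report["license_flags"].append((name, lic_id))

        # Vulnerability review: without a purl and a version there is nothing to match on.
        # Report that as "unassessable" rather than letting it pass as "no findings".
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version or "@" not in purl:
            report["unassessable"].append(name)
            continue
        prefix, _ = purl.rsplit("@", 1)
        for adv in advisories:
            if adv["purl_prefix"] == prefix and parse_version(version) < parse_version(adv["fixed_in"]):
                report["vulnerable"].append((name, version, adv["id"]))
    return report


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SBOM, SAMPLE_ADVISORIES, LICENSE_ALLOWLIST), indent=2))
```

The three buckets are deliberately separate: a clean “vulnerable” list means little if the “unassessable” list is long, because those components were never matched against anything. In a real pipeline the advisory feed would be an OSV, NVD or vendor data source and the version comparison would follow each ecosystem’s own rules, which the simple numeric tuple above does not.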

 

The Benefits of Automated, Risk-Based Testing

“Agencies must be able to quickly identify vulnerabilities and mitigate any risks in their applications. Adding static application security testing (SAST) and dynamic application security testing (DAST) to software development workflows can help. SAST, also called white box testing, involves scanning an application for security vulnerabilities before the code is compiled. Those vulnerabilities include SQL injection, cryptographic failures, security misconfigurations and others in the Open Web Application Security Project’s list of the top 10 security risks. DAST, also known as black box testing, is used to identify certain vulnerabilities while an application is running in a production environment.”

Read more insights from Tricentis’ Vice President of Public Sector, John Phillips.
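A minimal illustration of the SAST idea in the quote above, added here as an example (it is not Tricentis’ tooling and not code from the report): a check that parses Python source with the standard `ast` module, tracks which string variables are built from run-time data, and reports calls to DB-API `execute`-style methods whose first argument is not a fixed literal, i.e. the classic SQL injection shape. The vulnerable and hardened snippets are constructed sample input; the sink names and the conservative “unknown means tainted” rule are this example’s own assumptions.

```python
import ast
from dataclasses import dataclass

# DB-API methods that take SQL text as their first argument (assumed sink list).
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass(frozen=True)
class Finding:
    function: str
    line: int
    sink: str


def _is_dynamic(node, bindings):
    """True if the expression may contain run-time data rather than a fixed literal.

    bindings maps variable names seen so far to True (dynamic) or False (literal).
    Anything not recognised (other calls, subscripts, unknown names) is treated as
    dynamic, so the check over-reports rather than under-reports.
    """
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.Name):
        return bindings.get(node.id, True)
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _is_dynamic(node.left, bindings) or _is_dynamic(node.right, bindings)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):                 # "... {}".format(x)
        parts = list(node.args) + [k.value for k in node.keywords]
        return _is_dynamic(node.func.value, bindings) or any(_is_dynamic(p, bindings) for p in parts)
    return True


def _nodes_in_order(node):
    """Pre-order walk in source order that does not descend into nested functions."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        yield child
        yield from _nodes_in_order(child)


def _scan_function(fn):
    bindings = {}
    findings = []
    for node in _nodes_in_order(fn):
        if isinstance(node, ast.Assign):
            dynamic = _is_dynamic(node.value, bindings)
            for target in node.targets:
                if isinstance(target, ast.Name):
                    bindings[target.id] = dynamic
        elif isinstance(node, ast.AugAssign) and isinstance(node.target, ast.Name):
            # query += x stays literal only if it already was and x is literal too
            bindings[node.target.id] = (bindings.get(node.target.id, True)
                                        or _is_dynamic(node.value, bindings))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr in SQL_SINKS and node.args
              and _is_dynamic(node.args[0], bindings)):
            findings.append(Finding(fn.name, node.lineno, node.func.attr))
    return findings


def scan_source(source):
    """Run the check over every function in a module's source; module-level code is not scanned."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            findings.extend(_scan_function(node))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input: the "before" and "after" of a typical SQL injection fix.
VULNERABLE_SRC = '''
def find_user(cursor, username):
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    cursor.execute(query)

def find_order(cursor, order_id):
    cursor.execute(f"SELECT * FROM orders WHERE id = {order_id}")
'''

HARDENED_SRC = '''
def find_user(cursor, username):
    cursor.execute("SELECT id FROM users WHERE name = %s", (username,))

def count_users(cursor):
    query = "SELECT COUNT(*) FROM users"
    cursor.execute(query)
'''

if __name__ == "__main__":
    print("vulnerable:", scan_source(VULNERABLE_SRC))
    print("hardened:  ", scan_source(HARDENED_SRC))
```

This is the “before the code is compiled” step the quote describes: it runs on source in CI, with no database and no running application. Real SAST engines add interprocedural data-flow analysis across the whole code base and many languages; this check is intra-function and treats every unknown value as tainted, so a clean result from it is a weaker statement than a clean result from a full tool, and its findings still need human triage.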

 

Incorporating Security into Mobile Apps

“As a first step, agencies should require a software bill of materials (SBOM) for the mobile applications they build and the applications employees use on agency-issued mobile devices. Furthermore, a dynamic SBOM can show the geolocations of API and network connections, which can help agencies know when an application connects or shares data with foreign countries. Agencies should also embrace modern software development practices and incorporate continuous security testing into their mobile DevSecOps environments to identify issues and fix them in the fastest way possible. This complex process boils down to a few key strategies.”

Read more insights from NowSecure’s Vice President of Public Sector, Jeff Miller.

 

Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.

The Best of What’s New in Mobility

Many organizations have already invested significantly in projects that support mobility. The Center for Digital Government’s (CDG) 2021 Digital Cities and Digital Counties Surveys found that on average 85% of city respondents and 75% of county respondents are using location services, native mobile apps and text message/SMS channels. As organizations move forward with mobility, they should consider compute and storage capacity, end-to-end security, service design and delivery, and application rollout. Another important strategy is to have multiple options, so the organization can adjust to cost changes and inflationary pressures that could impact targeted business outcomes. Learn how your agency or municipality can move toward mobility in Carahsoft’s Innovation in Government® report.

 

Driving Innovation with Mobility

“It comes down to identity and Zero-Trust concepts. Strongly authenticating someone and having confidence in their identity is especially important as organizations work with sensitive or private information. Organizations need to consider how users move through sensitive data from a strong authentication and authorization standpoint. That brings us to Zero-Trust development models. How do you architect to create a safe landing space for people to come in and then traverse into legacy systems where critical information is stored? How do you set up safe, well-orchestrated and known boundaries, so employees and the public don’t have challenges when they try to access data? That’s critical in your systems.”

Read more insights from Red Hat’s Chief Architect and National Technology Adviser, Kevin Tunks.

 

Mobilizing Your Enterprise Securely

“The first challenge is education — understanding what mobile app security means; what the risks are; and what tools, techniques and processes should be employed. The second challenge is determining whether to build the program internally or leverage third parties. Setting up your own program and building a security team to do things like continuous testing, penetration testing, security analysis and supply chain risk management is costly and complicated. Most agencies are turning to commercial off-the-shelf packages or managed service providers that scan and vet mobile apps. Doing so provides instant intelligence on what security risks might live in those mobile apps, so organizations can decide whether to allow them.”

Read more insights from NowSecure’s Chief Mobility Officer, Brian Reed.

 

Addressing Today’s Mobile Threats

“A lot of Zero-Trust conversations today revolve around validating identity and making sure that a person is who they purport to be. However, if their device has a malicious payload when they’re granted network access, then all we’ve really done is identify that they were the source of the attack. We believe that when you validate the person’s identity, you must simultaneously do device attestation to validate the integrity of their device. Only then should the person be granted access to that particular resource or infrastructure. You can’t say you have Zero Trust if you haven’t attested the device. The two go hand-in-hand.”

Read more insights from Zimperium’s Vice President for Public Sector, Jim Kovach.

 

Moving from Mobile-First to Mobile-Only

“Organizations must secure all devices that process enterprise data. It’s important to look past “industry standard” protections of yesterday and embrace newer technologies that employ AI and machine learning to provide smarter, quicker and lighter-weight ways of protecting assets. In addition, it’s best to implement mobile-first architectures, 5G (as well as the anticipated 6G release) and cloud architectures simultaneously with their non-mobile infrastructure counterparts. Non-negotiables include yearly penetration testing, programs to review and test third-party applications within agency environments, and securing mobile devices as strongly as desktops. It’s also wise to ensure the security posture of cloud environments is equivalent to on-premises environments. Of course, securing data in transit and at rest is essential. Finally, end-to-end security can’t take a back seat to appeasing users’ demands.”

Read more insights from the BlackBerry Sales Engineering team.

 

Download the full Innovation in Government® report for more insights from these mobility thought leaders and additional industry research from GovTech.

Federal News Network Expert Edition: DevSecOps

The trend across civilian and defense agencies when it comes to software development is clear. People and culture matter the most when changing the way an agency develops software. Even with reskilling and training employees, agencies still aren’t guaranteed success in using DevSecOps. Many agencies need to become more comfortable with automating security controls, and they need to change the way these projects are funded. Hear from leaders at the Air Force, Navy, Army, the Centers for Medicare and Medicaid Services, and the National Geospatial-Intelligence Agency on how far agencies have come and where they still need to go to take full advantage of DevSecOps to drive modern capabilities to their customers in the latest Federal News Network Expert Edition report.

 

Applying DevOps Principles to Achieve Software Supply Chain Security

“A recent survey sponsored by CloudBees showed that software supply chain security is top of mind for many senior executives right now. The problem is a general lack of clarity on what to do about it. A recent executive order from President Joe Biden’s administration charges several agencies, including the National Institute of Standards and Technology, with releasing guidance around this very issue. NIST’s preliminary guidelines were due in early November and not yet released at the time of this article.”

Read more insights from CloudBees’ CISO, Prakash Sethuraman.

 

5 Ingredients for Successful Mobile DevSecOps

“Applying DevSecOps principles to mobile app development is somewhat different from web. ‘If you think about a web application, it basically runs in any browser on any desktop or device in the world. So in terms of developing and testing it, you really just need to test it once or twice for one or two browsers. And in terms of coding, the browser and server provide a ton of security built in and easy for the developer to use,’ said Brian Reed, chief mobility officer at NowSecure. ‘For mobile apps, you have to choose iOS or Android. And if you do both, you have to write it twice, effectively. Unlike web browsers, to build apps for mobile devices, the developer has to understand how the mobile device and operating system works, how secure data storage works, how crypto works, how secure network communications works and a myriad of other security application programming interfaces (APIs).’”

Read more insights from NowSecure’s Chief Mobility Officer, Brian Reed.

 

Software Bill of Materials is the First Step to Improve Software Supply Chain Security

“A confluence of events, including the SolarWinds breach and the subsequent White House executive order on cybersecurity, has pushed software supply chain security center-stage for the federal government and the ecosystem of contractors that do business with it. It’s a top priority for many executives, but traditional notions of cybersecurity are proving inadequate to the current landscape, and the path forward isn’t always clear. So where do they start?”

Read more insights from Anchore’s Solutions Architect and Technical Lead, Jeremy Bryan.

 

4 Strategies to Overcome Obstacles in Adopting DevSecOps in Your Agency

“A recent survey conducted by Federal News Network in partnership with Atlassian revealed a large disconnect between IT and non-IT staff at federal agencies. Fewer than 10% of respondents said their business or mission area was heavily involved in setting project requirements for IT services. Two-thirds of respondents said they don’t get to comment on or review new technology capabilities during development or before they are launched. And 63% said collaboration within the agency was difficult.”

Read more insights from Atlassian’s Director of Technology for Public Sector, Ken Urban.

 

Download the full Federal News Network Expert Edition report for more insights on the future of DevSecOps from Carahsoft’s technology partners and leaders at the Air Force, Navy, Army, the Centers for Medicare and Medicaid Services, and the National Geospatial-Intelligence Agency.

The Ongoing Quest for Cybersecurity

 

Government agencies were already under pressure to modernize their cybersecurity strategies before the pandemic hit, and as workplaces closed and government employees struggled to access data and systems from makeshift home offices, the cybersecurity risks grew. The use of virtual private networks in the U.S. increased to match the early spike in COVID-19 cases, rising 124% in the two weeks from March 8 to March 22, 2020, according to Statista. Around the same time, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert titled “Enterprise VPN Security,” which offered both warnings and guidance on how to handle the surge in usage. With so many employees logging in remotely, agencies found that they had to shift their focus from securing a well-defined perimeter to securing the data that fuels government operations. In a recent survey of FCW readers, protecting data topped the list of cybersecurity priorities, with 75% of respondents citing it. In response to such concerns, CISA released its Ransomware Guide in September 2020. And in May 2021, President Joe Biden mandated that agencies adopt zero trust in his Executive Order on Improving the Nation’s Cybersecurity; the National Security Agency had released a paper a few months ahead of that mandate titled “Embracing a Zero Trust Security Model.” Read the latest insights from industry thought leaders in Carahsoft’s Innovation in Government® report on cybersecurity.

 

The Future of Cybersecurity is Autonomous

“Analysts have too much atomic data and not enough context about that data. When they don’t have the full picture, they can’t take appropriate action. Re-creating each attack by hand takes painstaking care. And though analysts often relish this challenge, there’s simply not the time to do so for every presented case. Forward-thinking organizations are using artificial intelligence/machine learning (AI/ML) capabilities to fortify user endpoints and server workloads across an array of operating systems. These automations are designed to monitor the growing number of attack vectors in real time and present the full context of an attack in an easy-to-understand view that’s modeled after a kill chain.”

Read more insights from SentinelOne’s COO, Nick Warner.

 

Tailoring Zero Trust to Individual Users

“Zero trust is an important construct for helping agencies protect their infrastructure in today’s cybersecurity landscape. It focuses on accrediting individuals and their access to government resources. Agencies should make those decisions about access based on a comprehensive understanding of users. Security policies that treat all users as equally risky can be restrictive. Such policies set the bar high and hamper employees’ ability to work, or they set the bar low, which defeats the purpose of having security. Instead, agencies should evaluate users on an individual basis by taking the time to understand what employees do and how they do it — what’s normal behavior and what’s not. Then they can assess the risk of an individual based on that context.”

Read more insights from Forcepoint’s President of Global Governments and Critical Infrastructure, Sean Berg.

 

Modernizing Security for a Mobile Workforce

“Securing data and apps begins with positively identifying the user. In government, agencies have used multifactor authentication and all kinds of certificates, but those are simple pass/fail security checks. Once users are allowed to cross the security barrier, they often have wide-ranging access to government resources. This means adversaries and malicious (or careless) insiders passing the security checks receive free rein as well. Government needs to move to a continuous authentication model, which leads to better security and a better user experience. It involves seamlessly authenticating users every step of the way — when they touch the keyboard or scroll through an app on a screen. That activity, down to the microscopic vibrations in a person’s fingertip, can be sensed and understood so that IT administrators can answer the question: Is this really the authenticated user, or is it somebody else?”

Read more insights from BlackBerry’s Chief Evangelist, Brian Robison.

 

The Dangers that Lurk in Mobile Apps

“Government employees are increasingly reliant on mobile applications to do their jobs. But without formal monitoring programs in place, agencies might be unaware of the risks inherent in commercial and government-built apps. As a result, few agencies are investing resources and time to address a serious problem. The average mobile device has 60 to 80 apps, representing a huge potential for vulnerabilities at agencies whose employees are using those devices for work. Thousands of apps could be tracking employees or intercepting data. NowSecure founder Andrew Hoog has said mobile apps are the ultimate surveillance tool, given the mix of personal and mission activities in one space.”

Read more insights from NowSecure’s Chief Mobility Officer, Brian Reed.

 

Why Data is a Critical Cybersecurity Tool

“Once agencies have gathered their data in a scalable, flexible platform, they can apply artificial intelligence to derive insights from the data. AI speeds analysis and is particularly effective when agencies move from signature-based to behavior-based threat detection. A signature-based approach is good for detecting threats we already know about, but a behavior-based AI approach can adapt to new threats by looking for anomalies such as changes in the behavior of a server or endpoint device. AI also helps with investigations by reconstructing the sequence of events that happened during an intrusion, which fuels agencies’ ability to prevent future attacks. With AI, agencies can start to apply more sophisticated algorithms in their hunt for vulnerabilities and cyber threats.”

Read more insights from Cloudera’s Principal Solutions Engineer and Cybersecurity SME Lead, Carolyn Duby.
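An added example of the signature-versus-behavior distinction in the quote above (example code, not Cloudera’s and not tied to any platform): a signature rule that matches a list of already-known bad source addresses, and a behavior rule that fits a per-host baseline of failed logins per minute from a known-clean period and flags windows that deviate from it. The log format, the hosts, the addresses (documentation ranges) and the traffic are all constructed. No machine-learning library is used; the point is the fit-a-baseline-then-score-deviations structure that the AI approaches described build on, and why a novel attacker is visible to it but not to the signature list.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format used only for this example (not any product's real schema).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def _minute_index(ts):
    return int((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") - EPOCH).total_seconds() // 60)


def _minute_label(idx):
    return (EPOCH + timedelta(minutes=idx)).strftime("%Y-%m-%dT%H:%M")


def parse(lines):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["minute"] = _minute_index(e["ts"])
            events.append(e)
    return events


def signature_hits(events, known_bad_sources):
    """Signature-based detection: finds only what is already on the list."""
    return [e for e in events if e["src"] in known_bad_sources]


def _failures_per_minute(events):
    """Failed logins per (host, minute); minutes with no failures are filled in as 0."""
    counts = Counter((e["host"], e["minute"]) for e in events if e["result"] == "FAIL")
    hosts = {e["host"] for e in events}
    lo, hi = min(e["minute"] for e in events), max(e["minute"] for e in events)
    return {(h, m): counts.get((h, m), 0) for h in hosts for m in range(lo, hi + 1)}


def fit_baseline(events):
    """Per-host mean and standard deviation of failures per minute over a known-clean period."""
    per_host = defaultdict(list)
    for (host, _), n in _failures_per_minute(events).items():
        per_host[host].append(n)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def anomalies(events, baseline, k=3.0):
    """Behavior-based detection: (host, minute, count) windows far above that host's baseline.

    The standard deviation is floored at 1 so a perfectly flat baseline does not alert on a
    single extra failure; hosts with no baseline are skipped because they cannot be scored.
    """
    flagged = []
    for (host, minute), n in sorted(_failures_per_minute(events).items()):
        if host in baseline:
            mean, sd = baseline[host]
            if n > mean + k * max(sd, 1.0):
                flagged.append((host, _minute_label(minute), n))
    return flagged


def _normal_traffic(start_minute, minutes):
    """Constructed background noise: one to four failed logins per host per minute."""
    lines = []
    for m in range(start_minute, start_minute + minutes):
        for host in ("web01", "web02"):
            for n in range(m % 4 + 1):
                lines.append(f"2024-05-01T10:{m:02d}:{n * 10:02d}Z host={host} "
                             f"user=user{n} src=10.0.0.{n + 1} result=FAIL")
    return lines


BASELINE_LOG = _normal_traffic(0, 30)            # 10:00-10:29, known clean
NEW_LOG = (
    _normal_traffic(30, 5)                       # 10:30-10:34, same background noise
    # password spray from a source no signature list has seen yet (constructed)
    + [f"2024-05-01T10:32:{i:02d}Z host=web02 user=emp{i:03d} src=198.51.100.7 result=FAIL"
       for i in range(25)]
    # one attempt from a source that IS already on the known-bad list (constructed)
    + ["2024-05-01T10:33:05Z host=web01 user=alice src=203.0.113.9 result=FAIL"]
)
KNOWN_BAD_SOURCES = {"203.0.113.9"}

if __name__ == "__main__":
    model = fit_baseline(parse(BASELINE_LOG))
    new = parse(NEW_LOG)
    print("signature hits:", [(e["src"], e["host"]) for e in signature_hits(new, KNOWN_BAD_SOURCES)])
    print("behavioral anomalies:", anomalies(new, model))
```

Each mechanism catches what the other misses: the signature rule fires on the single attempt from the listed address and says nothing about the spray, while the baseline rule flags the spray minute on web02 and says nothing about the listed address. The baseline must come from a period you have reason to believe was clean, and it must be refit as normal behavior drifts; fitting it on data that already contains the attack inflates the standard deviation and hides it.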

 

Zero Trust Data Management Foils Ransomware Attacks

“Agencies must ensure recoverability because none of these protections matter if they can’t recover data and systems that run their critical missions and operations. Agencies need to gather and protect data at the edges of their networks, in their data centers and across different clouds. And regardless of where agencies decide to store that data, they need to be able to access it instantly. Recoverability service-level agreements of minutes and hours are possible and delivered today across the whole of government and the Defense Department. Gone are the days of weeks and months to get back online.”

Read more insights from Rubrik’s Public-Sector CTO, Jeffrey Phelan.

 

Reclaiming Control over Complex IT Environments

“When employees were sitting in a government office behind a firewall, IT administrators had a clearly defined perimeter to protect. Now IT administrators are still focused on protecting the agency’s mission and assets, but the responsibility has become more difficult because they’ve lost some visibility and control over the infrastructure. In response, many organizations are moving toward strategies based on zero trust, which requires validating users and devices before they connect to government systems, or least privilege, which involves only giving employees access to the resources and applications they need to perform their jobs. Zero trust and least privilege require continuous monitoring and a risk-based approach to adding or removing authorizations.”

Read more insights from SolarWinds’ Group Vice President of Product, Brandon Shopp.

 

The Role of Authentication in Data Protection

“Users who need to access low-risk applications and data — for example, publicly available product information — can use an authentication method such as one-time password tokens. But if that same user wants to access higher-value data such as corporate finance records, the required level of authentication should increase, perhaps requiring public-key infrastructure (PKI) authentication with a smartcard. The key is to manage those activities via one pane of glass or one platform that supports the entire risk-based and continuous authentication process. In the past, we’ve been able to base decisions on where users are located — for example, whether they’re accessing data from within the network or remotely via VPN — but that is no longer enough. New technology tools enable agencies to gain a deeper understanding of users’ online behavior so they can make more informed decisions about authentication.”

Read more insights from Thales TCT’s Vice President of Product Management, Bill Becker.
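The two quotes that insist on pairing identity with device posture (Zimperium, earlier, on attesting the device before granting access; Thales, just above, on matching authenticator strength to the value of the data) combine into a single policy decision. The following is an added example, not code from either vendor or from the report: a device-posture statement signed with a shared HMAC key (a stand-in for a vendor- or MDM-signed attestation; the key, claim names and token layout are this example’s assumptions), verified for signature, expiry and integrity before any authenticator is considered, followed by a step-up decision based on the class of data requested.

```python
import hashlib
import hmac
import json
import time

# Hypothetical shared key standing in for the attestation service's signing key. A real
# attestation statement is signed by the platform vendor or an MDM/attestation service.
ATTESTATION_KEY = b"example-attestation-key-not-for-production"

# Authenticator strength, lowest to highest, and the minimum strength each data class
# requires (after the quote: OTP for low-risk data, PKI smartcard for high-value data).
AUTH_STRENGTH = {"password": 1, "otp": 2, "pki_smartcard": 3}
REQUIRED_STRENGTH = {"public": 1, "internal": 2, "restricted": 3}


def issue_attestation(device_id, os_integrity_ok, ttl_seconds, now=None):
    """Mint a signed device-posture statement (hypothetical claim set and format)."""
    claims = {
        "device_id": device_id,
        "os_integrity": "verified" if os_integrity_ok else "failed",
        "not_after": (now if now is not None else time.time()) + ttl_seconds,
    }
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(ATTESTATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_attestation(token, now=None):
    """Return (ok, reason). The signature is checked before any claim is read or trusted."""
    expected = hmac.new(ATTESTATION_KEY, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad signature"
    claims = json.loads(token["body"])
    if claims["not_after"] < (now if now is not None else time.time()):
        return False, "attestation expired"
    if claims["os_integrity"] != "verified":
        return False, "device integrity check failed"
    return True, "ok"


def decide(auth_method, attestation, resource_class, now=None):
    """Policy decision: device posture first, then authenticator strength against the data class."""
    ok, reason = verify_attestation(attestation, now)
    if not ok:
        return "deny", f"device: {reason}"
    if AUTH_STRENGTH[auth_method] < REQUIRED_STRENGTH[resource_class]:
        return "step_up", f"{resource_class} data requires a stronger authenticator than {auth_method}"
    return "allow", "identity and device both verified"


if __name__ == "__main__":
    now = 1_700_000_000
    healthy = issue_attestation("laptop-01", True, 300, now)
    print(decide("otp", healthy, "internal", now))
    print(decide("otp", healthy, "restricted", now))
    print(decide("pki_smartcard", issue_attestation("phone-02", False, 300, now), "public", now))
```

Two details carry the security argument. The signature is verified with a constant-time comparison before the claims are parsed, so a forged or edited posture statement is rejected without any of its contents influencing the decision; and the attestation carries an expiry, so posture is re-established on a bounded schedule rather than once at enrollment. A strong authenticator does not rescue a failed device check, which is the “you can’t say you have Zero Trust if you haven’t attested the device” point made above.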

 

Verification and Validation to Enhance Zero Trust

“Networking teams rely on standard configurations to maintain the security policy. These standard configurations dictate connectivity and traffic flows to ensure users can access appropriate resources while preventing unauthorized access. The idea of a standard configuration seems simple, but maintaining it is extremely difficult. Validating configurations is clearly mission critical, but monitoring and validating network behavior are even more telling and help ensure that policies are not inadvertently being circumvented and that there is no unintended connectivity.”

Read more insights from Forward Networks’ Technical Solutions Architect, Kevin Kuhls.

 

Extending Zero Trust Down to the File Level

“A software-defined perimeter integrates proven, standards-based security tools to create the ideal foundation for zero trust. When used together, those two approaches give agencies the granularity to customize their security protocols. For example, the IT team could allow USB mice but not USB thumb drives that can store data, and they could block potentially unwanted applications that anti-malware engines might not identify as malicious, such as bitcoin-mining or file-sharing apps. Zero trust is a mindset rather than a specific group of tools. The National Institute of Standards and Technology’s Special Publication 800-207 on zero trust architecture advocates taking a holistic approach to authenticating devices and users and extending that attitude to agency assets, services and workflows.”

Read more insights from OPSWAT’s Senior Director of Government Sales, Michael Hylton.

 

Download the full Innovation in Government® report for more insights from these government cybersecurity leaders and additional industry research from FCW.