By Anthony Bettini, CTO, WhiteHat Security
According to IDG, 89% of companies have recently adopted a digital-first business strategy or plan to do so. As part of this pattern, the government sector is increasingly relying on web-based applications and digitized forms: think of the DMV, passport renewal, property tax payments, toll bill payments, election voting applications, and more, all processed over the internet for the convenience of both agencies and citizens.
Making forms and payments easy to complete online makes everyone’s lives easier: processes are faster and simpler, and the information is stored directly in databases. The modernization of these processes has not only made government and political involvement arguably more accessible, it also reduces the likelihood of human error or misconduct.
Although these applications have been proven to make the public sector more effective and efficient, they raise just as many concerns, some of which are integrity-related and many of which are cybersecurity-related. The public sector handles high-stakes events like elections and sensitive personal information, such as full names, addresses, social security numbers, financial details and more, which could easily be left vulnerable without proper cybersecurity measures in place.
Recent government-driven, technology-related incidents include but are not limited to: 1) this year’s Iowa caucus in the United States, where coding and testing errors in the voting application delayed election vote counting and fomented doubt in the results and 2) the breach at the Defense Information Systems Agency (DISA), which put nearly 9,000 government employees’ personally identifiable information (PII) at risk.
With government-related websites and applications becoming prominent targets for cyberattacks, many are fearful that their data is not properly protected. This attention should push development teams and organizations to ask themselves: as these web and mobile applications are being produced and implemented, how are they being tested, and are cybersecurity best practices being put into place?
How can this be avoided?
With a pivotal election year underway, all eyes are on the cybersecurity of the voting software, especially in light of reported interference in the last presidential election. As past voting breaches are being assessed, many are wondering if there was a way that these attacks could have been avoided. With healthier software development practices, modernizing government processes does not have to be a nightmare.
Working as a team is an efficient way to improve software development to push for increased security. One way to put this into effect is to implement a DevSecOps approach, which combines security into the DevOps process. This helps find and prevent vulnerabilities and other concerns earlier on in the process and better equips teams to make the necessary preparations and protections against potential breaches. By shifting security left and introducing security earlier in the development process, security professionals and engineers work in tandem to produce a more holistic and secure application.
Although recognizing the need to work as a team is important, a great starting point for breach avoidance is appropriate planning and testing of the application with security as a focal point. Having a remediation plan and a defined process prepared before a vulnerability is uncovered shortens the time needed to correct it. After planning for potential vulnerabilities, a good practice is to perform penetration testing, which confirms that your plan is effective and highlights any cyberthreats.
Application security is becoming more important, not only because it protects companies from reputation damage, but also because as more processes are quickly becoming digital, more personal data is being put at risk without it. According to WhiteHat Security’s 2019 Application Security Statistics Report, when 350 Android applications were analyzed, 70 percent leaked personally identifiable information.
If vulnerability testing is not prioritized throughout the development process, there can be ramifications, including extended timelines and increased expenses. In an ever-changing security field, automated testing platforms are beneficial because they keep developers apprised of security flaws that may arise after the application is deployed.
Every year more people use the internet and mobile devices, which suggests that more everyday activities can be made available digitally. Disenfranchised groups, including people with disabilities, are now able to participate in civic activities with little to no additional stress because of the increased accessibility that applications provide.
Although the modernization of these processes has improved the quality of life for the public, and may add an extra layer of protection against direct human tampering, the threat posed by application vulnerabilities is now more prevalent. Once cybersecurity is prioritized while developing government applications, the move to computerized civic processes can live up to its potential.
About the Author
Anthony Bettini is the Chief Technology Officer for WhiteHat Security. Previously, Anthony ran Tenable Research where he joined via Tenable’s acquisition of FlawCheck – a leading Container Security startup where Anthony was the Founder and CEO. Before FlawCheck and Tenable, Anthony was the Founder and CEO of Appthority, a leading Mobile Security startup, and winner of the “Most Innovative Company of the Year” award at the RSA Conference. Anthony led Appthority to a successful acquisition by Symantec in 2018. At WhiteHat, Anthony leads product management and development, engineering, and threat research.