Six Ways AST Keeps Digital Citizen Services Secure

Article originally posted to the GovDevSecOpsHub here.

When in-person processes became impossible during the pandemic, the extent to which public sector services relied on them became apparent. Town halls, municipal offices, schools, and colleges were forced to close their doors to the public, and the need to provide digital alternatives to citizen services so that constituents could continue to access them became clear.

As the health crisis abates, the goal of building resilience against future disruption of citizen services has public sector agencies accelerating digitization programs. As well as keeping public services up and running, there are several other drivers to digitize:

  • Building citizen trust: easy, convenient user access helps more people engage with key services. Doing so securely by safeguarding their personally identifiable information (PII) is imperative to build trust. In uncertain times, when state and local government is playing a key role in giving citizens advice and financial support, this trust is incredibly important for the safe functioning of society.
  • Cost savings: digitally delivered services are more cost-effective to run, requiring fewer human resources and reducing the need for physical municipal spaces.
  • Efficiency gains: by deploying more automation, agencies and educational institutions can increase efficiency and free up employee time to devote to higher-value activities.
  • Innovation and insight: digital citizen services enable the easy collection of large amounts of data about how such services are used by the population. Agencies can analyze this to better predict future demand and identify key improvements and innovation opportunities in public services.

These benefits are compelling, but achieving them also introduces a number of challenges to application performance and safety:

Citizen expectations driven by consumer experiences
The software developers building digital citizen services face a tough challenge. Their target market is the same people who shop on Amazon, and those users expect the same seamless, intelligent, customer-centric experience from their citizen services as from their consumer services. This means leveraging citizen data to personalize applications and share information between them, so the user has to do as little as possible in order to successfully engage with the service.

Sadly, public sector budgets are nowhere near the same scale as those of major retailers, meaning software developer teams are trying to replicate the same experience with limited resources.

Digitization introduces more risk
On top of the pressure of customer expectations are the increased security risks introduced when in-person processes move online. Many public sector services are highly confidential and might formerly have been conducted through a one-to-one conversation in a private office, but are now transacted through a public-facing website. This is a prime target for hackers looking to steal high-value PII such as social security numbers and passport details that users provide to confirm their identity.

Ensuring robust identity management and protecting citizens’ personal data is a critical challenge developer teams must address by making sure the software they build is secure. If citizens’ data is compromised when they engage with government services, they won’t trust those services, and all the potential advantages of digital services could be lost.

Consequently, developer teams are under huge pressure to achieve a lot with limited resources. Security and functionality are often competing priorities and the clock is always ticking, tempting teams to push fixes closer to delivery deadlines and creating technical debt. That debt has to be repaid one way or another, whether through stressed-out software developers rushing to implement last-minute fixes or with vulnerabilities being pushed to production and potentially putting systems and data at risk.

Public sector regulators try to avoid this and safeguard public services by mandating code scanning requirements. These derive from sector-specific regulations such as HIPAA, and from alignment with standards such as those from NIST, the OWASP Top 10, the SANS Top 25, and PCI DSS, among others.

Ensuring compliance with these regulations puts a burden on developers and adds to the pressure they face.

Application security testing helps secure digital citizen services at pace
Application security testing helps public sector agencies meet their obligation to protect citizen data without increasing developer stress. In fact, AST solutions – such as those offered by Checkmarx – can be readily applied to the current development process to deliver a number of benefits:

  • Integration into preferred IDEs: developers do not need to change or interrupt their workflows, but receive scan results back into their customary IDE, together with information on best-fix locations for identified vulnerabilities.
  • Automation: by automatically initiating code scans at key points during the development cycle, the burden on developers is lifted and security becomes intrinsic to coding. This applies to both proprietary code and open source libraries, resulting in more secure applications.
  • Easier adoption: it is an intuitive solution more readily adopted by developers because it delivers results without impeding their preferred way of working.
  • Reduces the accumulation of technical debt: by scanning for vulnerabilities earlier in the SDLC they are identified sooner, when they are easier and less time-consuming to fix. This reduces technical debt and eases pressure on production deadlines.
  • Improves compliance: AST solutions like those offered by Checkmarx provide out-of-the-box compliance with the key standards mentioned above, as well as supporting advanced custom queries that can be tailored for specific use cases.
  • Offers secure coding education: training solutions such as Checkmarx Codebashing allow teams to learn as they go, with bite-size on-demand sessions that relate to the actual challenges they are facing in their code. Agencies get more from their existing development teams without having to commit limited time or large training budgets to the issue.

In combination, the features above help developer teams raise application security standards to the right level, without disrupting delivery schedules.

Striking a balance between service personalization and security
Getting application security testing right in terms of speed and rigor is fundamental to the successful digitization of public services. The amount of PII involved in personalizing services to recipients creates a considerable risk if it is not robustly protected at the application level. Application security must be a priority throughout the development lifecycle in order to strike the balance between user experience and data security.

To achieve the level of assurance needed to ensure public confidence in digital services, public sector agencies should incorporate application security testing fully into their SDLC. By integrating and automating AST, agencies can realize the benefits of digital government while minimizing the risks.