Faced with thousands of applications in complex environments to manage, a global skill-shortage of application security professionals, and budget constraints – all the while continuing to be one of the top verticals targeted by cyber criminals globally – it is clear that government security leadership is not for the faint of heart.
In this article, we explore the challenges security and risk leaders in state and local governments face when it comes to application security, and strategies similar organizations have to mitigate risk.
Keeping up with patching
Whilst applying patches is a basic security hygiene task, it's not always easy to do in practice, considering:
- Compatibility of the application stack with component patching is not guaranteed;
- Upgrading one component may result in fixing security issues whilst breaking functionality;
- Testing is imperative, requiring resource scheduling;
- Findings need to be addressed by developers; and
- Fleet rollout needs to be scheduled.
Further, commercially supported applications may have version restrictions. In this case, upgrading a component would void the support agreement.
According to Veracode, 80% of applications managed by government entities have flaws – and the median time to fix these flaws is 233 days.
Considering that in 2019, Kenna Security found 50% of vulnerabilities had exploits available within two weeks of publication, that’s concerning! In 2020, that two weeks became one day. Within a month, 75% of exploits were weaponized.
So to keep pace with attackers, organizations must determine whether they are exposed to a newly published CVE, then develop and deploy patches – all in a single day. With 50+ CVEs published every day, the race starts again tomorrow.
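The first step in that daily race is the exposure check itself: given an inventory of the applications you are responsible for and the components each one ships, which of them carry a version inside the advisory's affected range, and for which can you patch versus only mitigate while a vendor works on it? The following is an added example, not code from the article or from any of the organizations it quotes. It assumes a hand-built inventory and a hand-built advisory record (the component name, CVE id, versions and dates are all constructed placeholders, and the advisory shape is simplified compared with real NVD or OSV records).

```python
"""Added example: triage an application inventory against a newly published CVE.

Constructed inputs only; the component, CVE id, versions and dates below are
placeholders, not real identifiers.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1' or '2.4' into a comparable tuple, padded to three parts."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class AffectedRange:
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version (exclusive); None = no fix yet


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    component: str
    published: date
    ranges: Tuple[AffectedRange, ...]


def matching_range(version: str, ranges: Tuple[AffectedRange, ...]) -> Optional[AffectedRange]:
    """Return the affected range that contains `version`, or None if unaffected."""
    v = parse_version(version)
    for r in ranges:
        if v < parse_version(r.introduced):
            continue
        if r.fixed is None or v < parse_version(r.fixed):
            return r
    return None


def is_affected(version: str, ranges: Tuple[AffectedRange, ...]) -> bool:
    return matching_range(version, ranges) is not None


# Constructed inventory: one row per application, with its shipped components.
INVENTORY: List[Dict] = [
    {"name": "unemployment-portal", "owner": "state", "internet_facing": True,
     "components": {"example-web-framework": "2.3.1", "example-json-lib": "1.8.0"}},
    {"name": "voter-registration", "owner": "vendor", "internet_facing": True,
     "components": {"example-web-framework": "2.4.0"}},
    {"name": "payroll-batch", "owner": "state", "internet_facing": False,
     "components": {"example-web-framework": "1.9.7"}},
    {"name": "tax-filing", "owner": "state", "internet_facing": True,
     "components": {"example-web-framework": "2.5.0"}},
]

# Constructed advisory: versions 1.9.0 up to (but not including) 2.4.2 are affected.
ADVISORY = Advisory(
    cve_id="CVE-YYYY-NNNNN",           # placeholder, not a real CVE
    component="example-web-framework",
    published=date(2024, 1, 10),
    ranges=(AffectedRange(introduced="1.9.0", fixed="2.4.2"),),
)


def triage(inventory: List[Dict], advisory: Advisory, today: date) -> List[Dict]:
    """List exposed applications, internet-facing first, each with a recommended action."""
    rows = []
    for app in inventory:
        version = app["components"].get(advisory.component)
        if version is None:
            continue                      # component not present in this app
        rng = matching_range(version, advisory.ranges)
        if rng is None:
            continue                      # present, but outside the affected range
        if rng.fixed is None:
            action = "mitigate: no fixed version published yet"
        elif app["owner"] == "state":
            action = f"patch: upgrade {advisory.component} to {rng.fixed}"
        else:
            # Third-party managed code: you cannot push the patch yourself, so put a
            # compensating control in front and ask the vendor for a timeline.
            action = f"mitigate: vendor-managed, request patch timeline (fix is {rng.fixed})"
        rows.append({
            "app": app["name"],
            "owner": app["owner"],
            "internet_facing": app["internet_facing"],
            "version": version,
            "days_exposed": (today - advisory.published).days,
            "action": action,
        })
    # Internet-facing systems first, then alphabetical for a stable report.
    rows.sort(key=lambda r: (not r["internet_facing"], r["app"]))
    return rows


if __name__ == "__main__":
    for row in triage(INVENTORY, ADVISORY, today=date(2024, 1, 11)):
        print(f"{row['app']:<22} {row['version']:<7} day {row['days_exposed']}  {row['action']}")
```

Running it against the constructed data lists the two internet-facing applications first, marks the state-owned one for patching and the vendor-managed one for mitigation, and drops the application already on a fixed version. The same structure works with a real SBOM export and an OSV or NVD record once a small adapter maps that record into the `Advisory` shape.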
Fixing flaws with no CVE
For vulnerabilities in custom or third-party-managed code, where there is no CVE, it takes organizations an average of 4-6 months to fix critical and high-rated vulnerabilities. Almost half of all critical and high-rated vulnerabilities are never fixed.
From the CISO’s perspective
Solomon Adote, Chief Security Officer at the State of Delaware, notes that “as an organization, we’re pushed to patch very rapidly”, with patches often being deployed within 24 hours. However, when it comes to the complex environment the State operates in, it isn’t always that easy.
Digital trust – or citizen trust in the government context – is everything, says Todd Waskelis.
“Trust is critical for government entities to drive their digital strategy forward. Recovering from a breach in digital trust can be very difficult, so it’s critical that you focus on application security – it’s got to be at the top of your list.”
Todd Waskelis, AVP Cyber Security, AT&T
Being responsible for managing the risk of thousands of applications becomes increasingly complex when you consider state governments’ unique challenges.
Long budget cycles
With budget cycles commonly taking 12-18 months, state government risk and security leaders struggle to get funding to update or replace vulnerable applications. Limited state budgets make weighing up bids difficult for state government leaders. “When you are having to choose between funding police vests or rebuilding an application, what do you choose?”
Adote highlights that these applications perform critical functions – facilitating unemployment applications, voter registrations, and income tax filings to name a few. “That application that has vulnerabilities cannot be shut down but it cannot be replaced tomorrow.”
His advice? “You definitely have to buy yourself time… whether it's an application that you can continue to leverage while mitigating the risk that you have, you have to have that in your back pocket.”
Legacy applications
Legacy applications proliferate in state and local government – perhaps more so than any other sector.
Continuing to leverage legacy systems comes with a cost; outdated languages or unsupported versions make it harder to find (and more expensive to pay) developers with the right skills to address the issues that are inevitably uncovered.
The pandemic put these systems to the test. Many legacy applications struggled with the dramatic uptick in traffic as citizens went online to find information about COVID-19 restrictions, track their movements for contact tracing purposes, and perform day-to-day tasks such as filing tax returns.
State and local government IT teams are the unsung heroes of the COVID response, playing an essential role by rapidly delivering critical applications. The State of Delaware saw an exponential increase in unemployment applications – from 2,000 per week to 60,000 per day. The State’s development and security teams worked around the clock to ensure citizens could access the money they needed to live.
With the rapid cloud consumption during 2020, the modernization of legacy systems has accelerated. However, migrating legacy systems to the cloud doesn’t make vulnerabilities disappear. “Security of the cloud”, protecting and ensuring availability of the cloud infrastructure, falls with the cloud service provider, but “security in the cloud” sits firmly with the application owner, who remains responsible for mitigating the application security risk.
Application ownership
Of the thousands of applications within the state CISO’s remit, many are managed by partner agencies or their vendors. Without having access to the source code, discovering vulnerabilities is difficult – and rapid remediation is almost out of the question. To make changes to these applications, multiple layers of approvals are often required, further slowing down the remediation process.
Advocating for partner agencies to implement and maintain best practice security controls is important, but the onus remains with the state security leader to mitigate risk from the top down.
To address third-party risk, the State of Delaware has “the ability to throw [their] protections in front of a third-party vendor”. “I get to see all the traffic that interfaces with my application even if I don’t host it, and then I scan every week so I know exactly the state of the application, I can proactively reach out and [ask]… What’s your strategy, when will this be patched? And then they can provide feedback.”
Another strategy for state security leaders to gain risk visibility in their ecosystem is to create a purchase agreement with their trusted cyber security providers. Todd Waskelis, AVP at AT&T, has worked with a state to “build an entire infrastructure that has a blanket contract that all of the local agencies can buy off...and be able to do that transactionally”.
This is a win-win, providing the local agencies with a fast, easy way to purchase cyber security products and services, and the state to “drive some of their security initiatives and directives”.
Buying time
To avoid falling into the all-too-common habit of risk-acceptance, you need a way to remediate the risk of vulnerabilities discovered in your applications while working through the change management process.
Security tools that provide alerts and reports are useful, but you still need people in your team with the skills to operate these tools and resolve issues. “What you need is a strategic partner that buys you time and augments your team. You want a service [where] they can provide guidance and they can mitigate, they can provide temporary relief to buy your team time.”
The key strategy the State of Delaware uses is application shielding, which remediates exploitable flaws, whether in bespoke code or known vulnerabilities whose patches have not yet been deployed, in owned or third-party applications, buying the State time to push patches out.
“[Application Shielding is] how we stay alive until we get some influx of funding to make a major change, major investment, or a technology transition.”
Solomon Adote, CSO, State of Delaware
Watch the 'Risk, resourcing, and legacy applications' webinar
Expanding on the points covered by this article, this 50-minute discussion explores the innovative techniques state and local governments can take to improve their application security.
Panelists
- Solomon Adote, CSO, State of Delaware
- Todd Waskelis, AVP Cyber Security, AT&T
- Ed Amoroso, CEO, TAG Cyber
- Kim Bilderback, VP Americas, RedShield (moderator)