Cybersecurity Executive Order Get-Started Guide: Application security
May 21, 2021
The new cybersecurity Executive Order (EO) is a bold and important step that will require organizations to build in security when creating software. Verizon's 2021 Data Breach Investigations Report showed that web applications were involved in nearly half of security breaches, and as such we believe the EO is overdue and necessary. We applaud its intentions and reach.
The EO will require a lot of work from software suppliers, including providing more proof of security throughout the development lifecycle. But this is also an opportunity. The EO is a call to action for software suppliers to significantly improve their maturity in cloud, zero trust, multi-factor authentication, incident tracking, reporting and testing. The companies that get it right will likely establish a competitive differentiator while helping organizations in every part of the supply chain improve resilience.
Many organizations we work with are already operating with an application security framework. This is a good start, but it will only get them part of the way. The next step is to effectively apply and scale that framework. The most recommended way to do this quickly and efficiently, in a manner that can help meet or exceed the EO's standards, is to partner with an organization that has the right experience, tools, capabilities and accelerators. Such a partner should be able to show it has helped companies enhance security across people, processes and technology throughout development, end to end.
Accenture's experience shows that this 'shifting left' approach can help provide:
Let's take this one requirement at a time.
First, the order seeks to ensure that application development is secure from beginning to end.
The order also strengthens data encryption and data protection.
The EO also calls for more source code testing, including static code scanning, dynamic composition analysis and penetration testing—including home-grown and third-party software.
The order encourages modernization and adoption of secure cloud services and third-party software.
While the security benefits of the EO and our approach are clear, we also believe tangible business benefits will follow. This includes:
Increased speed and scale: Clients are expected to develop and release applications faster, thanks to automated scans, rapid triage of critical issues and automatically generated reporting—all with optional hands-on program support.
More rigorous application scanning: Our scanning platform has reduced false-positive vulnerabilities by 47%. In addition, our orchestrated platform is capable of scaling scans and triage with our patented IQ guidelines, increasing accuracy by up to 93%.
Automated vulnerability remediation: Our technology can auto-generate remediation code for vulnerabilities found during scanning, automatically fixing Java issues 65% of the time, for example.
For more information, please contact our Security leadership team.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.
Copyright © 2021 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.