The new cybersecurity Executive Order (EO) is a bold and important step that will require organizations to build in security when creating software. Verizon's 2021 Data Breach Investigations Report showed that web applications were involved in nearly half of security breaches, and as such we believe the EO is overdue and necessary. We applaud its intentions and reach.

It won't be easy—but it will be rewarding

The EO will require a lot of work from software suppliers, including providing more proof of security throughout the development lifecycle. But this is also an opportunity. The EO is a call to action for software suppliers to significantly improve their maturity in cloud, zero trust, multi-factor authentication, incident tracking, reporting and testing. The companies that get it right will likely establish a competitive differentiator while helping organizations in every part of the supply chain improve resilience.


The big question: How to meet the EO's goals?

Many organizations we work with are already operating with an application security framework. This is a good start, but it will only get them part of the way. The next step is to apply and scale that framework effectively. The most recommended way to do this quickly and efficiently, in a manner that can help meet or exceed the EO's standards, is to partner with an organization with the right experience, tools, capabilities and accelerators. Such a partner should be able to show it has helped companies enhance security across people, processes and technology throughout development, end to end.

The good news: Significant business benefits await

Accenture's experience shows that this 'shifting left' approach can help provide:

  • 70% reductions in build costs.
  • 30x less remediation cost.
  • 3x faster build speeds, compared to legacy methodologies.
  • 50% average time reduction to go-live.
  • 40% reduction in run operation costs vs. legacy.

How Accenture's application security solution can help companies comply with the EO

Let's take this one requirement at a time.

First, the order seeks to ensure that application development is secure from beginning to end.

  • This concept is not new to Accenture. A longtime leader in DevSecOps transformation, we have more than 10 years' experience helping organizations create and embed secure code repositories, scanning capabilities, vulnerability testing and composition analysis.
  • In order to truly shift left and incorporate security requirements into the user stories, we built a capability to generate security stories based on scan results, enabling developers to secure their code as they develop it.

The order also strengthens data encryption and data protection.

  • Accenture's data protection capabilities focus on encrypting and securing both the data companies know about and the data they don't know about: their unsecured data. Accenture does this by helping companies proactively find and eliminate unsecured data at rest, in transit and in use. This significantly reduces customer and organizational risk while improving compliance.

The EO also calls for more source code testing, including static code scanning, dynamic composition analysis and penetration testing—including home-grown and third-party software.

  • Accenture's Intelligent Application Security Platform dramatically scales dynamic application security testing (DAST), software composition analysis (SCA) and static application security testing (SAST), while significantly reducing the cost of delivering these services. The platform supercharges application security by scanning thousands of applications, eliminating false positives using our AI models and integrating with platforms that provide intelligence around vulnerability and bug tracking. It also provides faster remediation/mitigation support.
  • To further strengthen testing, Accenture employs more than 500 people in North America, Europe and Asia to provide hacker-inspired penetration testing. This service, which can be tailored to organizations and their specific industry, helps identify critical threats early and often.

The order encourages modernization and adoption of secure cloud services and third-party software.

  • Accenture is also a longtime leader in helping organizations digitally transform and migrate to cloud, thanks to our Journey to Cloud capabilities. We have helped many companies securely transition from on-prem to cloud, specifically focusing on application security in APIs, containers and microservices.
  • We also help companies reduce third-party risk through software composition analysis, which identifies and eliminates outdated, insecure libraries.

While the security benefits of the EO and our approach are clear, we also believe tangible business benefits will follow. These include:

Increased speed and scale: Clients are expected to develop and release applications faster, thanks to automated scans, rapid triage of critical issues and automatically generated reporting—all with optional hands-on program support.

More rigorous application scanning: Our scanning platform has reduced false positive vulnerabilities by 47%. In addition, our orchestrated platform is capable of scaling scans and triage with our patented IQ guidelines, increasing accuracy by up to 93%.

Automated vulnerability remediation: Our technology can auto-generate remediation code for vulnerabilities found during scanning, automatically fixing Java issues 65% of the time, for example.

For more information, please contact our Security leadership team.


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.

Copyright © 2021 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.


Ganesh Devarajan

Managing Director – Accenture Security, Global Application Security Lead
