It's time to demand security by design

If you're not infusing security practices into your development efforts from the early stages, you are setting the stage for a risky and potentially devastating outcome: one where you lose valuable time and money and expose your organization to security risk.

In our Cyber Moonshot paper we identified Security by Design as one of five essential elements of achieving cyber resilience: Security must be engineered into the core of every system from the start.

Adopt a DevSecOps approach

Over the past several years, DevOps has gained in popularity as a proven way to bridge the gap between developing and operationalizing applications. DevOps is an enabler that delivers automation, repeatability, agility and speed across the entire lifecycle.

Now, with DevOps in its mature state, Federal agencies have the momentum to embed security into the approach, creating a new DevSecOps model that transforms security into another enabler for the business.

Embracing DevSecOps allows Federal agencies to:

  • Drive agile development
  • Bring all stakeholders to a high level of security understanding in a short period of time
  • Ensure security is "baked in" from the beginning

"Ultimately, security becomes everybody's job, speed to delivery is enhanced, budget is maximized … and there is no surprise ending."

— GUS HUNT, Managing Director, Cyber Strategy Lead, Accenture Federal Services

Things you can do right now

Whether or not your organization is ready to embrace DevSecOps now, every agency can benefit from a close examination of its current application security practices. To balance business needs with security risks, start by focusing on these key areas:

Set and enable standards

  • Develop a secure technical architecture integrated within the overarching business and security architecture.
  • Identify the necessary training and tooling to enable developers to effectively implement standards.

Model threats to assess risk

  • Gain an understanding of the context in which an application will be used and the infrastructure in which the application will operate.
  • Assess the likelihood that a system will be a target and develop appropriate safeguards through threat modeling.
  • Develop security testing approaches that can be included in automated testing scenarios.

Test to identify vulnerabilities

  • Make testing a part of every development sprint.
  • Use basic testing to identify and flag areas with common mistakes, and complement this with static application security testing (SAST, or "white box testing") to see if the application can be penetrated.
  • Implement dynamic application security testing (DAST) to evaluate security when an application is running.

Ensuring cyber resilience

Security by design (DevSecOps) is one of the five essential technology pillars needed to shift the balance of power away from our adversaries and tip the scales in our favor.

In our Cyber Moonshot paper we outline our thinking about each of these pillars.

  • Embrace the cloud for security
  • Engage in proactive defense
  • Demand a data-centric approach
  • Build in cyber resilience

Gus Hunt

Cyber Strategy Lead
