SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Public sector IT teams must adopt a new approach to app security
Tue, 7th Mar 2023

As public sector organisations have ramped up their digital transformation programs to meet rapidly evolving citizen needs and enable hybrid work during the pandemic, application release velocity has skyrocketed. But application security has largely failed to keep pace, and, for many organisations, this is now presenting a major problem.

In the latest research from Cisco AppDynamics, "The shift to a security approach for the full application stack", 90% of public sector technologists admit that the rush to rapidly innovate and respond to the changing needs of end users has come at the expense of robust application security during software development.

Technologists are struggling to manage soaring volumes of emerging cyber threats across an increasingly dynamic and fragmented IT environment. And this is making public sector agencies ever more vulnerable to potentially catastrophic cybersecurity attacks.

In response, government technologists urgently need to integrate security into every stage of the application lifecycle. DevSecOps, where development and security teams work hand-in-hand, enables developers to embed robust security into every line of code, resulting in more secure applications and easier security management before, during and after release.

Worryingly though, the research suggests that public sector IT departments are falling behind in the transition to DevSecOps, compared with other industries. Government technologists express concern that their organisations don’t have the right skills and tools in place to manage new security threats.

It is therefore critical that technologists act now to address this escalating issue by adopting a security approach for the full application stack.

Application security vulnerabilities exposed by siloed approach

Within most organisations, security teams (SecOps) have traditionally operated separately from the rest of the IT department. Security has often been perceived as a reactive function, brought in to resolve security breaches and patch up vulnerabilities. Indeed, 61% of public sector technologists regard security as an inhibitor, rather than an enabler, of innovation, a higher proportion than among their counterparts in any other industry.

But the shortcomings of this siloed approach are being dramatically exposed as the speed of application development accelerates. In particular, wholesale adoption of cloud-native applications and architectures, with application components increasingly running on a mix of cloud platforms and on-premises databases, is leading to a significant expansion of attack surfaces. This is leaving major visibility gaps for IT teams, with current security solutions unable to provide a comprehensive view of their organisation’s security posture.

Technologists are being bombarded with security alerts from across the application stack, and they can’t cut through the data noise to understand the risk level of security issues and prioritise remediation based on end-user impact. In fact, more than half of public sector technologists admit that they are overwhelmed by the volume of security threats and vulnerabilities to their organisation - they simply haven’t got enough time and resources to manage a constantly changing and ever more complex application security landscape. The result is that many IT teams are ending up in ‘security limbo’, doing nothing because they simply don’t know what to focus on and prioritise.

Public sector technologists must accelerate the shift to DevSecOps

Faced with this growing challenge, IT leaders recognise the need for much closer collaboration between teams and a more proactive approach to application security. DevSecOps brings together ITOps and SecOps teams so that application security and compliance testing are incorporated into every stage of the application lifecycle, from planning through to shipping.

However, the research finds that the public sector has been slow to begin the move to DevSecOps, with only a third of IT departments having started to transition to this new approach. More than half of public sector entities are still just considering DevSecOps.

Evidently, given the heightened risks they are facing, IT departments need to switch to DevSecOps as a matter of urgency. Technologists need to be prepared to go outside their comfort zone, putting aside entrenched mindsets and embracing a more collaborative and open way of working. They also need to develop new skills and look to extend their knowledge beyond their own specific discipline - they will need to become both specialists and generalists in their skills and outlook to succeed in a cloud-native environment.

As well as cultural change, DevSecOps relies on the implementation of holistic monitoring systems which leverage automation and AI technologies within application security processes. This is the only way for IT teams to cope with the spiralling volumes of security threats organisations are facing.

This type of automation is vital for identifying weaknesses, predicting future vulnerabilities and remediating issues. Once IT teams can teach AI tools to identify threats and resolve them independently of an admin, the benefits are game-changing: reduced human error, increased efficiency, and greater agility in development.

Ultimately, DevSecOps will see application security become an accelerator for innovation rather than a barrier. By taking a proactive approach to security throughout the lifecycle of their applications, public sector technologists will spend less time trying to identify and resolve issues and more time on strategic activities based on citizen needs.