Cybersecurity Leaders from the Army, SSA, and USCIS Discuss Automating Software Security

The Efficiency Revolution: How Software and Security Engineers Are Streamlining Processes

It sounds like the beginning of a bad joke: Who is lazier, software or security engineers? While there isn’t a punchline, the reality is that both developers and engineers are finding innovative ways to reduce their workloads. But don’t call them lazy; perhaps "efficient" is a better descriptor. This shift towards efficiency is particularly evident in organizations like the Army Software Factory, the Social Security Administration (SSA), and the U.S. Citizenship and Immigration Services (USCIS), where the focus is on accelerating the deployment of new capabilities while maintaining robust security measures.

The Push for Automation

Angel Phaneuf, the Chief Information Security Officer for the Army Software Factory, emphasizes the importance of automation in her team’s workflow. During the Federal News Network’s Cyber Leaders Exchange 2024, she stated, “I personally don’t want to go through line by line of code review. I would rather just look at an automated dashboard through a process and then audit my automation.” This sentiment reflects a broader trend in the industry: the desire to streamline processes and minimize manual oversight.

Phaneuf’s approach highlights a key aspect of modern software development—focusing on the efficiency of pipelines. By ensuring that automated processes are functioning correctly, engineers can spend less time on tedious reviews and more time on strategic oversight. This shift allows for quicker iterations and faster deployment of new features, ultimately benefiting both the developers and the end-users.

Empowering Development Teams

Shane Barney, the CISO for USCIS, echoes Phaneuf’s sentiments. He believes that empowering development teams to take on traditional security responsibilities is essential for enhancing software security. “We have really driven a lot of our security — what we call traditional security — off onto our development teams,” Barney explained. By allowing developers to conduct static and dynamic code analysis themselves, the security team can focus on runtime analytics and understanding system behavior.

This approach not only fosters a sense of ownership among developers but also enhances their ability to predict release timelines. “They actually feel like they’re more in control,” Barney noted, contrasting this with the frustration of having a security team impose restrictions on releases. By placing developers in the driver’s seat, organizations can cultivate a culture of accountability and proactive security measures.

Innovative Practices: Code Batching

At the SSA, a novel practice known as code batching is being employed to enhance security processes. Tim Amerson, SSA’s deputy CISO, described code batching as a semi-annual exercise designed to ensure developers are equipped with the necessary skills to write secure code. This training model focuses on best practices derived from the Open Worldwide Application Security Project (OWASP) Top 10 vulnerabilities, which often stem from coding oversights.

Amerson emphasizes that the goal is not to assign blame but to enhance efficiency. “If we can build those best practices from the get-go, we’re all becoming lazy,” he said. The idea is that by embedding security practices into the development process, teams can avoid the pitfalls that lead to vulnerabilities, ultimately protecting both agency and citizen data.

Shared Responsibility in Security

The trend towards shared responsibility in securing code is becoming increasingly prevalent across various agencies. As organizations adopt more Software as a Service (SaaS) solutions and commercial applications, ensuring the security of these external software products is paramount. One effective strategy for achieving this is through the implementation of Software Bills of Materials (SBOMs).

The Army has announced plans to incorporate SBOMs into new contracts involving software by February 2024. Phaneuf noted that the Army Software Factory already utilizes SBOMs to track software packages and their associated vulnerabilities. “You can’t fix what you don’t know you have,” she stated, underscoring the importance of transparency in software supply chains.

The Role of SBOMs and Vendor Transparency

SBOMs serve as a crucial tool for organizations to understand the components of their software and identify potential vulnerabilities. However, Amerson cautions that the process must be automated to ensure continuous validation. “The process cannot rely on a paper document that’s out-of-date as soon as it’s printed,” he said. This automation is vital for maintaining an up-to-date understanding of software security.
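As an added illustration (not code from the article or from any of the agencies named), a minimal automated SBOM check of the kind Amerson describes: it parses a constructed CycloneDX-style SBOM, treats the document as stale when its generation timestamp is older than a cutoff, and matches each component's package URL against a constructed vulnerability feed. The SBOM contents, the feed, the package names and the VULN-PLACEHOLDER id are all made up for the example.

```python
import json
from datetime import datetime, timezone

# Constructed CycloneDX-style SBOM (sample data, not any agency's real inventory).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2024-09-01T12:00:00Z"},
  "components": [
    {"name": "example-parser", "version": "1.4.2", "purl": "pkg:pypi/example-parser@1.4.2"},
    {"name": "example-ui", "version": "3.0.1", "purl": "pkg:npm/example-ui@3.0.1"}
  ]
}"""

# Constructed vulnerability feed keyed by versionless purl; the id is a placeholder.
VULN_FEED = [
    {"purl_base": "pkg:pypi/example-parser", "affected": {"1.4.0", "1.4.1", "1.4.2"},
     "id": "VULN-PLACEHOLDER-0001"},
]

MAX_SBOM_AGE_DAYS = 30  # an SBOM older than this is treated as a stale "paper document"

def split_purl(purl):
    """Return (versionless purl, version); qualifiers after '?' are dropped."""
    base = purl.split("?", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, "")

def sbom_age_days(sbom, now):
    """Days since the SBOM was generated, from its metadata timestamp."""
    generated = datetime.fromisoformat(sbom["metadata"]["timestamp"].replace("Z", "+00:00"))
    return (now - generated).days

def find_vulnerable(sbom, feed):
    """Match each component's purl against the feed; returns (name, version, id) tuples."""
    findings = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp["purl"])
        for entry in feed:
            if entry["purl_base"] == base and version in entry["affected"]:
                findings.append((comp["name"], version, entry["id"]))
    return findings

def validate(sbom_text, feed, now_iso=None, max_age_days=MAX_SBOM_AGE_DAYS):
    """One pipeline check: flag a stale SBOM and any known-affected components."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    sbom = json.loads(sbom_text)
    return {"stale": sbom_age_days(sbom, now) > max_age_days,
            "findings": find_vulnerable(sbom, feed)}
```

Run on a schedule (or per pipeline stage) against the SBOM each build produces, so the inventory and its vulnerability matches are regenerated rather than maintained by hand.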

Moreover, Amerson is exploring the concept of a Code Bill of Materials (CBOM), which would provide insights into the individual code components sourced from various vendors. This approach aims to enhance visibility into potential vulnerabilities that may arise from third-party code, ensuring a more comprehensive security posture.

Addressing Third-Party Risks

While SBOMs and CBOMs are valuable tools, Barney raises concerns about their effectiveness in addressing risks associated with large cloud providers like Amazon Web Services, Google, and Microsoft. “Where I get a lot of concerns is from third-party risk,” he explained. Many applications used within an organization may not be directly related to their coding practices, yet they can introduce vulnerabilities that remain hidden from view.

This highlights the need for a holistic approach to security that encompasses not only the software developed in-house but also the myriad of third-party applications and services that organizations rely on. As the landscape of software development continues to evolve, so too must the strategies employed to secure it.

Conclusion: A New Era of Efficiency

The shift towards efficiency in software and security engineering is not about laziness; it’s about embracing automation, empowering development teams, and fostering a culture of shared responsibility. By leveraging innovative practices like code batching and SBOMs, agencies like the Army Software Factory, SSA, and USCIS are paving the way for a more secure and efficient software development process.

As organizations continue to navigate the complexities of modern software development, the focus on efficiency will remain paramount. By prioritizing automation and collaboration, they can not only enhance their security posture but also ensure that they are well-equipped to meet the challenges of an ever-evolving digital landscape.
