What Biden’s executive order on cybersecurity means for web application security
The US government is rethinking its cybersecurity approach after recent high-profile cyberattacks. President Biden’s executive order from May 12th lays down some ambitious and noble goals to help protect agencies against current threats and bring them into the cloud-first software world. Let’s see what the order means for web application security specifically.
Your Information will be kept private.
Your Information will be kept private.
Learning from past mistakes
To anyone familiar with the cybersecurity headlines of the past year, the executive order is a clear response to the SolarWinds and Colonial Pipeline cyberattacks, calling out goals related to securing the software supply chain and critical infrastructure against future attacks and accelerating incident response. But beyond the reactive measures, it also attempts to reorganize and streamline the whole federal approach to cybersecurity to prepare for the future.
The document starts with a government commitment to “protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.” The direct recommendations that follow start with reactive measures focused on threats and attacks against networks and on-premises software. Section 3, however, looks ahead and urges government agencies to “accelerate movement to secure cloud services.” This is a pragmatic approach: we need to quickly close existing gaps and improve security here and now but also prepare the ground for long-term solutions.
What about web applications?
With web applications being the most common external vector for cyberattacks, it is clear that any moves to secure cloud services and future software products must include web application security. Reading between the lines of the executive order, many of the recommendations for ensuring software and network security also apply to web applications. For example, when improving the “detection of cybersecurity vulnerabilities and threats to agency networks,” organizations must take web vulnerabilities into account because a vulnerable web application may well provide attackers with an entry point into internal systems.
When you add recommendations to move to cloud solutions and zero-trust architecture, it is clear that secure web applications protected by robust authentication will dominate the software world in the future – a trend long confirmed by industry analysts. Building and maintaining this software will require application security testing that mirrors the latest capabilities of real-life attackers while also ensuring full test coverage with modern authentication methods. The order emphasizes the need for rapid response to security threats. Simply put, agencies can only be successful in this if their tools have powerful automation.
Innovating to build security into web development
One positive consequence of the SolarWinds hack is the growing awareness that modern software development relies heavily on external components, both commercial and open-source. Replacing the monolithic bespoke applications that dominated as little as a decade ago, today’s web applications, including commercial products, combine custom code and open-source components, with the latter commonly making up from 70% to 90% of the codebase. For web development, testing security across the software supply chain requires visibility into the security status of the entire software stack, including all open-source components and dynamic dependencies.
The order explicitly calls for “action to rapidly improve the security and integrity of the software supply chain” and criteria to “identify innovative tools or methods to demonstrate conformance with secure practices.” For web development, this requires visibility into the security status of the entire software stack, including all open-source components and dynamic dependencies. While not providing any immediate recommendations related to tooling, the order anticipates future requirements for:
“... employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release”
This is a direct call to incorporate automated security testing into the development pipeline – already a recommended practice for DevOps workflows but a tall order for less agile development approaches. Having a best-practice solution and process in place, complete with comprehensive reporting capabilities, will be especially important considering the further requirement of “attesting to conformity with secure software development practices.”
Ready for the future with modern DAST
Among other deadlines, the executive order gives the Director of NIST until July 12th to publish guidelines for software vendors related to software security testing. When these and other guidelines do arrive, both suppliers and government agencies will need solutions that deliver measurable improvements across the board – and quickly, considering the relatively short timelines. For web application security, a modern dynamic application security testing (DAST) solution is a highly effective way to get there.
Dynamic testing, whether manual or automated, is an indispensable part of any web application security testing process. Because it is performed on a running application, it most closely approximates the actions of real-life attackers by finding attack surfaces across the entire product. Modern DAST tools such as Invicti are no longer limited to their traditional role of late-stage testing and can be used at multiple stages of the software development pipeline, from development to production. Invicti, in particular, was built with accurate automation in mind and uses Proof-Based Scanning technology to deliver automatically confirmed vulnerability reports directly to developers for rapid remediation.
Rapid improvements today, streamlined security tomorrow
Considering the expectations set by the executive order, a versatile and accurate AppSec solution such as Invicti can help to cover many bases and get demonstrable results quickly. This includes testing all components of a running application, integrating security into development, performing pre-release testing, running regular tests on production applications, and using built-in reports to demonstrate compliance. While DAST is by no means the only approach to application security testing, it is certainly the one that can help you get maximum security testing coverage and measurable results quickly, regardless of your current development and operations workflows – and the clock is already ticking.