By Mark Townsend, Vice President of Professional Services at Invicti Security
With access to some of the world’s most sensitive and secure data and systems, the U.S. Department of Defense is a natural candidate to lead innovation on zero trust security. To that end, the department has set an ambitious five-year goal to deploy zero trust-based technologies at a pace equal to or exceeding industry advancements to stay ahead of the changing threat environment.
As this happens, the zero trust initiative will usher in new changes in how agencies create and maintain web applications. Let’s examine how zero trust is likely to evolve in DOD environments over the next few years, and the pivotal role application security is playing in that evolution.
The zero trust implementation drive
While the basic value of zero trust as a cybersecurity approach is now widely understood, the optimal strategies for implementing zero trust in DOD systems continue to evolve as new tools and techniques become available. DOD offers a Zero Trust Framework to guide agency efforts, but each agency still needs to fine-tune that framework when applying zero trust to its own specific IT and operational environment.
Complicating this path is the fact that zero trust isn’t just about cybersecurity; it’s also tied to broader modernization efforts that need to happen across the enterprise — from device access and data flows, to network monitoring, processes automation, visualization tools and more. Among these many implementation priorities, however, two areas in particular stand out for their critical role in ensuring zero trust security.
The first involves data and the need for agencies to leverage cloud services to securely manage sensitive data and information sharing across the enterprise. The second critical area is the need for better orchestration via API standardization, process automation and related efficiencies. Better AppSec is the key to satisfying these requirements for DOD agencies.
Five top priorities for the zero trust AppSec playbook
While every organization in the DOD environment will need to tailor its zero trust AppSec approach to the nature of its operations, here are five key priorities that should appear in any successful playbook:
- Accelerate with outside expertise — Though nearly all DOD agencies have some internal cybersecurity expertise, these security professionals are often stretched thin and need support from partners with expertise and perspective who can help with smooth implementation, integration and customization.
- Integrate security testing into development and operations — Website and application security should not be an afterthought. It is crucial to adopt a DevSecOps approach in which automation and security testing are integrated into the application development process, including modern dynamic application security testing (DAST) and interactive application security testing (IAST).
- Map your entire attack surface — Map out the entire online presence to understand the agency’s attack surface. This often includes maintaining a software bill of materials and using web asset discovery tools to build a central inventory of all websites and applications.
- Update, test, and maintain your incident response plan — Make sure to test procedures and refine them regularly. Run simulated incidents to assess the effectiveness of response and recovery processes and to identify any gaps. Make sure to also have a suitable backup and restoration plan.
- Make security everyone’s responsibility — Most cybersecurity incidents are tied to malware and ransomware triggered by someone clicking a phishing link or falling for another exploit. Cybersecurity awareness and education must be an everyday part of a DOD agency’s culture for every employee and contractor.
Reaping value from zero trust AppSec
Web application security is essential to zero trust and has a strong impact on DOD’s ability to apply the Zero Trust Security Model to real-world systems. Using the five priorities above as guidelines, a well-implemented AppSec solution can be seamlessly integrated into application workflows to revolutionize zero trust use cases across DOD.
As an example, consider the time-consuming challenge of weeding through alerts, many of which may be false positives. By automating scanning and key parts of the investigative process, agencies can continuously secure all web assets without overwhelming security teams with manual validation tasks. Fixing vulnerabilities becomes simpler, more systematic and more proactive — especially when ticketing and alert systems are configured to automatically trigger scans in response to software integration events.
Cyber threats remain a constant, but DOD organizations now have a plan for a bold response using zero trust security models. The right AppSec approach can contribute to this effort by ensuring zero noise, fewer false positives and more efficient operations via automation. Throughout, agencies maintain complete visibility and control over web application security across all environments to bring stronger zero trust protections to the entire DOD IT ecosystem. As an AppSec vendor offering a DOD-validated containerized deployment, Invicti is here to help. Learn more about how the DOD can adopt a zero trust strategy in our recent white paper on advancing security strategies.