The Cybersecurity and Infrastructure Security Agency has issued principles and guidance for secure software production, and over 150 companies have signed CISA’s “Secure by Design” pledge in just over two months. The fact that companies are pledging to improve developer practices in seven key areas — including adopting multi-factor authentication, proactive security patching and establishing vulnerability disclosure policies — is a great start, and advances what CISA Senior Advisor Lauren Zabierek describes as the “Secure By Design Revolution.” But to significantly improve software security practices, companies need to also make their development environments more secure.
One way to do that is to shift software development to the cloud. While this may seem contradictory, given that many federal agencies shied away from the cloud a decade ago due to security concerns, the practice is gaining popularity across industries today.
This is especially true in highly regulated environments like public sector technology. In a new report, Gartner projects that by 2027, 40% of organizations in highly regulated verticals will mandate the use of cloud development environments (CDEs), up from less than 10% in 2024.
What are CDEs?
CDEs are platforms which orchestrate workspaces — virtual machines or containers that developers can use to code online. They’re pre-loaded with the tools, libraries and dependencies developers need to start coding. Developers can log on and work in the cloud rather than be tied to a system on a physical hard drive.
For most organizations, CDEs’ main draw is their ability to improve developer experiences. Decoupling the development workspace from the physical workstation makes it easier for organizations to onboard developers, reduce friction in everyday tasks and provide more consistent configurations across their IT environments.
More organizations are recognizing how shifting development to the cloud can help them improve their security postures. In a recent survey, developers identified security as the top consideration when selecting CDEs, with nearly 44% of respondents listing it as a key factor in their decision.
This is important for federal agencies — and the contractors that serve them — for the simple reason that security breaches are still far from under control. Security events increased again in 2023 after three years of decline. The number of records exposed in these events also quadrupled between 2022 and 2023.
Here are three areas where moving development to the cloud can help software become more secure.
Source code
Security of source code and data, often in air-gapped networks, is critically important to federal agencies. CDEs help because they move source code and sensitive data into secure cloud locations, making it impossible to download code and copy files into a separate environment. CDEs take it a step further when they’re self-hosted so there is limited risk of any data leaving a government agency’s secure cloud.
Security policies
When developers are left to provision and maintain their own local development environments, they may not follow (or be aware of) internal security guidelines. The onus is on them to configure their own environments to comply with organizational regulations. The guidance usually lives in FAQ documents, wikis or checklists, and everything has to be configured manually.
This can lead to inconsistent security practices. It becomes more difficult for IT leaders to enforce best practices, such as updating developers' local tools in a timely manner when a vulnerability is exposed. CDEs enable the source code and sensitive data to stay under the agency's control in its own infrastructure, whether that is a hyperscaler's cloud or the agency's own on-prem, air-gapped cluster. Patches are applied immediately with an audit trail. There are options to record when workspaces are created and used, and even what processes are running inside them.
Compliance
For government institutions, ensuring data sovereignty and compliance with regulatory standards can be difficult when data is distributed across numerous decentralized machines. CDEs help agencies comply with regulations by allowing them to self-host their development environments and store the data on existing, compliant systems.
Centralizing control over environments gives agencies more visibility into the development environment. And enforcing encryption becomes a lot easier when it is a centralized activity rather than one carried out on each decentralized device.
The continued rise in ransomware, phishing and AI-based cyberattacks across industries is forcing federal agencies to adopt new security strategies. Adding more protections and more control over software development environments gives them a valuable tool to ensure that software supply chains are secure not only by design, but also in practice.
Tim Quinlan is senior technical manager at Coder.
© 2024 Federal News Network. All rights reserved.