An IT modernization bill currently moving in Congress would be improved by a focus on building security into software from the very start of the development lifecycle.
That giant sucking sound you're hearing (especially if you're a frustrated federal network manager) is the noise made by legacy IT systems hoovering up more than 60% of federal IT spending. By comparison, IT modernization accounts for about 13% of total spending on government IT.
The Legacy IT Reduction Act would be a boon to agencies faced with the challenge of replacing or upgrading burdensome legacy IT that's often outdated, unreliable and, yes, costly to maintain. The bill would require (and fund) agencies to modernize outdated legacy IT systems and develop plans for updating and disposing of legacy systems. The shift to modernization would bolster security and save taxpayer dollars. Yet in the near term, the Legacy IT Reduction Act could create security issues.
A key feature of this bill is its requirement that the Office of Management and Budget assist agencies, in the form of guidance, with identifying and modernizing legacy IT. Agencies' modernization plans would be due two years after the bill becomes law. This is yet another step forward in the fight toward improved network security. It complements the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model, a roadmap for developing agencies' zero trust strategies and implementation plans.
But how can the bill, despite its good intentions and likely improvements, fail to acknowledge that poorly written code remains in wide use and is an equally important (perhaps greater) concern for software security? Working with congressional leaders, we must all ensure that this opportunity to mandate and fund modernization does not overlook fundamental application security requirements, and that it empowers federal government technology leaders to secure their applications as they code. Now, more than ever, is the opportunity to "shift left."
In today's bustling cyber landscape, the concept of "shift left" is hard to miss. It focuses on building security into software from the very start of the development lifecycle, giving agencies a remarkable advantage in the fight against malicious hackers.
In addition to embedding security from the start, agencies should take the initiative at the application layer to regularly scan software for flaws and prioritize fixing the vulnerabilities found. Without tools that address application-layer security, simply updating legacy systems may not be enough to deliver robust cybersecurity.
It is increasingly important that responsible organizations apply application security principles that hold up across the globe. As Veracode's recently released State of Software Security version 12 report found, government agencies have the highest proportion of applications exhibiting flaws of any industry sector compared, at 82%. The public sector also ranked last in its ability to fix flaws once detected, roughly two times slower than other sectors. This underscores the need for stronger government software security. Beginning with the application layer is a proven way to address these vulnerabilities.
Initiatives such as OMB's zero trust memo, the software bill of materials, and CISA's aforementioned Zero Trust Maturity Model all help outline the path toward a zero trust architecture. The Legacy IT Reduction Act could benefit from incorporating, or at the very least pointing to, this guidance.
Overall, the Legacy IT Reduction Act has the right idea in tackling modernization, but it can be improved. The act must require agencies to implement software security testing. With an overall fix rate of only 22%, the public sector is struggling to keep software supply chain attacks from impacting applications critical to all aspects of life. A comprehensive software security platform is needed to provide the strongest protection against cyberattacks before they occur, arguably more so in government agencies than anywhere else. The time is now for federal technology leaders to take action toward a future of secure systems. Shifting left can make this a reality.
Chris Wysopal is founder and chief technology officer at Veracode.