Application Security Testing (AST) — reduce your cybersecurity risk

“Improving the Nation’s Cybersecurity” is a top priority across all federal agencies. Constant and fast-paced application innovation is the new norm of today’s digital enterprise. Vulnerabilities are waiting to be exploited by adversaries and their increasingly sophisticated malicious attempts such as the Log4J application exploitation.

The Office of Management and Budget’s (OMB) Memorandum 22-09 specifically charges agencies to operate dedicated Application Security Testing (AST) programs for a stronger and more robust cyber posture. Early and continuous AST minimizes the risk of sensitive data exposure and system compromise. To prevent most application security threats, agencies need a dedicated AST program that implements a variety of tools to continuously assess and address application vulnerabilities throughout the Security Development Life Cycle (SDLC).

The software development lifecycle begins with analysis before moving to design, development, and testing. Next comes deployment and finally, maintenance.

AST tools

Testing requirements and guidance released by OMB, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency will make applications more resistant to security threats and identify security weaknesses and vulnerabilities. Ultimately, the goal is to create a holistic AST program of automated tools and manual testing that continuously examines applications as they are developed and continue through the SDLC. AST methodologies can be categorized into:

  • Automated AST relies on written code/test scripts and tools to test and validate an application. It can be completed in less time than manual testing and covers more test permutations; however, it does require heavy coding and maintenance.
  • Manual testing is executed by human security testers to discover complex bugs that automated testing cannot detect or to resolve automated testing’s false positives. It requires a substantial level of expertise, effort, and time.

An AST program uses a variety of tools throughout the SDLC, many of which are described in the table below.

The original table rates each AST tool on its purpose, whether it scans proactively or reactively, whether it produces few false positives, and its cost. The tools and their purposes:

  • Static application security testing (SAST): examines source code for weaknesses.
  • Dynamic application security testing (DAST): finds security vulnerabilities in a running environment.
  • Interactive application security testing (IAST): analyzes code for vulnerabilities by simulating scenarios in a running environment.
  • Mobile application security testing (MAST): identifies vulnerabilities in applications used with mobile platforms during or after development.
  • Software composition analysis (SCA): identifies open-source software in the codebase.
  • Manual testing: examines all essential features to find more complex and logical vulnerabilities.

Top AST threats

According to the Open Web Application Security Project (OWASP), the top three application security threats are broken access control, cryptographic failures, and injection.

A table featuring best practices and AST tool(s) to address broken access control, cryptographic failure, and injection vulnerabilities.

Third-party application security testers

Another component of a dedicated AST program is the use of independent third-party application security testers who specialize in identifying vulnerabilities internal staff may miss. These expert firms have the skills and certifications required to provide high-quality results and ensure applications hold up against real-world cyber attacks.

GSA cybersecurity resources

GSA created the AST Buyer’s Guide to help federal agencies meet AST program requirements, provide Third-Party Application Security Tester selection criteria, and address application security threats. It provides an overview of AST, key considerations when implementing an AST program, and helps identify and procure AST offerings to improve your agency’s application security posture.

To make the acquisition experience easier and more efficient, GSA also provides useful resources like an AST summary sheet, AST statement of work template, and AST informational video. These and many other resources can be found at www.gsa.gov/ast.

GSA cybersecurity support

The GSA IT category team is available to answer questions and provide subject matter expertise related to purchasing AST, cybersecurity, and a full range of IT products and services. Please contact the IT customer service center at 855-ITaid4U/855-482-4348 or itcsc@gsa.gov.

Follow ITC on LinkedIn and Twitter, and subscribe for blog updates.

GSA supports National Strategy to Secure 5G with new acquisition guidance

GSA’s Acquisition Guidance for Procuring 5G Technology supports an ongoing, multi-agency effort to document and share best practices for optimal 5G deployments.

National Strategy

As discussed in past posts, the Federal Government views 5th generation (5G) wireless technology as a future driver of the global economy. It also views the security of 5G information and communications technology and services infrastructure, and the data transmitted and stored on it, as a key national security interest. In addition to protecting data on the network, a trusted, secure supply chain is also paramount. We cannot ensure the security of 5G networks if untrusted equipment or software is allowed to control any part of them.

The National Strategy to Secure 5G is our country’s game plan to manage the risks associated with next generation wireless technologies and the new use cases they open up. GSA’s role is to establish acquisition processes and facilitate federal agency adoption of 5G infrastructure with appropriate security safeguards and adherence to national policies. The desired outcome is a resource that helps agencies identify their standards, specify security controls, and catalog other relevant requirements to provide a secure 5G infrastructure.

GSA guidance

Screenshot of the front page of the "GSA Acquisition Guidance for Procuring 5G Technology" with a white and navy background. There is a colorful technology graphic at the bottom right of the screen.
Download the PDF at buy.gsa.gov or order physical copies at cmls.gsa.gov.

The subject matter experts behind our Wireless Mobility Solutions contracts applied this directive to the early 5G use cases they were observing at various agencies. We coordinated extensively with the interagency Federal Mobility Group, and we incorporated valuable input from experts in other agencies and industry. The result is our Acquisition Guidance for Procuring 5G Technology, a plain-language white paper that charts the progression of 5G in the public sector, outlines its core standards, explores government use cases, and delves into acquisition strategies that balance flexibility with security requirements. In particular, the Guidance features:

  • Tools and strategies for contracting 5G – A model acquisition process that details how technical staff should go about defining requirements and how contracting staff should use them to structure a solicitation.
  • 5G use cases in government – A living list of 5G use cases and pilot programs applicable to the public sector.
  • Standards for 5G – A detailed accounting of the international and U.S. standards that are used to determine requirements for 5G.
  • General background – A plain-language narrative describing the evolution of cellular technology, the capabilities 5G offers, its relevance to the public sector, efforts underway to secure it, and its potential to shape future telecommunications products and services.

The wheel keeps turning

A six-sided "5G Wheel" in shades of purple depicting what the GSA Acquisition Guidance for Procuring 5G Technology features: Technology, Standard, Security, Policy, Acquisition, and Use Case.
The “5G Wheel” is one model of visualizing the components that enable resilient deployments.

We’ve previously described our “5G for Government” strategy as the understanding of six core concepts: Technology, Standards, Security, Policy, Acquisition, and Use Cases. Use cases are the real-world applications that agencies are pursuing, or want to achieve. Acquisition is the nuts and bolts of getting the solution in place in the most efficient and effective way. Once you understand the technology, know the standards, consider the security aspects, and are up-to-date on governmentwide policies, then it’s time to plan and execute. If you think of this strategy as a circle or wheel, the Use Case is the end of one cycle and the beginning of another. Each rotation strengthens our collective understanding of what makes a 5G deployment secure and successful.

The Acquisition Guidance for Procuring 5G Technology is GSA’s first effort to distill this collective knowledge into a usable format to help government technology managers, their contracting offices, and trusted industry partners buy, build, and use secure 5G systems. As a living document, the Guidance will be frequently reviewed to keep pace with changing technology, ensure governmentwide cybersecurity requirements are accurate, and incorporate feedback from stakeholders. Send feedback, questions, and suggestions to wireless@gsa.gov.