Guest Editorial by Chris Wysopal, Founder and CTO of Veracode
As the year unfolds and the government’s digital transformation develops apace, networks’ attack surfaces continue to expand.
Out of necessity, federal IT experts are preparing for cybersecurity risks that could threaten vulnerable IT assets this year and beyond. The government’s challenge is to use ubiquitous IT tools – like cloud services, mobile technology, and artificial intelligence – to meet mission objectives while maintaining cybersecurity.
To attain those goals, the government must think differently.
Traditional IT practices – from how the government develops software to its outdated reliance on perimeter security – aren’t adequate in an era of IT modernization, cloud migration, accelerated digital innovation, and sophisticated cybersecurity threats.
(Millions of vulnerabilities are discovered and exploited regularly across all industries. The average cost of a data breach is over US$3 million. Learn about CodeSentry, a Binary Software Composition Analysis (SCA) tool derived from GrammaTech’s ground-breaking binary code analysis research. Courtesy of GrammaTech and YouTube.)
Last year, a statement by President Biden on “our Nation’s Cybersecurity” acknowledged cyber threats to the public sector and the country’s critical infrastructure – and the need to shore up domestic cyber-protection initiatives.
Executive orders (EOs) issued by the administration (“Improving the Nation’s Cybersecurity” and “Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government”) challenge government development teams to quickly build and deploy software while simultaneously improving customer experience (CX) and securing data and systems. It’s a tall order.
Veracode’s annual State of Software Security (SoSS) 2023 report found that the public sector has the highest proportion of security flaws in its applications compared to other industries.
In addition, public-sector organizations consistently have some of the lowest (and slowest) fix rates of any economic sector.
The good news is that agencies have never had more quality options for securing applications.
By leveraging technologies and platforms developed to detect, verify, and fix vulnerabilities, they can implement secure-by-design programs for critical software.
Software Bills of Materials (SBOMs)
Last September, the White House’s Office of Management and Budget released a memo requiring federal agencies to begin using SBOMs in the coming year. In 2023, simply knowing what’s in the software used by agencies will improve security.
Historically, code used to build software has largely been opaque, resulting in “black box” applications. There was no easy way for developers or users to know what was in software, including digital tools critical to government operations and security.
SBOMs pull back the curtain on software opacity by providing a list of components inside applications, much like labels on prepared foods list the ingredients baked into consumable products.
Software is consumable, too. Providing developers transparency into the code they use to build applications will give agencies “the IT equivalent of a government-mandated food label,” said Dr. Allan Friedman, a senior adviser, and strategist at CISA, who spoke at Veracode’s 2022 Build Trust Summit.
SBOMs will enable developers to make informed choices about software creation, leading to better security outcomes.
Highlighting the benefits of using SBOMs and their imminent adoption in the public sector, Dr. Friedman said work is underway to “scale and operationalize” supply chain transparency.
(Learn more by listening in on Veracode and Cybeats as they engage in a discussion breaking down all of the details from creation to strategies around SBOMs. Courtesy of Veracode and YouTube.)
Zero Trust
2022 was the year that the government’s shift to a zero-trust architecture became real to many federal IT professionals. In prior years, zero trust had seemed theoretical, like flying cars or quantum computing.
Zero trust has become an important shift in securing IT networks and data.
The era of the castle-and-moat security architecture model has gone the way of jousting and dragon slaying. Federal agencies must adapt to no-perimeter security.
(Understand more. A zero-trust approach aims to wrap security around every user, every device, and every connection — every time. Unify and integrate your security tools to protect your most valuable assets and proactively manage threats. Courtesy of IBM Technology and YouTube.)
Zero trust takes a holistic approach to cybersecurity, enabling agencies to quickly develop secure software – instead of choosing between speed or security.
With the expansion of digital services, federal agencies must secure the software supply chain and adopt zero-trust cybersecurity principles.
By mandate, government agencies must implement zero-trust infrastructure. CISA’s Zero Trust Maturity Model provides a framework for developing advanced cybersecurity and cites application security as a main pillar of the model.
The emphasis on application layer security compels agencies to address security concerns earlier in software development. Among developers, this concept is referred to as “shifting left.”
Software Supply Chain Security
The security of software supply chains is demanding more attention in 2023. That’s because supply chains deliver applications and code used to build new software, including those that support national defense, public safety, healthcare, and financial transactions.
Flaws in applications create exploitable vulnerabilities that have the potential to compromise military operations, public utilities, medical machines, and financial records.
Veracode’s annual State of Software Security 2023 report offers a simple prescription to the challenges of supply chains and, more generally, the potential vulnerability of software: reduce security debt and avoid introducing security flaws that accumulate over the life of your applications.
Where applications are concerned, the report found no steady state of security.
(See a quick snapshot of what Veracode uncovered during our annual State of Software Security (SoSS) report. Courtesy of Veracode.)
Following their initial development, applications grow by about 40 percent annually. As applications age, security scans scrutinize what military operators call “target-rich environments,” including hard-to-find flaws.
To maintain a high level of application hygiene, it’s important to use various scan types to identify vulnerabilities, some of which are detectable by only one type of scan.
An Ounce of Prevention is Worth a Pound of Cure
Agencies must place a significant focus on securing software and applications.
Incorporating SBOMs, coupled with the move to address the fourth pillar of the zero-trust framework (the application pillar, as noted above) and a concerted effort to secure the supply chain, will allow agencies to have a more comprehensive security program in 2023 and beyond.
(BREAKING NEWS… Veracode recently launched Veracode Fix, a new AI-powered product. Trained on Veracode’s proprietary dataset, Veracode Fix suggests remediations for security flaws found in code and open-source dependencies. Courtesy of Veracode and YouTube.)
About the Author
Chris Wysopal is Co-Founder and Chief Technology Officer at Veracode, which pioneered the concept of using automated static binary analysis to discover vulnerabilities in software. He is a member of the executive team. Before Veracode, Chris was vice president of research and development at security consultancy @stake, which Symantec acquired.
In the 1990’s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on government security and how vulnerabilities are discovered in software.
Chris started his career as a software engineer that built commercial software and then migrated to the specialty of testing software for vulnerabilities.
He researched software security for the first vulnerability research think tank, L0pht Heavy Industries, from 1994-1999. He is one of the authors of L0phtCrack, the Windows password auditing program. He is the author of Netcat for Windows, an open source security tool.
Chris has led highly productive and innovative software development teams. He has performed product strategy and product management roles.
He is the author of “The Art of Software Security Testing” published by Addison-Wesley. Chris served on the Black Hat Review Board for ten years and is now a Black Hat Ambassador.
Chris is a much sought-after expert on cybersecurity. He has been interviewed for most major technology and business publications, including New York Times, The Washington Post, WSJ, Forbes, Fortune, AP, Reuters, Newsweek, Dark Reading, MIT Tech Review, Wired, and many networks, including BBC, CNN, ABC, CBS, CNBC, PBS, Bloomberg, Fox News, and NPR. He has keynoted cybersecurity and technical conferences on four continents.
GrammaTech Takes Platinum for Best SBOM Solution in 2022 ‘ASTORS’ Awards Program
American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now entering it’s Eighth Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.
Best SBOM (Software Bill of Materials) Solution
-
CodeSentry
-
Enterprise organizations are using hundreds of pre-packaged
commercial-off-the-shelf (COTS) business applications for communication, project management, productivity, billing, HR/payroll, ERP, CRM, BI, and more using open-source software components to innovate faster, accelerate time-to-market and lower development costs; however, research finds that 100% of widely used applications contained vulnerable open source components.
-
The security risk to organizations from a vulnerable software supply chain is high. Hackers are actively exploiting vulnerabilities in widely reused open-source libraries within applications, and they have already leveraged apps like Slack, Zoom, Microsoft Office.
-
While organizations have traditionally trusted software vendors to manage security risk associated with the applications they produce, the increasing frequency of software supply chain attacks is forcing enterprises to proactively address risk themselves.
-
GrammaTech CodeSentry quickly analyzes COTS applications to identify the use of open source components and detects any associated security vulnerabilities. CodeSentry generates standard format SBOMs (SPDX and CycloneDX), derives a proprietary security score, and detects zero-day and N-day vulnerabilities, even when source code is unavailable.
-
CodeSentry features an easy-to-use upload interface and multiple output formats that are accessible to IT, risk, and security professionals without programming experience. For high-security businesses and government agencies, CodeSentry is available as an on-premises solution. Others can use the scalable, Software-as-a-Service (SaaS) option.
-
GrammaTech has extensive experience conducting advanced research in application security for defense agencies including the DOD, DARPA, Army and Navy. CodeSentry originated from one of these advanced research projects. GrammaTech’s researchers developed highly complex algorithms that can identify all software components, including custom code, vendor libraries, third-party code, and OSS for software mapping and look-up and N-day and zero-day vulnerabilities. These algorithms work even when source code is unavailable.
(At least 90% of corporations use third-party software, and 95% of proprietary or custom software applications they create contain third-party components. To overcome this blind spot in assessing third-party software inventory and risk, CodeSentry allows security professionals to measure and manage the risk associated with open-source vulnerabilities in third-party software quickly and easily. Courtesy of GrammaTech and Youtube.)
-
*GrammaTech was also recognized in the 2021, and 2020 ‘ASTORS’ Homeland Security Awards Program.
The continually evolving ‘ASTORS’ Awards Program will highlight the trail of Accomplished Women in Leadership in 2023 and the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders. Because #MentorshipMatters.
So be on the lookout for exciting upcoming announcements of Speakers, Presenters, Book Signing Opportunities, and Attendees at the 2023 ‘ASTORS’ Awards Presentation Luncheon in November of 2023 in New York City!
Nominations are currently being accepted for the 2023 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.
Comprehensive List of Categories Include:
| Access Control/ Identification | Personal/Protective Equipment | Law Enforcement Counter Terrorism |
| Perimeter Barrier/ Deterrent System | Interagency Interdiction Operation | Cloud Computing/Storage Solution |
| Facial/IRIS Recognition | Body Worn Video Product | Cyber Security |
| Video Surveillance/VMS | Mobile Technology | Anti-Malware |
| Audio Analytics | Disaster Preparedness | ID Management |
| Thermal/Infrared Camera | Mass Notification System | Fire & Safety |
| Metal/Weapon Detection | Rescue Operations | Critical Infrastructure |
| License Plate Recognition | Detection Products | COVID Innovations |
| Workforce Management | Government Security Programs | And Many Others to Choose From! |
Don’t see a Direct Hit for your Product, Agency or Organization?
Submit your category recommendation for consideration to Michael Madsen, AST Publisher, at: mmadsen@americansecuritytoday.com.
Homeland Security remains at the forefront of our national conversation as we experience an immigration crisis along our southern border and crime rates that are dramatically higher than before the Pandemic across the United States.
These challenges have become a national priority with an influx of investments in innovative new technologies and systems.
Enter American Security Today, the #1 publication and media platform in the Government Security and Homeland Security fields, with a circulation of over 75,000 readers and many tens of thousands more who visit our AST website at www.americansecuritytoday.com each month.
The pinnacle of the Annual ‘ASTORS’ Awards Program is the Annual ‘ASTORS’ Awards Ceremony Luncheon Banquet, an exclusive, full-course plated meal event, in the heart of New York City.
The 2022 exclusive sold-out ‘ASTORS’ luncheon featured representatives of law enforcement, public safety, and industry leaders who came together to honor the selfless service of those who stand on the front lines and those who stand beside them – providing the capabilities and technologies to create a safer world for generations to come.
Last year marked the 20th anniversary of the Department of Homeland Security (DHS), which came out in force to discuss comprehensive collaborations between private and public sectors that have led to the development of intelligence and technologies which serve to protect our nation.
The keynote address was provided by U.S. Customs and Border Protection (CBP) Office of Field Operations (OFO) Deputy Executive Assistant Commissioner (DEAC) Diane Sabatino, who described the changes to CBP through the tragedy of 9/11 and the relentless commitment to its mission and ongoing investment in the latest technologies and innovations to protect our borders and Homeland.
The resounding theme of the DEAC’s remarks was her pride in the women and men of the CBP and their families who support them.
AST was also joined by Legendary Police Commissioner William Bratton, who spoke about his love for the City of New York, the Profession of law enforcement to which he has dedicated his life, and for which he continues to drive thought leadership and innovation.
New York City Police Department (NYPD) Chief of Department Kenneth Corey, came out to address Luncheon attendees and shared some of his experiences and the changes in policing he’s witnessed over his more than three decades of service.
FDNY Chief Joseph Jardin honored the men and women of the FDNY, not only those who currently serve but all of those who have selflessly served, with special recognition of those lost on 9/11.
Chief Jardin spoke about the continuing health battle of many following 9/11 with cancer and respiratory disease, yet now knowing the full consequences, would not have made a different decision to respond.
As Chief Jardin noted, mission-driven service is the lifeblood of every firefighter, volunteer, and sworn member, and has been so throughout the history of the Fire Service.
Former head of the FBI’s active shooter program, Katherine Schweit joined AST to sign complimentary copies of her book, ‘STOP THE KILLING: How to End the Mass Shooting Crisis, thanks to the generosity of our 2022 ‘ASTORS’ Awards Sponsors.
The 2022 ‘ASTORS’ Awards Program was Proudly Sponsored by NEC National Security Systems (NSS), ATI Systems, Automatic Systems of America, guardDog AI, Fortior Solutions, IPVideo Corporation, Rajant Corporation, RX Global, and SIMS Software!
We were pleased to welcome the esteemed New York City Fire Department (FDNY); the New York City Police Department (NYPD); and the NYC Hospital Police, as well as Executive Management from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and many other DHS agencies, Federal law enforcement agencies, and private/public partnerships such as the National Association of Women Law Enforcement Executives (NAWLEE), the 30×30 Initiative, a coalition of professionals advancing the representation of women in policing; and Operation Lifesaver, Inc. (OLI) (rail safety advocates).
The prestigious Annual ‘ASTORS’ Homeland Security Awards Program highlights the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition and keep our Nation safe – one facility, street, and city at a time.
In 2022 over 240 distinguished guests representing Federal, State, and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields.
Each year, to keep our communities safe and secure, security dealers, installers, integrators, and consultants, along with corporate, government, and law enforcement/first responder practitioners, convene in New York City to network, learn and evaluate the latest technologies and solutions from premier exhibiting brands at ISC East, the Natural Disaster & Emergency Management Expo (NDEM EXPO), and the ASIS NYC Expo.
ISC East is the Northeast’s leading security & public safety event, hosted in collaboration with sponsor Security Industry Association (SIA) and in partnership with ASIS NYC.
Corporate firms, the majority of which return year to year to build upon their Legacy of Wins, include:
Advanced Detection Technologies, AMAROK, ATI Systems, Axis Communications, Automatic Systems, BriefCam, Canon U.S.A., Cellbusters, CornellCookson, CyberArk Fortior Solutions, guardDog.ai, Hanwha Techwin of America, High Rise Escape Systems, IPVideo Corporation, Konica Minolta Business Solutions, NEC National Security Systems, NICE Public Safety, OnSolve, PureTech Systems, Quantum Corporation, Rave Mobile Safety, Regroup Mass Notification, Robotic Assistance Devices, Rajant Corporation, SafeLogic, Select Engineering Services LLC, Singlewire Software, SolarWinds Worldwide, Teledyne FLIR, Valor Systems, and West Virginia American Access Control Systems, just to name a few!
Why American Security Today?
The traditional security marketplace has long been covered by a host of publications putting forward the old-school basics to what is Today – a fast-changing security landscape.
American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State, and local levels of government as well as firms allied to the government.
American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.
Harness the Power of the Web – with our 100% Mobile Friendly Publications
AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals, in federal, state, local, and private security sectors.
‘PROTECTING OUR NATION, ONE CITY AT A TIME’
AST Reaches both Private & Public Experts, essential to meeting these new challenges.
Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture, and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.
These experts are from Government at the federal, state, and local levels as well as from private firms allied to the government.
AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website, and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.
AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.
Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.
To learn more, please see the 2022 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2022 ‘A Year in Review.’
The Annual CHAMPIONS edition reviews ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firm’s products and services, including video interviews and more.
The 2022 CHAMPIONS serves as your Go-To Source through the year for ‘The Best of 2022 Products and Services‘ endorsed by American Security Today – and can satisfy your agency’s and/or organization’s most pressing Homeland Security and Public Safety needs.
From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection, and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware, and Networking Security – to name a few), the 2022 ‘ASTORS’ CHAMPIONS EDITION has what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.
It also features guest editorial pieces from some of the security industry’s most respected leaders and recognized firms in the 2022 ‘ASTORS’ Awards Program.
For more information on All Things American Security Today, as well as the 2023 ‘ASTORS’ Awards Program, please contact Michael Madsen, AST Publisher at mmadsen@americansecuritytoday.com.
AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:
- Provides named sources
- Reported by more than one notable outlet
- Includes supporting video, direct statements, or photos
