The Office of Management and Budget (OMB) released a memorandum on August 10, 2021, in response to Executive Order (EO) 14028, Improving the Nation’s Cybersecurity. The EO recognizes the importance of software security to protect against malicious cyber attacks that threaten the American people’s security and privacy.
The memorandum provides instructions agencies must implement in phases, in an effort to meet the goals of the EO. Agencies now have 60 days to identify 12 types of critical software that they are using on-premises or are in the process of acquiring for on-premise use.
Once agencies identify those software installations, the OMB is giving them 12 months to implement the latest software protections outlined by the National Institute of Standards and Technology (NIST) on July 8, 2021. NIST issued Security Measures for “EO-critical Software” to rapidly identify, document, and mitigate known vulnerabilities (e.g., patching, updating, upgrading software to supported version) to continuously reduce exposure time.
Scanning and testing web applications is not new but many vulnerability management processes have become antiquated leading to long software release cycles. As demonstrated by recent ransomware hacks and breaches, agencies are left vulnerable when cybersecurity best practices are ignored in an effort to expedite the release of applications. The most common tools to address application vulnerability management are outlined under NIST 800.53 SA-11 guidelines which specifically call for dynamic application security testing (DAST) and interactive application security testing (IAST) platforms.
Modern DAST & IAST platforms optimize software release cycles and security compliance for on-premise web applications by:
- Leveraging auto-discovery mechanisms to ensure that all assets are identified, scanned, and protected.
- Automatically validating vulnerabilities through proof-of-exploit technologies.
- Integrating into software development life cycles (SDLC) for remediation of vulnerabilities within existing workflows and improved collaboration between AppSec and DevOps teams.
The federal government’s ability to perform its critical functions depends on the security of its software. It is therefore imperative that agencies utilize modern web application security tools to protect against today’s sophisticated malicious cybercampaigns. Invicti’s DAST & IAST solutions can help agencies continually diagnose and mitigate security for all web applications, as recommended by NIST 800.53 SA-11 and mandated by the OMB memo.
When supported by best-of-breed web application security testing solutions, agencies will be able to meet the new regulatory requirements and ensure the security of public information and critical infrastructure without compromises.
Get the latest content on web security
in your inbox each week.