State Department employing continuous automated testing in software development

0

The Bureau of Diplomatic Security at the State Department is working on establishing a continuous integration/continuous deliver (CI/CD) pipeline with security involved throughout the process of development, from the beginning to end. State Department cybersecurity experts are split into red and blue teams to collaborate and improve the agency’s security.

“On the blue team side we do a lot of work where we have created an artifact called a blue scorecard, where some of the applications that our system owners would like to be assessed and they have created metrics so that they can provide the system owners with a scorecard and then provide some findings based on vulnerabilities or misconfigurations that they have seen based on previous institutional knowledge as well as things that we see from industry,” said Manny Medrano, director of cybersecurity monitoring and operations at State Department on Federal Insights — Best Practices in Secure Software Development.

Meanwhile, red team testing may have similarities with penetration testing, but there is a specific difference between the two. Pen testing is a security assessment that focuses primarily on identifying and understanding strengths and weaknesses in a system. Red team testing at the State Department has a specific objective and is more time consuming as the process goes through multiple stages.

The State Department is working close with the Bureau of Information Resource Management (IRM) on the future of coding and automation, bringing in continuous pen testing, continuous vulnerability assessment and findings, and continuous remediation.

“Everything that we do, it has code and that’s extremely important. Even if we say low code, no code, there’s still code that is involved. The key is the configuration, and how much of that configuration or the coding is manual. That is the challenge that industry and government agencies have today. The more that it is automated and the more … code that is built by constant best practices and that is not modified by a human, then the better it is,” Medrano said.

With artificial intelligence growing as an essential tool in the cybersecurity space, Medrano is concerned, but embraces using it in their automated process solutions while still having human interactions validate the findings.

“We’re definitely learning as we go, we’re maturing as we go as well to make sure that we work with the industry to do pen testing for AI models. We’re engaging getting our SoC involved as well,” Medrano told the Federal Drive with Tom Temin. “AI is great, it definitely can become an enabler. To me, it’s not going to replace the human. It’s not. You still need that validation. And even our [chief information officer] continues to say that. Now, can it help us to automate and to streamline? Absolutely. And I’m all for that. So in my job right now, the office that I lead is to use AI as an enabler, but then also to build our capabilities to defend against bad AI models.”

The State Department is a diplomatic agency that holds building relationships at the highest regard. Medrano said while technology is not going to solve all the problems, relationships with developers and building trust will go a long way as part of the mission.

One thing that we have done is we have built relationships with a lot of our service providers. This is a team sport. So that means that we all have to work together. We engage with cloud service providers, also other providers, and then we work with them together to do any penetration testing. And that may well be [infrastructure-as-a-service, platform-as-a-service or software-as-a-service.] Between the SoC, red team, blue team and the engineering team, they’re all mixed. What we learned is they learn from each other and that brings that diversity in the different parts. I think that’s extremely important, especially in today’s complex world,” he said.

Copyright
© 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.


link

Leave a Reply

Your email address will not be published. Required fields are marked *