GovLoop

Why Government Must Revolutionize End-to-End Application Security

Business colleagues working together on a computer in an office.

Federal agencies face difficult challenges: cyberattacks, mobile access, data center consolidation, cloud deployments, complex application environments and constantly increasing network traffic. At the heart of it all, budget constraints demand smart, affordable solutions that make government systems more secure, resilient and flexible.

Applications are one way that governments are rising to the occasion. This rapid increase in government applications has created significant benefits for the public sector. New applications help agencies better meet constituent demands for streamlined, multichannel experiences, without requiring costly hardware replacements. They can also be developed to provide employees with innovative digital tools to do their jobs more efficiently.

“There’s no doubt: The government has heartily embraced digital transformation,” said Michael Plante, Vice President of Product Marketing in the Shape product group at F5. “And applications are a central part of this critical era in government.”

But as software applications transform government, they also expand its potential attack surface and increase the potential for fraud and abuse, particularly phishing attacks.

There is a reason attackers use phishing: It works. After 10 security awareness training events, organizations saw their employee click-through rate on phishing emails fall from 33% to 13%. But that also means that even after extensive training, employees will still click a phishing email 13% of the time.

When a phishing attack successfully installs malware, that malware is going to phone home over encrypted ports 54% of the time during the lull season and up to 68% during the peak U.S. holiday shopping season. If organizations are not unencrypting and inspecting traffic, there is a good chance malware is running undetected on their networks.

Attackers are also opportunistic. Given that we are still in the midst of a pandemic, agencies should be on high alert for phishing attacks against employees and people who interact with their applications. Psychological attacks that prey on fear and anxiety and target people seeking health information or the status of financial transactions and essential supply orders can exponentially increase during a time of crisis.

The Solution: A Modern Application Protection Platform to Prevent Fraud and Abuse

Anti-distributed denial-of-service (DDoS) solutions protect application infrastructure from being overwhelmed by volumetric denial-of-service attacks. And web application firewalls protect against injection flaws, cross-site scripting, known software vulnerabilities and the other attacks on the Open Web Application Security Project’s Top 10 risks list. But to stop credential stuffing, account takeover, fraudulent account creation and other invisible impersonation attacks against web and mobile applications, agencies need an additional defensive layer.

That defensive layer must be able to uncover the lies that attackers tell in response to three basic questions: 1. Are you human? 2. Are you good or bad? 3. Are you who you say you are?

The most accurate and effective solutions leverage highly sophisticated cloud-based analytics to discern good traffic from bad. Doing so dramatically reduces the time and resources agencies need to deploy world-class online fraud and abuse protection.

This shift must expand to include how criminals attack applications today — and an acknowledgment that this is different from how they attacked IT infrastructure in the past, Plante said.

To address this problem, modern technology solutions must bring new capabilities, such as artificial intelligence (AI), to bear, he said.

A modern application security platform must be able to maintain public trust by ensuring that sensitive data stored in accounts, including personally identifiable and benefits information, is safe. It needs to meet accessibility requirements, enabling universal access. Finally, it must be able to use AI so it can autonomously evolve ahead of attackers and provide actionable threat intelligence and security consultations.

This article is an excerpt from GovLoop’s recent report, “Why Government Must Revolutionize End-to-End Application Security.” Download the full report here.

Exit mobile version