
CISA’s zero trust maturity model is a rallying cry for modern web application security


Increasingly sophisticated cyber attacks against federal agencies underscore the urgent need to improve federal cybersecurity. To help with this, CISA released the Zero Trust Maturity Model to help agencies implement the Zero Trust Architecture (ZTA) – and modern AppSec solutions are a crucial part of that effort.


What is the CISA Zero Trust Maturity Model?

In direct response to Executive Order 14028, Improving the Nation’s Cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance on zero trust architecture. CISA urges agencies to develop cybersecurity plans based on zero trust concepts: preventing unauthorized access to data and services, and making access control enforcement as granular as possible. The newly released CISA Zero Trust Maturity Model aims to help agencies design their ZTA implementation plans.

ZTA, as defined by the National Institute of Standards and Technology (NIST), is “an enterprise cybersecurity plan that uses zero trust concepts and encompasses component relationships, workflow planning, and access policies.” The federal government faces a number of challenges in transitioning to ZTA, the most obvious being that legacy systems rely on implicit trust, which conflicts with the adaptive, continuously evaluated trust inherent in ZTA.

This guidance from CISA is the latest to highlight a larger theme for agencies: as everything moves to the cloud, the need to test and secure everything – including a growing number of web applications – has become paramount. Traditional or legacy approaches that focus on the network layer are no longer sufficient to deal with current cyber threats.

A deeper dive into pillar 4: application workload

The fourth pillar of the document specifically describes traditional, advanced, and optimal approaches to functions such as threat protection, application security, and governance capability.

Traditional approaches to threat protection and application security are described as those that are not integrated into application workflows and where the agency performs application security testing prior to deployment, primarily through static and manual testing methods.

In an optimal approach, by contrast, the agency deeply integrates threat protections into application workflows, making application security testing a central aspect of the development and deployment process, including regular automated testing of production applications. The document also calls for continuous and dynamic monitoring of application health and security, as well as granular testing policies and reporting to strengthen critical governance capabilities.

A call to action for modern web application security

In each of these cases, the push for the optimal approach to securing application workloads is a clear call for the level of orchestration, automation, and governance that only modern web application security testing solutions can provide.

CISA says, “Continuous integration and continuous deployment models that incorporate testing and security verification at every stage of the process can help provide assurance on deployed applications.” From this, it is clear that modern AppSec requires the ability to shift left and integrate into the Software Development Lifecycle (SDLC), bringing security into development as early as possible.

But agencies cannot stop there. CISA continues, “This methodology can be applied across the entire application lifecycle to include health and security monitoring, by external and internal means, of deployed applications, including every component of an application’s workflow.” When shifting left, agencies cannot lose sight of the big picture. This section advocates regular scanning and renewed automated testing to cover the large attack surface that remains exposed on the right (staging and production applications).

Why modern AppSec is the only way forward for agencies

Although at first glance a relatively small part of the recent ZTA guidance, web application security will have a disproportionate impact on the ability of agencies to deliver compliant applications at scale. The more than 1.9 billion web applications in use today can carry serious vulnerabilities that put government agencies at risk, and no application is unimportant.

As agencies around the world move towards a cloud-centric environment where data and functionality can be accessed from anywhere, it is essential that they have modern solutions that provide full visibility into every website and every application. Modern vulnerability scanning approaches such as Invicti’s DAST and IAST solutions can help agencies continuously discover and mitigate security risks across all of their web applications.

Supported by modern web application security testing solutions, agencies will be able to meet the latest ZTA guidelines and, in doing so, help improve federal cybersecurity and keep public information and critical infrastructure secure.


Lindsey Stalnaker
Federal Marketing Manager

Lindsey Stalnaker is the Federal Marketing Director for Invicti Security, the company behind Acunetix and Netsparker. A marketing professional for nearly a decade, she specializes in digital marketing, content creation and event management for the public sector.
