Veracode Helps California State Government Improve Time to Market and Integrate Security Into its SDLC
Veracode enables California Department of Technology to expand AppSec across its SDLC to meet regulatory requirements and increase consumer confidence.
The Challenge
CDT needed an AppSec vendor to unify its security processes across its scrum teams and help it deploy new software in a timely and predictable manner. If CDT misses a release deadline, the value of the new software plummets, even if the product is of higher quality. A good example is the California wildfires. CDT needed to create software to show where the fires were coming from – as well as areas susceptible to fires – to help with food, water, shelter, and other basic needs for residents and their livestock. In the case of this application, if it wasn’t released on time, the health and wellbeing of citizens would have been negatively impacted.
Another concern for CDT was its ability to meet regulatory requirements. California has some of the strictest security regulations in North America – for example, the state adopted NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, as its security standard. Without a comprehensive AppSec program that included the required security assessments and supporting processes, CDT could face strict penalties or employee termination.
The Solution
California has approximately 500 state agencies, all of which need a standardized application security solution. CDT was the first California state agency to create an AppSec program, so it needed to find a vendor that could support all of the agencies. This meant the AppSec solution needed to be easy to implement, maintain, and scale. CDT believed Veracode met all of these needs while also ensuring rapid deployments and compliance with regulatory requirements.
CDT started by implementing Veracode Static Analysis and leveraging its IDE Scan. The IDE Scan is important to CDT because it helps developers write secure code in the development phase, avoiding costly rework from code errors identified in production.
CDT was also quick to take advantage of Veracode’s integrations and automation in the continuous integration (CI)/continuous delivery (CD) pipeline. Veracode ships with more than 30 out-of-the-box integrations, plus APIs and code samples.
The Results
Since selecting Veracode, CDT has realized many positive outcomes. The CDT team explained that Veracode has been very hands-on, providing all of the resources needed to be successful. Cost avoidance has been one of the major advantages. With the amount of sensitive data housed by a government agency like CDT, it could have endured a very costly data breach.
Veracode’s solution is cloud-based, meaning CDT was able to start scanning its code right away. All CDT had to do was create a username and log in. Because the solution is cloud-based, CDT no longer has to pay additional employees to maintain scanning servers. And not only is CDT happy with the lack of server maintenance, employees are too. They are now able to help with more critical and strategic tasks, which has improved employee morale and reduced turnover.

CDT developers were also quick to recognize benefits. With the IDE Scan, developers are improving their secure coding practices and reducing rework. The cost savings from reduced rework have been substantial. In fact, a single change management action used to take countless hours and cost around $100,000 per hour. Now, developers can see code errors before the code is pushed out.
Secure coding practices have also resulted in faster time to market for new software deployments. Scott Gregory, Chief Technology Innovation Officer at CDT, stated in a recent GitHub article, “In the past, we’ve had residents that were relying on tools to know whether or not they have electricity, things at the very basic levels related to health and public safety.” So faster deployment time is a huge win.
Developers are scanning more applications and remediating more vulnerabilities (460 vulnerabilities at the last count). This is because the application security scans are integrated into their existing tools and processes. That means developers can quickly and easily scan applications and, using a flaw classification list provided by Veracode, remediate vulnerabilities. Prior to using Veracode, developers at CDT scanned code for security in a more ad hoc fashion and at later stages of the development cycle, which was both time-consuming and complex.
The future is bright at CDT. Security professionals, a traditionally overworked role, are able to concentrate more on compliance and less on training developers to write secure code. Most importantly, CDT has created a proven process that other California government agencies can leverage to build a secure SDLC. In fact, CDT would like to become the center of excellence for other agencies looking to implement an AppSec program. Its goal is 90 percent adoption of the technology, in every agency, state-wide. If every agency in California is able to implement Veracode’s AppSec solutions, the state’s applications will be more secure, innovation will increase, and software releases will be substantially faster.
About California Department of Technology (CDT)
California Department of Technology (CDT) manages an important subset of software deployed for the State of California. One of its main responsibilities is maintaining the www.ca.gov site which acts as a portal for anyone looking to interact with government program support in California, including the state’s 39 million residents and 65 million annual visitors. The program support ranges from applying for a grant for student aid or for a business license to accessing food stamps and citizenship resources. Needless to say, it’s vital that the site is user friendly, responsive, and – most importantly – secure.