
Narrowing of the attack threshold for parliamentary applications

Finland

Use case ID: 045

Author: Parliament of Finland

Date: 1 July 2024

Objective:

Narrow the attack threshold for parliamentary applications by using automated static application security testing (SAST) to ensure the quality of developers’ application code and to detect potential security gaps in the source code.

Actors:

  • Software vendor’s developers
  • Parliamentary IT office staff
  • Artificial intelligence (AI)-powered SAST tool

Prerequisites:

  • SAST licences acquired, application installed, and access to the product for developers
  • SAST check configured as mandatory
  • All SAST tool requirements (e.g. for organization, projects, main branches, code quality and metrics) met
  • SAST tool forming an integral part of the everyday coding process, and familiar to and desired by developers
  • A resource for checking that corrections are made according to the results produced by the SAST tool and revalidated

Scenario:

  1. The software developer opens the SAST tool from a specific address.
  2. The software developer logs into a specific organization with the given credentials.
  3. The SAST tool analyses the code as the developer works with each new commit and warns of any code quality and security issues based on their type and severity.
  4. The software developer fixes the code quality problems and/or security issues and revalidates.
  5. When the intended coding task is completed, the software developer logs out of the tool.

Alternate flows:

  • All new or changed lines are considered new code. Note that when existing code is modified, old problems in those lines may surface. These are also prioritized, because in this way the entire codebase is gradually cleaned up with little effort.

Expected results:

  • Applications are more secure, with fewer security holes exposing the organization to attacks.
  • Coding is more efficient and code quality is improved.
  • A new policy is implemented, through which the organization improves the reliability of its software development process.

Potential challenges:

  • Gaps in the definitions of tool presets
  • Excessive reliance by software developers on the SAST tool’s detection ability, which could lead to the software product having security flaws that the SAST could not warn about
  • Slow-down in the software development process if the developer is unfamiliar with the tool

Data requirements:

  • To analyse the new code, the SAST needs a reference point, which can be either a previous version number or a timestamp.
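As an added example (not the Parliament of Finland's or the IPU's own code), the Python script below shows how the "new code" rule in the alternate flow and the reference point in the data requirements work together: lines added or changed relative to the reference version are read from a unified diff, SAST findings are kept only where they fall on those lines and ordered by severity, and the mandatory check blocks the commit on critical or high findings. The diff, the findings, the file names and the severity levels are constructed sample data.

```python
import re

# Constructed sample: unified diff of one commit against the reference point (the previous release); its added lines are the "new code".
SAMPLE_DIFF = """\
diff --git a/app/login.py b/app/login.py
--- a/app/login.py
+++ b/app/login.py
@@ -10,4 +10,5 @@
 def login(user, pw):
-    query = "SELECT * FROM users WHERE name='" + user + "'"
+    query = "SELECT * FROM users WHERE name='%s'" % user
+    log.debug(query)
     return db.execute(query)
"""

# Constructed sample SAST report: one old finding on an untouched file, two findings on the changed lines.
SAMPLE_FINDINGS = [
    {"file": "app/login.py", "line": 11, "severity": "critical", "rule": "sql-injection"},
    {"file": "app/login.py", "line": 12, "severity": "low", "rule": "sensitive-log"},
    {"file": "app/legacy.py", "line": 40, "severity": "high", "rule": "weak-hash"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def new_code_lines(diff_text):
    """Return the set of (file, line) pairs that are added or changed in the new version."""
    new = set()
    current_file, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                      # path of the file in the new version
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
        elif (m := HUNK_RE.match(raw)):                 # hunk header: first line number in the new file
            line_no = int(m.group(1))
        elif raw.startswith("-"):                       # removed line: occupies no line in the new file
            continue
        elif current_file and raw.startswith("+"):      # added or changed line: this is "new code"
            new.add((current_file, line_no))
            line_no += 1
        elif current_file and not raw.startswith("diff "):
            line_no += 1                                # unchanged context line
    return new

def gate(findings, diff_text, fail_on=("critical", "high")):
    """Keep findings on new code, most severe first; block the commit if any severity is in fail_on."""
    new = new_code_lines(diff_text)
    on_new = sorted((f for f in findings if (f["file"], f["line"]) in new),
                    key=lambda f: SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)))
    return on_new, any(f["severity"] in fail_on for f in on_new)
```

The finding on the untouched legacy file is left out of the gate, matching the alternate flow: it is only picked up once those lines are modified.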

Integrations with other systems:

  • Coding platform
  • SAST system
  • Multi-factor authentication (MFA)

Success metrics:

  • Did the amount of software code per sprint increase as the project progressed?
  • How many vulnerabilities are there in the code during a sprint?
  • How many critical vulnerabilities per sprint?
  • Has a successful security audit been carried out by a trusted third party?


The Use cases for AI in parliaments collection is published by the IPU’s Centre for Innovation in Parliament as part of the Parliamentary Data Science Hub’s project to create guidelines for AI governance in parliaments.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International licence. It may be freely shared and reused with acknowledgement of the author and the IPU.

A use case describes how a system should work. It is used to plan, develop and measure implementation. A use case is not the same as a case study, which is a descriptive text of an actual project’s implementation. Please note that this use case is provided “as is” and neither the IPU nor the author accepts any responsibility for its use.

For more information about the IPU’s work on artificial intelligence, please visit www.ipu.org/AI or contact [email protected]