Narrowing of the attack threshold for parliamentary applications
Cybersecurity and application development
Finland
Use case ID: 045
Author: Parliament of Finland
Date: 1 July 2024
Objective:
Narrow the attack threshold for parliamentary applications by using automated static application security testing (SAST) to ensure the quality of developers’ application code and to detect potential security gaps in the source code.
Actors:
- Software vendor’s developers
- Parliamentary IT office staff
- Artificial intelligence (AI)-powered SAST tool
Prerequisites:
- SAST licences acquired, application installed, and access to the product for developers
- SAST check configured as mandatory
- All SAST tool requirements (e.g. for organization, projects, main branches, code quality and metrics) met
- SAST tool forming an integral part of the everyday coding process, and familiar to and desired by developers
- A designated resource for checking that corrections are made in line with the SAST tool's findings and are then revalidated
Scenario:
- The software developer opens the SAST tool from a specific address.
- The software developer logs into a specific organization with the given credentials.
- The SAST tool analyses the code as the developer works with each new commit and warns of any code quality and security issues based on their type and severity.
- The software developer fixes the problems in code quality and/or security issues and revalidates.
- When the intended coding task is completed, the software developer logs out of the tool.
Alternate flows:
- All new or changed lines are considered new code. Note that when existing code is modified, old problems in it may surface. These are also prioritized, because in this way the entire codebase is gradually cleaned up with little extra effort.
Expected results:
- Applications are more secure, with fewer security holes exposing the organization to attacks.
- Coding is more efficient and code quality is improved.
- A new policy is implemented, through which the organization improves the reliability of its software development process.
Potential challenges:
- Gaps in the definitions of tool presets
- Excessive reliance by software developers on the SAST tool’s detection ability, which could lead to the software product having security flaws that the SAST could not warn about
- Slow-down in the software development process while developers are not yet used to the tool
Data requirements:
- To analyse the new code, the SAST tool needs a reference point, which can be either a previous version number or a point in time.
Integrations with other systems:
- Coding platform
- SAST system
- Multi-factor authentication (MFA)
Success metrics:
- Did the amount of software code per sprint increase as the project progressed?
- How many vulnerabilities are there in the code during a sprint?
- How many critical vulnerabilities per sprint?
- Has a successful security audit been carried out by a trusted third party?