Best Practices for Implementing Secure Legislative Management Systems

Greg Chapple
Chief Technology Officer
November 18, 2022

The legacy skills gap has been a creeping issue in recent years as key staff retire. Organizations are looking to upgrade, save costs and improve their systems. However, with a continued escalation in cybercrime, it is essential that your state is upgrading its system with the right security controls from the get-go. Indeed, security must be a core attribute of your entire delivery chain, not just implemented at the point of system implementation and integration. Focusing on security aspects of the running software is important, however without securing the delivery chain producing the software or system, you have potential entry points for malicious actors to exploit.

It is critical that a robust security practice is carried out to cover this full lifecycle, with frequent reviews and evaluation of the process and related systems as a whole.

Practically, this means looking at things like:

Controlling and monitoring access to source code
Source code analysis
Dependency monitoring – ensuring all third-party dependencies in your software are patched and up to date.
Implementing a code review process
Controlling and monitoring access to deployed environments
Vulnerability scanning
Establishing a process for updating systems

Without securing the delivery chain producing the software or system, you have potential entry points for malicious actors to exploit.

1. Controlling and monitoring access to source code

Very few people actually need the ability to update source code directly. Evaluating who has access to modify the primary copy of source code is an important exercise to ensure access is granted according to true business need rather than convenience. Fewer people with direct access means fewer opportunities for social engineering attacks, account hijacking, etc.

2. Source code analysis

Leverage tools like SonarQube to continuously scan source code to identify known security issues or insecure programming patterns while the software is being built. These tools typically have access to large databases of known vulnerabilities and can give reports on code security against vulnerabilities your team might not even be aware of.

3. Dependency monitoring

All software uses third-party packages or libraries in some shape or form. Often these packages are outside the scope of your own development process, meaning another approach is needed to ensure that those packages are up to date and not vulnerable to attack. Tools like GitHub Dependabot scan the public package registries and known vulnerability databases to notify you of any known security issues affecting your dependencies, with advice on how to mitigate or upgrade as appropriate.

4. Implementing a code review process with automated quality and security checks

Code review is a must-have for building any enterprise software solution. Code review ensures multiple sets of eyes have reviewed a code change and evaluated the use of best practices as well as consistency, optimization, and overall quality. Integrating automated code analysis and dependency monitoring into this process gives a real-time view of how a change could impact the security standing of the software before the change is even approved.

5. Controlling and monitoring access to deployed environments

Once your software has been deployed, it is critical to ensure that access to the deployed environments is limited to those with a clear business need, and that the appropriate level of access is granted according to that business need. All access to environments should be monitored for review and/or reporting at a later date if required. Access should also be reviewed on a regular basis to ensure the provisioned access controls continue to be appropriate and accurate.

6. Vulnerability scanning and monitoring

Once environments have been provisioned, a process needs to be established for monitoring the infrastructure to ensure it maintains a strong security standing. This involves keeping packages patched and up to date, monitoring activity on the infrastructure, and monitoring configuration to ensure alignment with internal and external standards such as CIS benchmarks. This process should be automated to ensure consistency and accuracy, and only require human intervention to review and action any findings.

7. Implementing a patching policy and process

Without a clear process for updating and patching systems, you run the risk of missing updates or applying updates inconsistently. It is important to outline up-front what your patching process is and ensure awareness across the team responsible for managing the systems in question.

Protecting legislative data into the future

Against an ever-evolving cyber landscape, modernizing legislative management systems can be a minefield particularly in the current hiring climate where the expertise is so in-demand. Talk to us about what our managed service option can do for your organization.

Cookie	Duration	Description
__widgetsettings	Persistent	This cookie is set by Twitter – The cookie allows the visitor to share content from the website on to their Twitter profile.
_gat	session	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
YSC	.	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
lang		This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
timezone		This cookie is used to store the time preferences of a user.

Cookie	Duration	Description
_exposure_session	2 weeks	This cookie is set to help display embedded brochure from exposure.co, publishing platform for photographers and visual storytellers.
1P_JAR	4 weeks	This cookie is used to stores information about how the user uses the website, recent searches or any other interactions with advertisements before visiting the website. This information is used to provide the users with personalized advertisments..
ANID	2 years
IDE	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user’s interest and display personalized ads to the users.
VISITOR_INFO1_LIVE	65 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
GPS	30 mins	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location.

Best Practices for Implementing Secure Legislative Management Systems