Best practices for implementing secure legislative management systems

The legacy skills gap has been a creeping issue in recent years as key staff retire. Organizations are looking to upgrade, save costs and improve their systems. However, with a continued escalation in cybercrime, it is essential that your state is upgrading its system with the right security controls from the get-go. Indeed, security must be a core attribute of your entire delivery chain, not just implemented at the point of system implementation and integration. Focusing on security aspects of the running software is important, however without securing the delivery chain producing the software or system, you have potential entry points for malicious actors to exploit.

It is critical that a robust security practice is carried out to cover this full lifecycle, with frequent reviews and evaluation of the process and related systems as a whole.

Practically, this means looking at things like:

  • Controlling and monitoring access to source code
  • Source code analysis
  • Dependency monitoring – ensuring all third-party dependencies in your software are patched and up to date.
  • Implementing a code review process
  • Controlling and monitoring access to deployed environments
  • Vulnerability scanning
  • Establishing a process for updating systems

Without securing the delivery chain producing the software or system, you have potential entry points for malicious actors to exploit.

1. Controlling and monitoring access to source code

Very few people actually need the ability to update source code directly. Evaluating who has access to modify the primary copy of source code is an important exercise to ensure access is granted according to true business need rather than convenience. Fewer people with direct access means fewer opportunities for social engineering attacks, account hijacking, etc.

2. Source code analysis

Leverage tools like SonarQube to continuously scan source code to identify known security issues or insecure programming patterns while the software is being built. These tools typically have access to large databases of known vulnerabilities and can give reports on code security against vulnerabilities your team might not even be aware of.

3. Dependency monitoring

All software uses third-party packages or libraries in some shape or form. Often these packages are outside the scope of your own development process, meaning another approach is needed to ensure that those packages are up to date and not vulnerable to attack. Tools like GitHub Dependabot scan the public package registries and known vulnerability databases to notify you of any known security issues affecting your dependencies, with advice on how to mitigate or upgrade as appropriate.

4. Implementing a code review process with automated quality and security checks

Code review is a must-have for building any enterprise software solution. Code review ensures multiple sets of eyes have reviewed a code change and evaluated the use of best practices as well as consistency, optimization, and overall quality. Integrating automated code analysis and dependency monitoring into this process gives a real-time view of how a change could impact the security standing of the software before the change is even approved.

5. Controlling and monitoring access to deployed environments

Once your software has been deployed, it is critical to ensure that access to the deployed environments is limited to those with a clear business need, and that the appropriate level of access is granted according to that business need. All access to environments should be monitored for review and/or reporting at a later date if required. Access should also be reviewed on a regular basis to ensure the provisioned access controls continue to be appropriate and accurate.

6. Vulnerability scanning and monitoring

Once environments have been provisioned, a process needs to be established for monitoring the infrastructure to ensure it maintains a strong security standing. This involves keeping packages patched and up to date, monitoring activity on the infrastructure, and monitoring configuration to ensure alignment with internal and external standards such as CIS benchmarks. This process should be automated to ensure consistency and accuracy, and only require human intervention to review and action any findings.

7. Implementing a patching policy and process

Without a clear process for updating and patching systems, you run the risk of missing updates or applying updates inconsistently. It is important to outline up-front what your patching process is and ensure awareness across the team responsible for managing the systems in question.

Protecting legislative data into the future

Against an ever-evolving cyber landscape, modernizing legislative management systems can be a minefield particularly in the current hiring climate where the expertise is so in-demand. Talk to us about what our managed service option can do for your organization.