According to the article, the Web applications being developed for government agencies and entities are less secure than those being developed in private enterprises. In my post, I looked at some of the reasons why they’re less secure and also discussed ways the government could correct the issue.
While I was authoring that post, I started thinking about the systems in use at government agencies in general. Many of these legacy systems were developed years ago and hosted within the agency in dedicated datacenters.
Many of these legacy applications aren’t documented properly. Over time, the programmers who initially developed the applications move on. When it comes to testing and improving the security of these systems, this causes some roadblocks.
With the actual developers gone and the systems poorly documented, a significant amount of additional work is needed to find vulnerabilities and patch them. The cost to investigate, recode, and fully test these programs can be quite high and in some cases cost prohibitive.
But the additional cost of legacy systems doesn’t end at security and testing. Because of the same issue with documentation and missing developers, the cost to maintain legacy systems is very high. In addition, many of these systems are hosted using dedicated and expensive datacenter resources.
That’s a huge, annual cost to the federal government over time, and there are many of these systems across the federal government landscape.
To help to eliminate these expensive and antiquated legacy systems, many government agencies are working to create replacement applications that utilize open-source software and are developed, tested and ultimately hosted in the cloud.
However, this can create some addition security challenges.
In addition to the issues I discussed in my previous post, many developers in the federal government simply don’t conduct the rigid security testing needed during the entire lifecycle of the application development process. Depending on the technical capabilities of the government information system security officer, these steps may or may not be enforced.
As we discussed, the federal government has a huge target on its back do to the sensitive information that it stores and the many enemies that it has. Legacy systems remain a huge cost and security liability for agencies. However, as they look to move forward from their legacy systems and begin to develop new applications, they need to be sure that their security testing is strict and constantly occurring during the entire development lifecycle.