The effect of President Biden’s security order on web application vendors

Do you want to sell your web applications to US government agencies? We have bad news and good news. The bad news is: President Biden just made it more difficult for you. The good news is: Acunetix® can make it much easier.

The SolarWinds breach reminded the US government that everything is connected. In the real world, your security is not just about you. If a business builds a web application, its security depends on the security of every partner that business has. That means every library that is used and every piece of software that the application is built on.

All these things are interconnected, and a security failure in one can ultimately have consequences for the product that is being delivered. As a result of this realization, and with the scale tipped by the recent Colonial Pipeline attack, President Biden has instructed government agencies to prioritize their cybersecurity, including the cybersecurity of every piece of third-party software and hardware that they use.

Executive Order on Improving the Nation’s Cybersecurity

On May 12, the White House published a new presidential order called the Executive Order on Improving the Nation’s Cybersecurity. This order imposes very strict expectations on all US federal government agencies. In most cases, agencies have only 60 days (until July 11, 2021) to build and document new processes and procedures.

These procedures are going to make it more difficult for software creators to be selected as third-party suppliers. Basically, you will have to meet very strict cybersecurity standards if you want to sell anything to the US government. And you will have to be able to prove it.

“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

An amazing opportunity for you

As part of this executive order, government agencies will also have to reevaluate their current IT solutions. This means that many legacy solutions will not meet the required cybersecurity standards and will have to be replaced soon.

“Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector.”

This presents an amazing opportunity for application creators, especially creators of web applications, to differentiate themselves from competitors by providing proactive and strong proof that their web applications meet stringent security standards.

“The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.”

This is where Acunetix comes in.

How to beat your competitors

The federal government is aware that vulnerabilities are one of the most common entry points in the case of security breaches. They are also aware that there are automated tools, such as Acunetix, that can help find and eliminate such vulnerabilities.

“Within 90 days of publication (…) the Secretary of Commerce acting through the Director of NIST (…) shall issue guidance identifying practices that enhance the security of the software supply chain. (…) Such guidance shall include standards, procedures, or criteria regarding: (…) employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.”

President Biden’s guidelines clearly state that government agencies are expected to require their providers (you) to employ automated tools that check for known and potential vulnerabilities. In the case of web vulnerabilities, this obviously means a web vulnerability scanner. The guidelines also clearly favor tools that can run regularly, such as Acunetix, which is designed to be integrated into the SDLC and therefore protects your software as early as possible, not just at the required minimum of prior to product, version, or update release.

“The Federal Government shall employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities (…).”

How to gain an advantage with Acunetix

You may ask: why Acunetix in particular? What edge do I get with Acunetix over my competitors who may be using other products?

Here are some arguments:

  • Acunetix is the first and most established web vulnerability scanner on the market. Product history and stability are important evaluation factors for government agencies.
  • Acunetix is provided by Invicti, a specialized US-based company that focuses fully on web application security, unlike most of its competitors.

At the moment, Acunetix provides you with several compliance reports suitable for federal agencies, including:

  • NIST Special Publication 800-53 report, which covers the recommended security controls for Federal Information Systems and Organizations.
  • DISA STIG Web Security report – the Security Technical Implementation Guide (STIG) is a configuration guide for computer software and hardware defined by the Defense Information Systems Agency (DISA), which is part of the United States Department of Defense.

Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.

*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: