Filling a Gap in Federal DevSecOps

Keeping your entire organization focused on security with one data visualization tool.

As shown by recent security breaches such as the Solarwinds hack and the ransomware attack on the Colonial Pipeline, effectively managing security vulnerabilities is important and difficult. But security is increasingly a distributed responsibility in modern application development environments. So how can government CIOs and IT managers take advantage of DevSecOps pipelines while staying ahead of vulnerabilities?

Leveraging an off-the-shelf visualization tool that almost every government agency owns (Microsoft Power BI), TCG created a low-cost security dashboard to help agencies’ IT teams obtain a clear and comprehensive view of a security environment and track progress on remediation efforts.

The Security Vulnerability Dashboard created by TCG pulls data from the security monitoring software used by the agency, and structures the data so that those responsible can quickly identify and take action on vulnerabilities. The dashboard features:

  • Automated updating and syncing of information. The dashboard is updated in real-time.
  • View the entire history of vulnerabilities and remediation efforts.
  • Customizable mapping and filtering. Filter vulnerabilities based on the division responsible for them and mapped according to host names and the applications they affect.
  • Clear visualizations of vulnerabilities. Track vulnerability trends and identify recurring issues.

Screenshot of the Security Vulnerability Dashboard

Currently, most government agencies split responsibility for IT between application, operations, security, and program management teams. To address security vulnerabilities requires effective sharing of information about available patches and alerts. IT leaders must minimize the time and cost it takes to identify a vulnerability, share that information with individuals who can quickly act upon it, and perform the necessary work to remediate the issue.

Daily security scans produce volumes of data, usually in CSV files, often making fragile spreadsheets a default approach for reporting and tracking information on vulnerabilities. While commercial tools are available to consolidate all of this information, they are often costly and difficult to install in government without significant overhead. Without these tools, the raw data from security scans is unwieldy and time consuming to structure and communicate, resulting in a remediation process that is slow and disjointed. This leads to several problems:

  • Stakeholders may not become aware of key vulnerabilities for too long
  • The responsible individual from each division or department must pore over all of the data with little ability to filter out what is irrelevant to their group.
  • Gaining an accurate global picture of vulnerabilities across the organization and what actions have been taken to address them is difficult when tracking vulnerabilities.
  • The history of vulnerabilities and remediation efforts can be buried across daily reports.

Tenable, the market leader in security vulnerability scanning, provides dashboards for reporting security vulnerabilities and tracking remediation efforts. However, it requires each individual accessing them to have their own license. This means that creating transparency throughout the organization around security risks is costly, or that organizations must sacrifice transparency because they cannot afford the licenses for these tools.

This dashboard originated to meet the needs of a specific team in effectively structuring the vulnerability data they received from daily Tenable scans and faced with the aforementioned challenges. It can be easily shared among and beyond DevSecOps participants, each of whom has the ability to filter information relevant to them. As a result, the dashboard is now used throughout the organization, and can be deployed for other agencies, using tools they already own.

This work represents one way to create the transparency and speed needed to address vulnerabilities in a collaborative environment.