Fannie Mae continues to step up its security practices, a priority it set almost a decade ago.
Speaking at an Amazon Web Services Summit in Washington, D.C., on Thursday, Chita Elango, senior director of application security at Fannie Mae, said the government-sponsored enterprise will further decentralize security, which will improve risk management practices across the business.
The agency is doing this by leveraging AWS to build out a solution that correlates vulnerabilities across different services, thereby increasing the deployment of secure applications. Fannie has been using AWS for security purposes since 2019. Other speakers at the event included representatives from Freddie Mac, the Central Intelligence Agency and Deloitte.
Integrating security into the government-sponsored enterprises’ DevOps pipelines has been a lengthy journey, which first started in 2015. Around that time, Fannie hired a new Chief Information Security Officer, Christopher Porter, to be in charge of the security department.
“Like every other company, Fannie had gaps. It is not perfect, we were developing applications at a very fast pace but we weren’t concentrating on security,” Elango said. “Developers would complain that there are too many tools, too many vulnerabilities and [that they didn’t know what to prioritize.]”
In response to this, the agency launched a one-year course to train its developers — the majority of whom are contractors — to become “security champions.”
“We started training developers in the form of a classroom. There would be lectures and assignments and open office hours and they would come with questions,” she said. “I’m proud to say that we have around 300 developers who are security champions who are helping this cause.”
Actions to improve the security of Fannie’s applications are ongoing, with the enterprise conducting annual risk-based assessments, such as vulnerability scans, to make sure that security measures are solidly in place.
“We [work with] stakeholders where we do real simulations and if there are gaps we start fixing them,” Elango noted. “We also have vendors come in to perform external testing and some of this is unannounced [to find vulnerabilities.]”
The executive also added that its tech department is taking a modern, “shift-left” approach that makes security tooling directly available to developers, allowing them to find and remediate security issues earlier on in the application development lifecycle.
Ramon Richards, Fannie Mae’s chief information officer, emphasized earlier last year that cybersecurity would be a priority for the enterprise in 2023, along with moving some of the enterprise’s systems into the cloud.
“We’re focused on retiring our legacy assets. We don’t want to be in a place where we’ve done a lot of new cool things, but we have this technical debt, this legacy in place,” he said. “We’re very deliberate about retiring our legacy and we’ll continue to focus heavily on staying current with how cybersecurity is evolving.”
Fannie Mae’s ability to invest and modernize its technological capabilities contrasts with other housing agencies, such as the Department of Housing and Urban Development, which has been heavily criticized for its outdated information technology framework.
A recent report published by the Government Accountability Office flagged HUD’s management of its IT infrastructure and cybersecurity protocols as needing attention.
Part of this difference stems from the GSE’s having an increased budget to finance bigger modernization efforts than its counterparts.