As the cyber threat landscape evolves, adversaries are increasingly exploiting undisclosed vulnerabilities in the software supply chain. A single vulnerability in a supplier's software lets attackers move stealthily from one network to another. To counter this risk, the cybersecurity community must center its efforts on protecting the software development lifecycle.
Global initiatives to secure the supply chain
When it comes to software safety, developers bear the greatest responsibility. The Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA, investigated the events leading up to the SolarWinds attack and concluded that resources should go toward a set of best practices tailored to the needs of software developers.
In response to these findings, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) released Securing the Software Supply Chain for Developers, which helps developers achieve security through recommendations evaluated by both industry and government. The document compiles several existing guidelines written for developers.
The European Union has taken similar steps. The recently proposed EU Cyber Resilience Act aims to address the inadequate level of cybersecurity built into many products, and the inadequate security updates provided for such products and software.
Shift left is a burden, a survey finds
These government-led initiatives are needed because reports indicate that the so-called "shift left" approach to embedding security into the software development process has not lived up to its promise. For example, 60% of participants in a CloudBees survey reported that shift left is more of a burden than an enabler of security.
Shifting left, however, is only part of the picture. The same research found that roughly half of executives say their development teams spend too little time on what they believe should be the priority, because of compliance and security protocols (56%) and the security and compliance expertise those protocols demand (47%). Executives point to concerns about security (75%) and compliance (76%) in particular as impediments to innovation.
Shifting left is having a major effect on both product delivery and the developer experience. Most executives say their teams devote more than half of their time to managing risk and technical debt, and only around a third to innovation. Requiring developers to spend still more time on security and compliance therefore cuts into the time they have for work that actually delivers value.
Despite these results, most C-suite executives still favor a shift left approach that puts security and compliance in the hands of developers: 77% say they currently use a shift left security and compliance approach, and 83% consider it vital for their firm.
“These survey findings underscore the urgent need to transform the software security and compliance landscape. As DevOps matures, security and compliance have taken center stage as a source of significant friction,” said Prakash Sethuraman, Chief Information Security Officer at CloudBees. “While shift left is a popular talking point, it is not yielding the desired results. Instead, it is further burdening development teams and taking their attention away from value-added work. What’s needed is a new mindset and a fresh approach, one in which security and compliance are continuous and actually speed innovation.”
Shift left is dead. Long live shift left!
Today only around 30% of new code is written by businesses themselves; the rest of a typical application is built from open source components, and ecosystems, requirements and standards evolve rapidly. Factor in the growing number of testing tools developers are expected to use and the time and effort needed to make sense of the resulting alert noise, and it becomes clear that no single developer or small team of developers can keep up with everything that needs to be done. How are they to learn what to do in each situation, separate genuine problems from false positives, and set priorities?
The ultimate purpose of shift left remains the same: spotting issues early and correcting them before they slow down delivery or reach production. To realize its full potential, however, shift left needs a fresh perspective.
How can this be done?
- Security and compliance teams state clearly what they mean by "safe and secure," so that the language of their policies and procedures can be mapped onto automation.
- A system that checks the digital estate against those policies and regulatory requirements across the whole organization and software delivery lifecycle (SDLC), including production.
- Detection of threats and problems in the context of the SDLC, the application's risk profile, and the impact on the business's important services.
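The three points above, and the earlier question of how developers are to separate genuine problems from alert noise, can be made concrete in code. The following is an added example written for this page, not code from the article or from any vendor tool: a declared policy is expressed as data, a single gate checks SDLC evidence against it, and scanner findings are scored in the context of the application's risk profile so that only the ones that matter block the pipeline. The policy fields, the evidence format, the weights and the thresholds are all assumptions chosen for illustration, and the evidence itself is constructed rather than real scanner output.

```python
"""Policy-as-code gate over constructed SDLC evidence (added example).

The policy fields, evidence format, scores and thresholds below are
assumptions made for this illustration, not a standard or a product's API.
"""
from dataclasses import dataclass

# The plain-language policy ("what we mean by safe and secure") written as data,
# so it can be checked by automation instead of being read in a document.
POLICY = {
    "require_provenance": True,        # every build carries a provenance attestation
    "require_signed_artifacts": True,  # release artifacts must be signed
    "require_pinned_dependencies": True,
    "block_at": 20.0,   # prioritised score at which the pipeline is stopped
    "ticket_at": 5.0,   # score at which a tracked fix is required instead
}

SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}


@dataclass(frozen=True)
class AppProfile:
    """Risk profile of the application the evidence belongs to."""
    name: str
    tier: str            # assumed values: "critical-service" or "internal-tool"
    internet_facing: bool
    handles_pii: bool

    def impact_multiplier(self) -> float:
        # Business impact scales the same scanner finding up or down.
        m = 2.0 if self.tier == "critical-service" else 1.0
        if self.internet_facing:
            m *= 1.5
        if self.handles_pii:
            m *= 1.5
        return m


def check_controls(evidence: dict, policy: dict = POLICY) -> list[str]:
    """Return the policy's control requirements that the evidence fails."""
    violations = []
    if policy["require_provenance"] and not evidence.get("provenance_attestation"):
        violations.append("missing provenance attestation")
    if policy["require_signed_artifacts"] and not evidence.get("artifact_signed"):
        violations.append("artifact is not signed")
    if policy["require_pinned_dependencies"]:
        for dep in evidence.get("dependencies", []):
            if not dep.get("pinned"):
                violations.append(f"dependency {dep['name']} is not pinned")
    return violations


def triage_findings(findings: list[dict], profile: AppProfile,
                    policy: dict = POLICY) -> list[dict]:
    """Score each scanner finding in the context of the application's risk profile."""
    out = []
    for f in findings:
        score = SEVERITY_WEIGHT[f["severity"]] * profile.impact_multiplier()
        if not f.get("reachable", True):
            score *= 0.3   # vulnerable code the application never calls is mostly noise
        if score >= policy["block_at"]:
            disposition = "block"
        elif score >= policy["ticket_at"]:
            disposition = "ticket"
        else:
            disposition = "ignore"
        out.append({**f, "score": round(score, 1), "disposition": disposition})
    return sorted(out, key=lambda r: r["score"], reverse=True)


def evaluate(evidence: dict, profile: AppProfile, policy: dict = POLICY) -> dict:
    """One gate usable at any SDLC stage: build, deploy or running in production."""
    controls = check_controls(evidence, policy)
    findings = triage_findings(evidence.get("findings", []), profile, policy)
    blocking = [f["id"] for f in findings if f["disposition"] == "block"]
    return {
        "stage": evidence["stage"],
        "application": profile.name,
        "control_violations": controls,
        "findings": findings,
        "decision": "fail" if controls or blocking else "pass",
    }


# Constructed evidence for one build; not real attestation or scanner data.
EVIDENCE = {
    "stage": "build",
    "provenance_attestation": True,
    "artifact_signed": False,
    "dependencies": [
        {"name": "requests", "version": "2.31.0", "pinned": True},
        {"name": "pyyaml", "version": None, "pinned": False},
    ],
    "findings": [
        {"id": "F-1", "severity": "critical", "reachable": True, "component": "pyyaml"},
        {"id": "F-2", "severity": "high", "reachable": False, "component": "requests"},
        {"id": "F-3", "severity": "low", "reachable": True, "component": "app"},
    ],
}

if __name__ == "__main__":
    report = evaluate(EVIDENCE, AppProfile("payments-api", "critical-service", True, False))
    print(report["decision"], report["control_violations"])
    for f in report["findings"]:
        print(f["id"], f["severity"], f["score"], f["disposition"])
```

The same evidence evaluated for an internal tool that is neither internet-facing nor handling personal data still fails on the unsigned artifact and the unpinned dependency, because those are declared controls, but its critical finding drops from "block" to "ticket" and the unreachable high-severity finding is classified as noise. That is the point of the third item above: the scanner output is identical, and only the application's risk profile changes the developer's priorities.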
Businesses can make use of a handful of application security tools to take their posture one step closer to a full DevSecOps implementation.