All software is guilty until proven innocent
COMMENTARY | Agencies must embrace "shifting left," an approach that takes securing software in mind at the beginning of the development lifecycle.
More than ever, government runs on software. Indeed, its reliance on software applications has expanded rapidly in recent years – and it will continue to grow. IT modernization enables agencies to deliver services in ways that are faster, more accurate and more efficient.
Yet digital government has challenges, chiefly in the realm of cybersecurity. Securing government software and software supply chains has emerged as a significant challenge for public-sector agencies. At times, the response to that challenge has yielded mediocre results. Compared to other industries, the public sector has the highest proportion of applications with security flaws (82%), according to Veracode’s State of Software Security: Public Sector report.
Maintaining a secure domain in the fast-changing cyber environment requires strengthening software security, beginning at the earliest stages of the software development lifecycle, an approach known as “shifting left.”
Traditional application development practices rarely emphasized security. Developers treated it as an enhancement, something applied at the end of the development process, an afterthought. Adopting a new mindset and tending to security concerns earlier in the software lifecycle is known as “shifting left.”
Moreover, comprehensive security requires a “zero trust” approach to networks, including code in the software supply chain. Applying zero trust principles to the software supply chain assumes that all software – whether commercial, third-party, or open source – is guilty until proven innocent.
To amplify and promote the benefits of this shift, the National Institute of Standards and Technology issued guidelines earlier this year aimed at helping agencies achieve application-level security. The Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e defines guidelines for federal agency staff with software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals, etc.). These guidelines teach federal workers how to access information from vendors that is needed to assess software producers’ secure software development practices.
Contemporary software development involves piecing together hundreds or thousands of open-source applications. Developers don’t write code so much as they assemble it. Developing secure software requires knowing the provenance of open-source code and testing it for vulnerabilities at every stage of the development process. In its guidance for strengthening software supply chain security, NIST recommends that developers use a common language around security requirements, agree on developers’ processes and procedures, and promote a wider view of how secure software development is performed, among other recommendations.
It is Only the Beginning
NIST’s guidelines are a beginning, not a destination. In some cases, proposed minimum recommendations will be insufficient. Nor do the guidelines replace more stringent requirements already in place for securing software development.
Full implementation of cybersecurity safeguards – from zero trust architecture to secure software supply chains – will take years. In reality, agencies will never vanquish cyber threats that mutate alongside evolving cyber environments. Government agencies can nonetheless take actions today to bolster cyber protections and promote advancement of major security initiatives, such as zero trust.
Training
Software developers in the workforce often lack training in the development of secure applications. For many of them, the formative years of their careers coincided with an era in which software security was an afterthought, if it was considered at all. Even today, computer science programs at many colleges and universities provide little or no training in secure software development. To close the skills gap, agencies should consider developing in-house programs for promoting cybersecurity.
Culture
For years, software developers valued product functionality and short build times over software security. Developers often added security features to software after completion of the build, bolting on a layer of security the way a home builder wraps a sheath of Tyvek on a house after it has been framed. Changing the culture to elevate security is paramount. Agencies will know that they’ve succeeded in “shifting left” when developers raise issues of security at the outset of software development.
Process
The NIST guidelines promote conformity and predictability in the processes and procedures of developing and vetting software. Agencies can use the guidelines as a foundation to broadly revamp the way they secure software throughout its entire lifecycle. Secure software development practices should be integrated throughout software lifecycles to reduce vulnerabilities in released software and to minimize the exploitation of undetected or unaddressed vulnerabilities. Doing so addresses the root causes of vulnerabilities.
“Shifting left” affords developers the opportunity to more thoroughly vet open-source code used in applications and to amend security vulnerabilities at a stage of the process when doing so is relatively easy. Using these and other security measures at the beginning of the software development lifecycle mitigates the risk of vulnerabilities creeping into deployed software.
Testing
Insufficient software testing is the most preventable cause of application layer software security vulnerabilities. It is also rampant. Scanning applications throughout the software lifecycle – from conceptualization to deployment and continuing until decommissioning – eliminates the majority of vulnerabilities that lead to security breaches and catastrophic events, including data loss, ransomware attacks, and destruction of infrastructure. Acquiring and using tools designed to identify vulnerabilities requiring remediation is a proven means of mitigating risk.
Agencies Need Robust Capabilities
A single platform will help developers test software throughout the development lifecycle to include numerous advantages, not least of which is an ability to view comprehensive testing results without having to access multiple dashboards. A robust platform provides tools for doing static application security testing, dynamic application security testing, software composition analysis, manual penetration testing and others.
Act now to nip cybersecurity vulnerabilities in the bud; when it comes to cybersecurity, all software is guilty until proven innocent.
Chris Wysopal is the founder and chief technology officer of Veracode.