By Douglas Kinloch, VP of Business Development, PACE Anti-Piracy
The expression “shift left” is rapidly becoming mainstream in discussions about IT and Software security, but what does it actually mean? To most, it’s the principle of thinking about security earlier in the planning stage for any system or network, or in the designing and development of software applications.
But is it far enough?
Endpoint security has been the be-all and end-all of network security for many years and yet we still see issues, from Log4J and Supply Chain attacks to Mobile Apps as an attack surface compromising supposedly secure API. The question for vendors and their customers is simple: are the burgeoning billions of endpoints, driven by the IoT revolution, able to be secured, even if we all “Shift Left”?
I mean, if this was possible it would have been achieved by now, and security consultants & red teamers could retire?
“Shift Left” is in danger of becoming a buzzword, much as “End Point” did 20 years ago. In software development, it is clear that the idea of moving security awareness from traditionally the last thing considered before shipping, to something every developer understands, can implement, and can act accordingly has to be a good thing.
Part of the problem we see in the technology space today, from Automotive and Health IoT to Cloud Services and AI/ML, has been the assumption that every component can be trusted to have been developed securely within organizations and their supply chains of dozens of vendors. It’s clear that in the parade of multiple Agile Developers, (DevOps, ITOps, MLOps, DataOps, ModelOps, AIOps, SecOps, DevSecOps and who knows how many other “xxxxxOps”) blind trust has been relied upon as a business process.
“Zero Trust” is another buzzword that may travel hand-in-hand with Shift Left, which makes some sense, but as many are beginning to point out there is no single Zero Trust silver bullet, it’s a process. As a process, it needs to be the default setting of any designer of any system relying on IT networks, connectivity, or software.
The foundational issue, however, goes back to the individual “endpoints” themselves.
This correspondent has been accused of being a professional paranoiac while working in the Mobile Security and Mobile Fintech space, and the accusation is fair. I would suggest that what we need is far more to be similarly lacking in trust and doubtful about all the marketing and other hype.
So how should developers and analysts begin to think about answering the challenge?
- Secure coding so vulnerabilities aren’t created in the first place
- Use programming languages that are not inherently insecure (to run on platforms that can’t be secured)
- Security review & source code scanning of applications before finalization
However, we have to assume every connected 5G IoT device, Medical Device or Smart Phone is accessible to attackers. If they can reach it, they will begin to understand the Applications running on the device and use these as an attack surface for the application itself, or worse (via APIs) the network with which it communicates. This problem is magnified many times in Smart Phones by the simple existence of App Stores – anyone can download apps before they reach the intended devices.
Securing the compiled applications is ever more important.
The bullets above are fairly standard and are (thankfully) now entering the mainstream as awareness grows of Zero Trust and Shift Left, but there is another process that is missing…..
Application Protection, sometimes known as RASP (Runtime Application Software Protection), is a technique that can protect application, and any security-sensitive code, such that the good work done in the three bullets above can’t be undone by attackers using Static and Dynamic Analysis (or decrypt tools) to understand and compromise applications by re-inserting whole new vulnerabilities.
This protection is applied during the development phase, before DevOps or DevSecOps groups need to become involved, or better still with these skills evident in the development team.
The assumption that compiled app code will be accessed, and that attackers have the tools and skills changes the security calculus completely.
Zero Trust means just that and developers protecting their code understand that the actual end-point is not the device, or even the application within that device, but is the source code on the developers’ machine – before it’s even compiled.
So when you decide to Shift Left, as we did, ask yourself, “how far?”
About the Author
Doug Kinloch is VP of Business Development for PACE Anti-Piracy Inc. . Doug Kinloch is VP of Business Development, Europe and Director of PACE AP Europe Ltd, managing the local company and working as part of the overall PACE Business team. A veteran of the Scottish Tech and Start-up scene, he has over a decade of experience working to market innovative Software Security as applied to Financial Services, Digital ID and Content Protection, including managing relationships with the international and local Card Schemes and major banks.