“Shifting left” is the practice of taking a security task that traditionally occurs in the later stages of the software development process and performing it earlier. The concept is particularly timely given the fact sheet released by the Biden Administration, which warns of a likely rise in cyberattacks. It recommends building application security into products from the ground up and using modern tools to monitor consistently for potential vulnerabilities.
To that end, Claire recommends that CIOs and CTOs look toward adopting agile workforces and development processes, breaking security steps into smaller pieces that can be quickly folded into applications while they are still under development. Consider, for example, how the dynamic analysis of vulnerabilities (that is, security testing) has to change.
“The threat has shifted. We can’t rely on just a penetration test before a product goes into production and then once a year after that,” Claire says. “Domestic and foreign entities are constantly looking for vulnerabilities, and a scan is only as good as the date and time you completed it – no more.”
From Claire’s perspective, the evolution of IT security can be summed up as “trust but verify.” When creating the foundations for information exchange and connectivity, for example, access must be granted based upon identity. That’s trust.
When Claire took her position with the State of Arkansas, its networks needed to account for the “transport layer” of how the state office operated with its more rural counterparts, such as DMVs. The challenge was to ensure that those two points were communicating effectively and securely.
The mechanisms for securing networks and data were initially developed in a structured, point-to-point framework with dedicated network rooms and telephone lines – configurations that supported easily secured paths of communication.
Now consider how the rise of cellphones changed everything. New questions arose:
- How do we create a dedicated secure network?
- How do we do this with wireless, multi-use connectivity lines and shared infrastructure?
- How do we ensure this newly expanded perimeter is secure and that we’ll know when breaches occur?
These questions ultimately formed the foundation for network security.
“Because of the increasingly sophisticated spoofing and phishing attempts, we can’t take a linear approach anymore,” Claire says. “This puts an entity at extreme risk. We must shift the way we think about our cybersecurity programs and implement the right checks and balances.”
In the early 2000s, Claire recalls, “The State of Arkansas was wide open. There was no security. I was tasked with leading the project team to put the infrastructure in place. We had only six weeks, but we did it by identifying infrastructure at risk and implementing a secure architecture.”
The team succeeded by overcoming technical challenges and naysayers, including some team members who made bets on how long the firewall she installed would remain up. Skeptics thought the firewall would slow down the network and make its removal necessary. However, that security infrastructure remains in place today.
“The journey of security has evolved,” Claire says. “In today’s world, it isn’t just about identifying the infrastructure at risk, it is about identifying all of your vulnerabilities. Your software and application development environments are, and should always be, at the top of every CIO, CTO, and CISO’s list. Shifting left to address software security while code is written is how we keep up.”
Stay tuned for part four of the blog series to learn Claire’s CIO-specific advice on the future of software security.
Don’t forget to check out part one and part two if you haven’t done so already!