‘Shift Left’ for better digital information security
Cyber incidents are becoming part of everyday news.
In September, a security breach at Australian mobile network operator Optus may have exposed about 10 million customer records, equivalent to roughly 40 percent of the Australian population. The breach is thought to have been caused by an exposed Application Programming Interface (API) that served customer data without proper authentication, similar to the 2016 "Comeleak" breach here at home.
Last year, a ransomware attack on the Colonial Pipeline disrupted delivery of fuel from the Gulf Coast to most of the eastern seaboard of the United States, affecting over 50 million people. The attackers got in with a leaked password for a virtual private network (VPN) account. The incident was deemed a national security threat and led US President Joe Biden to declare a state of emergency. It likely hastened the release of Executive Order No. 14028 on "Improving the Nation's Cybersecurity."
These major breaches, each traceable to a single weakness in software, hardware, APIs, or IT practices, can affect millions of people. Vulnerabilities are lurking in many systems, and malicious actors are working hard to find and exploit them. As more and more critical aspects of our daily lives are driven by information technology, the effects of breaches are becoming a national security concern. Even the best of today's cybersecurity solutions might not be enough if they are bolted on after the fact.
Cybersecurity practitioners have long been pushing for “shift left,” a practice where information security is no longer just an add-on after the solution has been built. Information security is factored in from the start, as early as the conceptualization phase of the IT system or service. If we look at the technology life cycle as a pipeline, we move information security to the left of the pipeline, at the front end of the pipe.
Shift left also assumes that information security is everybody's job. IT systems are secured by design and throughout the process down to retirement. Even user interface choices can affect the information security of a service. For example, a radio button or toggle that offers a fixed set of values is safer than a free-form text field, because it narrows what the system has to accept. The caveat is that the browser control is not the enforcement point: an attacker can submit any value directly to the server, so the server must still check the value against the same fixed list. When each layer applies information security, the whole system is more robust.
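As an added illustration (not code from the original column), the example below contrasts a free-form status field pasted into a database query with a server-side check that mirrors a two-option radio button. The ticket table, its rows and the "open"/"closed" values are constructed for the example and are assumptions, not anything the column describes.

```python
import sqlite3

# Constructed sample data: a tiny in-memory ticket table (assumption for this example).
ALLOWED_STATUS = {"open", "closed"}  # the two values a radio button would offer


def setup_db():
    """Create an in-memory SQLite table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, status TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [(1, "open", "public note"), (2, "closed", "internal only")],
    )
    return conn


def query_free_text(conn, status):
    """Free-form field interpolated into SQL: whatever was typed becomes part of the query.

    This is the weak pattern; a crafted value changes the WHERE clause.
    """
    sql = f"SELECT id FROM tickets WHERE status = '{status}'"
    return [row[0] for row in conn.execute(sql)]


def validate_choice(raw):
    """Server-side allow-list check that mirrors the radio button's fixed choices.

    The UI control only limits what a well-behaved browser sends; this check is
    what actually enforces the limit when the request comes from anywhere else.
    """
    if raw not in ALLOWED_STATUS:
        raise ValueError(f"unexpected status value: {raw!r}")
    return raw


def query_constrained(conn, raw_status):
    """Validate against the allow-list, then bind the value as a parameter."""
    status = validate_choice(raw_status)
    rows = conn.execute("SELECT id FROM tickets WHERE status = ?", (status,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    print(query_free_text(db, "open"))            # [1]
    print(query_free_text(db, "x' OR '1'='1"))    # [1, 2]: the crafted value widened the query
    print(query_constrained(db, "open"))          # [1]
    try:
        query_constrained(db, "x' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)                   # the allow-list check stops it
```

The free-text version returns both rows for the crafted input because the quote closes the string literal and the rest becomes SQL. The constrained version rejects the same input before it reaches the database, and also binds the value as a parameter so that even a value that passes the allow-list is never treated as query text.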
It is important to rethink how we write, maintain, and run software systems. Many basic practices can be shifted left to gain greater information security dividends for the same, or only marginally higher, investment. When shifting left, information security is embedded at the earliest stage, even before the IT system is in place.
For example, a government entity can require information security testing as part of the qualification criteria for a new online service. A startup company can apply DevSecOps (development, security, and operations) practices by running information security tests, such as static code analysis and dependency vulnerability checks, as gates in its DevOps pipeline so that a failing check blocks the release. A regular enterprise can provide information security awareness training to its employees, particularly those involved in planning and procurement.
I encourage you to take a quick look at your current information security practices and see what can be shifted left in your organization. You may be surprised at what can be gained. Nobody is safe until we are all safe.
William Emmanuel Yu, Ph.D.,
professor and researcher