‘Shift Left’ for better digital information security | Inquirer Opinion

‘Shift Left’ for better digital information security

/ 05:01 AM December 15, 2022

Cyber incidents are becoming part of everyday news.

In September, a security breach at Australian mobile network operator, Optus, possibly exposed 10 million customer records, equivalent to 40 percent of the Australian population. This was thought to have been caused by a leaky Application Programming Interface (API), similar to the 2016 “Comeleak” breach here at home.

Last year, a ransomware attack on the Colonial Pipeline disrupted delivery of fuel supplies from the gulf coast to most of the eastern seaboard of the United States, affecting over 50 million people. The incident, which was caused by exploited leaked virtual private network (VPN) credentials, was deemed a national security threat, and led US President Joe Biden to declare a state of emergency. It likely led to the quick release of Executive Order No. 14028 on “Improving the Nation’s Cybersecurity.”

Article continues after this advertisement

These major breaches, which could be the result of a single weakness in software, hardware, APIs, or IT practices, can affect millions of people. Vulnerabilities are lurking in many systems, and malicious actors are working hard to find and exploit them. As more and more critical aspects of our daily lives are driven by information technology, the effects of breaches are becoming a national security concern. Even the best of today’s cybersecurity solutions might not be enough.

FEATURED STORIES

Cybersecurity practitioners have long been pushing for “shift left,” a practice where information security is no longer just an add-on after the solution has been built. Information security is factored in from the start, as early as the conceptualization phase of the IT system or service. If we look at the technology life cycle as a pipeline, we move information security to the left of the pipeline, at the front end of the pipe.

Shift left also assumes that information security is everybody’s job. IT systems are secured by design and throughout the process down to retirement. Even user interface choices can affect the information security of a service. For example, a radio button or toggle is more secure than a free-form text field. When each layer applies information security, the whole system is more robust.

Article continues after this advertisement

It is important to rethink how we write, maintain, and run software systems. There are many basic practices that can be shifted left to gain greater information security dividends, with the same or marginally incremental amount of investment. When shifting left, information security is embedded at the early stage, even before the IT system is in place.

Article continues after this advertisement

For example, a government entity can require information security testing to be part of the qualification criteria for a new online service. A startup company can apply DevSecOps (development, security, and operations) practices when writing its code by putting information security testing as part of their DevOps pipelines. A regular enterprise can provide information security awareness training to its employees, particularly those involved in planning and procurement.

Article continues after this advertisement

I encourage you to take a quick look at your current information security practices and see what can be shifted left in your organization. You may be surprised at what can be gained. Nobody is safe until we are all safe.

William Emmanuel Yu, Ph.D.,

Article continues after this advertisement

professor and researcher

Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to our daily newsletter

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

TAGS: digital information technologies

Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to our newsletter!

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

© Copyright 1997-2024 INQUIRER.net | All Rights Reserved

This is an information message

We use cookies to enhance your experience. By continuing, you agree to our use of cookies. Learn more here.