The U.S. government spends $100 billion a year on IT, most of which is dedicated to operating and maintaining existing systems and security.
Despite the generous budget, the federal government consistently falls victim to significant breaches — especially in the software supply chain. Earlier this year, Cl0p ransomware group exploited three critical vulnerabilities in Progress’ MOVEit Transfer and MOVEit Cloud Platforms, leading to 17.5 million individuals and over 200 organizations experiencing a data breach. Several U.S. agencies were impacted, including the Department of Energy, Department of Agriculture, and Department of Health and Human Services.
The government plays a critical role in paving the way for security standards, so when it experiences a cybersecurity incident, it can lead to small-to-medium businesses questioning how they can ever keep themselves safe. And, unfortunately, the public sector is the number 1 target for most threat groups.
To combat today’s sophisticated threat landscape and prevent future software supply chain attacks like Moveit, the federal government does not necessarily need to allocate more spending. Instead, I want to challenge federal software developers and cybersecurity professionals to shift their mindset left of the popular shift-left mentality.
The Open-Source Elephant in the Room
For a long time, developers and security teams came to the agreement that “shifting left” was the best way to prevent software supply chain compromises. Shifting left meant security evaluations were conducted earlier in the development process — often before any code is actually written.
The problem is that developers are not writing as much of their own code anymore. Software now consists of up to 90 percent of open-source and third-party components. As a result, many developers cannot answer the question, “what’s in your software?” Security teams are then left in the dark, unknowingly dealing with potentially faulty software that doesn’t come to light until a breach occurs.
The open-source elephant in the room requires a paradigm shift in approaching security in the development process to combat today’s software supply chain attacks, called “shifting left of shift left.”
How to Effectively Shift Left of Shift Left
While shift left primarily focuses on early testing and quality assurance, shifting left of shift left extends this concept further by incorporating enhanced collaboration, automation, and continuous improvement throughout the entire software development lifecycle.
The need for a more nuanced approach to software security is needed, one that goes beyond addressing surface-level vulnerabilities. By embracing proactive measures and truly understanding what’s in your software, we can fortify the foundation of the software that powers our digital world.
Here’s how federal agencies can effectively shift left to shift left:
Understanding Risks Beyond Vulnerabilities – Ensuring that developers and security professionals understand the risks that lay hidden within the software is the first step and recognizing that vulnerabilities are only one dimension of risks. Inherent risks deep in the software supply chain can have serious consequences. Having the tools to identify inherent risks is critical.
Select Foundational Tools – Shifting left of shift left begins with choosing the right foundational tools to assess open-source software components. Approximately 95% of open-source vulnerabilities are found in open-source code packages that are not selected by software developers and are indirectly pulled into projects. Having the right tools in place to assess open-source components can identify these issues before threat actors.
Prioritize Security in Development Tools – Prioritizing security begins with development tools. I would encourage developers to opt for secure programming languages, frameworks, and libraries to ensure that security is integrated from the ground up.
Implement Real-Time Solutions – To shift left of shift left, developers need more than just a testing mechanism; they need a real-time security solution consistently assessing code. This solution should provide continuous protection from when code is written, checked in, and throughout the entire development process.
Developer Training – Developers play a very important role in the shift left of shift left process. Understanding pain points, signs of issues, and implications of their decisions on the overall security posture can help alleviate tensions with security team members and create secure code from the start.
Continuous Security Assessments – Security doesn’t end when the software goes live. Following development, organizations should have tools in place to conduct ongoing evaluations of code. This helps in the timely identification and remediation of vulnerabilities and enhances the overall security of the software.
Government agencies need to work smarter, not harder, when it comes to preventing software supply chain attacks. Without the right mindset, all of the resources in the world will not prevent adversaries from gaining the upper hand. By shifting left of the shift left mentality, developers and security teams will be in a much better position to identify and remediate vulnerabilities in software components throughout the entire software development lifecycle.
The author, Nick Mistry, is SVP and CISO at Lineaje