All software is guilty until proven innocent

COMMENTARY | Agencies must embrace "shifting left," an approach that builds security into software from the beginning of the development lifecycle.

More than ever, government runs on software. Indeed, its reliance on software applications has expanded rapidly in recent years – and it will continue to grow. IT modernization enables agencies to deliver services in ways that are faster, more accurate and more efficient.

Yet digital government has challenges, chiefly in the realm of cybersecurity. Securing government software and software supply chains has emerged as a significant challenge for public-sector agencies. At times, the response to that challenge has yielded mediocre results. Compared to other industries, the public sector has the highest proportion of applications with security flaws (82%), according to Veracode’s State of Software Security: Public Sector report.

Maintaining a secure domain in the fast-changing cyber environment requires strengthening software security, beginning at the earliest stages of the software development lifecycle, an approach known as “shifting left.”

Traditional application development practices rarely emphasized security. Developers treated it as an enhancement, something applied at the end of the development process, an afterthought. Adopting a new mindset and tending to security concerns earlier in the software lifecycle is known as “shifting left.”

Moreover, comprehensive security requires a “zero trust” approach to networks, including code in the software supply chain. Applying zero trust principles to the software supply chain assumes that all software – whether commercial, third-party, or open source – is guilty until proven innocent.

To amplify and promote the benefits of this shift, the National Institute of Standards and Technology issued guidelines earlier this year aimed at helping agencies achieve application-level security. The Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e defines guidelines for federal agency staff with software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals, etc.). These guidelines teach federal workers how to access information from vendors that is needed to assess software producers’ secure software development practices.

Contemporary software development involves piecing together hundreds or thousands of open-source applications. Developers don’t write code so much as they assemble it. Developing secure software requires knowing the provenance of open-source code and testing it for vulnerabilities at every stage of the development process. In its guidance for strengthening software supply chain security, NIST recommends that developers use a common language around security requirements, agree on developers’ processes and procedures, and promote a wider view of how secure software development is performed, among other recommendations.

It is Only the Beginning

NIST’s guidelines are a beginning, not a destination. In some cases, proposed minimum recommendations will be insufficient. Nor do the guidelines replace more stringent requirements already in place for securing software development.

Full implementation of cybersecurity safeguards – from zero trust architecture to secure software supply chains – will take years. In reality, agencies will never vanquish cyber threats that mutate alongside evolving cyber environments. Government agencies can nonetheless take actions today to bolster cyber protections and promote advancement of major security initiatives, such as zero trust.

Training

Software developers in the workforce often lack training in the development of secure applications. For many of them, the formative years of their careers coincided with an era in which software security was an afterthought, if it was considered at all. Even today, computer science programs at many colleges and universities provide little or no training in secure software development. To close the skills gap, agencies should consider developing in-house programs for promoting cybersecurity.  

Culture

For years, software developers valued product functionality and short build times over software security. Developers often added security features to software after completion of the build, bolting on a layer of security the way a home builder wraps a sheath of Tyvek on a house after it has been framed. Changing the culture to elevate security is paramount. Agencies will know that they’ve succeeded in “shifting left” when developers raise issues of security at the outset of software development.

Process

The NIST guidelines promote conformity and predictability in the processes and procedures of developing and vetting software. Agencies can use the guidelines as a foundation to broadly revamp the way they secure software throughout its entire lifecycle. Secure software development practices should be integrated throughout software lifecycles to reduce vulnerabilities in released software and to minimize the exploitation of undetected or unaddressed vulnerabilities. Doing so addresses the root causes of vulnerabilities.

“Shifting left” affords developers the opportunity to more thoroughly vet open-source code used in applications and to amend security vulnerabilities at a stage of the process when doing so is relatively easy. Using these and other security measures at the beginning of the software development lifecycle mitigates the risk of vulnerabilities creeping into deployed software.

Testing

Insufficient software testing is the most preventable cause of application layer software security vulnerabilities. It is also rampant. Scanning applications throughout the software lifecycle – from conceptualization to deployment and continuing until decommissioning – eliminates the majority of vulnerabilities that lead to security breaches and catastrophic events, including data loss, ransomware attacks, and destruction of infrastructure. Acquiring and using tools designed to identify vulnerabilities requiring remediation is a proven means of mitigating risk.

Agencies Need Robust Capabilities

A single platform that lets developers test software throughout the development lifecycle offers numerous advantages, not least the ability to view comprehensive testing results without having to access multiple dashboards. A robust platform provides tools for static application security testing, dynamic application security testing, software composition analysis, manual penetration testing and more.
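The "guilty until proven innocent" stance described above, applied to the software composition analysis step, can be expressed as a default-deny build gate: every third-party component must carry a SHA-256 that matches an approved record, and must not fall below the fixed version of any known advisory, or the build fails. The script below is an added example, not code from the article or from Veracode; it reads a CycloneDX-style SBOM (the `bomFormat`, `components`, `hashes` fields are real CycloneDX names), while the package names, hashes, approved list and advisory records are all constructed for illustration and the advisory shape (`name`, `fixed_in`, `severity`) is an assumption.

```python
"""Default-deny SCA gate over a CycloneDX-style SBOM (added example, constructed data)."""
import json
from dataclasses import dataclass

# Constructed SBOM: four components, one without any hash at all.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-json", "version": "2.4.1",
         "purl": "pkg:pypi/example-json@2.4.1",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "example-http", "version": "1.0.3",
         "purl": "pkg:pypi/example-http@1.0.3",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "example-yaml", "version": "5.1.0",
         "purl": "pkg:pypi/example-yaml@5.1.0",
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},
        {"type": "library", "name": "example-utils", "version": "0.9.0",
         "purl": "pkg:pypi/example-utils@0.9.0"},
    ],
})

# Constructed provenance record: "name@version" -> SHA-256 approved after review.
# example-yaml was approved with a different digest than the SBOM reports.
APPROVED_HASHES = {
    "example-json@2.4.1": "a" * 64,
    "example-http@1.0.3": "b" * 64,
    "example-yaml@5.1.0": "d" * 64,
}

# Constructed advisory feed (hypothetical identifier and shape).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-http",
     "fixed_in": "1.0.4", "severity": "high"},
]


@dataclass(frozen=True)
class Finding:
    component: str  # "name@version"
    kind: str       # "vulnerable" | "hash-mismatch" | "unattested"
    detail: str


def version_key(version: str) -> tuple:
    """Order dotted numeric versions (sufficient for the constructed data)."""
    return tuple(int(part) for part in version.split("."))


def evaluate_sbom(sbom_json: str, approved: dict, advisories: list) -> list:
    """Return one Finding per failed check; an empty list means every component proved innocent."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        ident = f"{name}@{version}"
        sha256 = next((h["content"].lower() for h in comp.get("hashes", [])
                       if h.get("alg") == "SHA-256"), None)
        expected = approved.get(ident)
        # Provenance: a component with no approved digest, or no digest at all, is not trusted.
        if expected is None:
            findings.append(Finding(ident, "unattested", "no approved SHA-256 on record"))
        elif sha256 is None:
            findings.append(Finding(ident, "unattested", "SBOM carries no SHA-256 for component"))
        elif sha256 != expected.lower():
            findings.append(Finding(ident, "hash-mismatch",
                                    f"expected {expected[:12]}..., SBOM has {sha256[:12]}..."))
        # Known vulnerabilities: anything below the fixed version is flagged.
        for adv in advisories:
            if adv["name"] == name and version_key(version) < version_key(adv["fixed_in"]):
                findings.append(Finding(ident, "vulnerable",
                                        f"{adv['id']} ({adv['severity']}), fixed in {adv['fixed_in']}"))
    return findings


def build_passes(findings: list) -> bool:
    """Default deny: any unresolved finding blocks the release."""
    return len(findings) == 0


if __name__ == "__main__":
    results = evaluate_sbom(SBOM_JSON, APPROVED_HASHES, ADVISORIES)
    for f in results:
        print(f"{f.kind:14} {f.component:24} {f.detail}")
    print("BUILD PASSES" if build_passes(results) else "BUILD BLOCKED")
```

Run as a CI step, the script exits with findings for the vulnerable, mismatched and unattested components while the fully attested one passes silently; clearing the gate means updating the vulnerable package and getting the other two through the same review that produced the approved-hash record, rather than loosening the check.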

Act now to nip cybersecurity vulnerabilities in the bud; when it comes to cybersecurity, all software is guilty until proven innocent.

Chris Wysopal is the founder and chief technology officer of Veracode.
