Page 118 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Are We Shifting Left Enough?
By Douglas Kinloch, VP of Business Development, PACE Anti-Piracy
The expression “Shift Left” is rapidly becoming mainstream in discussions about IT and software security,
but what does it actually mean? To most, it is the principle of considering security earlier: in the planning
stage of any system or network, or in the design and development of software applications.
But is it far enough?
Endpoint security has been the be-all and end-all of network security for many years, and yet we still see
issues, from Log4j and supply-chain attacks to mobile apps being used as an attack surface to compromise
supposedly secure APIs. The question for vendors and their customers is simple: can the burgeoning
billions of endpoints, driven by the IoT revolution, actually be secured, even if we all “Shift Left”?
If it were possible, it would surely have been achieved by now, and security consultants and red teamers
could retire.
“Shift Left” is in danger of becoming a buzzword, much as “Endpoint” did 20 years ago. In software
development, it is clear that moving security from the last thing considered before shipping to
something every developer understands, can implement, and can act on has to be a good thing.
Part of the problem we see across the technology space today, from automotive and health IoT to cloud
services and AI/ML, has been the assumption that every component can be trusted to have been
developed securely, both within organizations and across supply chains of dozens of vendors. It is clear that
in the parade of Agile practices (DevOps, ITOps, MLOps, DataOps, ModelOps, AIOps, SecOps,
DevSecOps and who knows how many other “xxxxxOps”), blind trust has been relied upon as a business
process.
“Zero Trust” is another buzzword that may travel hand in hand with Shift Left, which makes some sense,
but as many are beginning to point out, there is no single Zero Trust silver bullet; it is a process. As a
process, it needs to be the default setting for any designer of any system that relies on IT networks,
connectivity, or software.
The foundational issue, however, goes back to the individual “endpoints” themselves.
This correspondent has been accused of being a professional paranoiac while working in the mobile
security and mobile fintech space, and the accusation is fair. I would suggest that what we need is far
more people who are similarly lacking in trust, and similarly doubtful of all the marketing and other hype.
So how should developers and analysts begin to think about answering the challenge?