Rethinking 'secure by design' amid slippery SecOps shifts
An expert discusses the fallout from a CISA report that raised doubts about the last decade's DevSecOps trend, and where the industry goes from here.
An October report by a federal cybersecurity advisory group might upend everything the industry thinks it knows about the secure-by-design concept and DevSecOps.
The report to the director of the Cybersecurity and Infrastructure Security Agency (CISA) was delivered Oct. 11 by a subcommittee researching secure-by-design principles. Secure by design refers to ways companies can prioritize security as a core business requirement and eliminate as many vulnerabilities as possible in the software design phase. The adjacent term shift left has been used by DevSecOps proponents to refer to pushing security tasks and responsibilities into the development stages of software delivery. CISA worked with more than 17 domestic and international partners to create secure-by-design guidance, and some 200 software manufacturers have pledged to make measurable progress toward implementing secure-by-design principles.
However, last month's CISA report reached two unexpected conclusions: First, there isn't a sound data basis for an often-cited idea that vulnerabilities are 100 times more expensive to fix in production than at the beginning of the software lifecycle; and second, there's no evidence that consumers abandon products due to security quality issues.
"Primarily, the subcommittee discovered that there is often no empirical evidence to substantiate some of its long-held security beliefs," the report concluded.
For veteran cybersecurity expert Adrian Sanabria, principal researcher at The Defenders Initiative, the report's conclusions validated some of his skepticism about secure-by-design approaches.
"Something I think we've had to come to reckon with in cybersecurity is that it is not the most important thing," Sanabria told TechTarget Editorial's Beth Pariseau in an episode of IT Ops Query Season 2: The State of SecOps.
"I think a lot of people still strongly, emotionally believe that cybersecurity should be everyone's top priority," said Sanabria, who also hosts the Enterprise Security Weekly podcast. "[That] it should be the business's top priority -- and it's not even close."
So if cybersecurity doesn't save money by shifting left and doesn't cost money in lost business after a breach, what incentives do businesses have to improve security practices?
"A lot less than we thought they did," Sanabria said. But regulations to protect consumer privacy such as Europe's GDPR and the U.S. government's rules holding business executives personally accountable for violations of data privacy regulations and cybersecurity compliance requirements still provide some motivation, he said.
While shift left might not be as broadly applicable as once thought, developers, site reliability engineers and security pros must collaborate closely and share expertise, he said.
Sanabria expects that the emergence of cloud-native technologies such as container orchestration will organically improve cybersecurity by making IT infrastructure resources impermanent and immutable.
"If my infrastructure is ephemeral and I detect an attack, then I can just destroy and replace it rather than trying to fix every single vulnerability that I might have in my environment," he said.
Instead of slowing the software delivery process by expecting developers to become secure-by-design experts, organizations should rethink their approach to penetration testing and incident response exercises, and take steps to improve their visibility into production infrastructure to detect and mitigate cybersecurity attacks as they occur, Sanabria said.
"A lot of companies do one incident response test a year. They don't do any real attack simulation," he said. "When ... they have their annual pen tests, they don't use that as an opportunity to see if they can spot that stuff, maybe stop the pen tester. So there's a lot of opportunities here that I think we've traditionally been passing up."
Enterprises will also probably be forced to rethink how they delegate cybersecurity responsibilities in executive management roles soon, Sanabria said.
"The CISO [chief information security officer] role in security is very shaky and up in the air," he said. "A lot of people don't want to be a CISO anymore, particularly not at a public company where there's a lot of personal liability, and where their responsibilities are so broad. ... Already we see companies breaking off chief risk officer, chief privacy officer, maybe there's an AI officer. ... Technology changing is forcing changes in these other places."
Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps.