The Cybersecurity Fallacy of Shifting Left and Other Problems
September 26, 2023

Rickard Carlsson
Detectify

The benefits of shifting left in development are clear and well-known. Integrating security into the development process early on is a good idea. Ideally, effectively shifting left allows organizations to significantly lower their risk profile, which is a big part of why DevSecOps has become such a buzzword. Nevertheless, shifting left is not a silver bullet for cybersecurity.

The problem is this: the notion of shifting left is dependent on a linear development process, but real-life development is anything but linear. Companies are assembling increasingly complex tech stacks, and more and more stakeholders have the ability to stand up servers or provision apps, often without even alerting the security team. There isn't an organization on the planet that runs every piece of code past their security team, no matter how much they've emphasized "shifting left."

The current world of software relies heavily on recycled code, much of which is lifted from open-source repositories. No matter how tightly you integrate security into your development cycles, if the open-source code you borrowed is vulnerable, so are you. Even if you were to somehow achieve the unrealistic goal of "zero vulnerabilities in production," there's no guarantee that this will actually make your business secure.

Patch Management Doesn't Cover the Bases

Another issue companies face beyond just shifting their security left is the heavy reliance on patch management to find and fix vulnerabilities. While patch management certainly has its uses, there are a few notable shortcomings. Of 344 unique vulnerabilities ransomware operators exploited in 2021, 76% of the flaws were from 2019 or before. Not much has changed. When Equifax was breached in 2017, hackers exploited a vulnerability that had been reported months ago.

Even when done well, patch management is reactive and not completely effective. Somebody has to first find a vulnerability and then create a patch for it. Sometimes ethical hackers follow industry guidelines, but companies sometimes fail to patch the vulnerability quickly enough. It takes bad actors roughly a fortnight to turn a vulnerability into an exploit. If you don't move quicker than that to remediate a known vulnerability, you are leaving the door wide open for an attacker.

Have a Better Plan: Enable Proactive Security

Not everything that ends up in the production environment can be tested in development. Planning to catch vulnerabilities through shifting left or reactive patch management is a plan that will fail. Patch management and shifting left don't mean much if you can't move quickly to address the vulns you do find. You won't catch everything, and you won't patch what you do catch quickly enough.

Our increasing reliance on recycled code and the lack of visibility into unused or forgotten assets leave companies with more blind spots than ever. In the face of this ever-evolving digital landscape, companies cannot assume that their expanding external attack surface is protected just because they've introduced security into the development process — in fact, they should assume the opposite. It's not enough to shift left and supplement with patch management. Instead, companies should look to the right and consider how to continuously manage their expanding external attack surface in real-time.

Organizations need to transition from reactively chasing down vulns to holistically managing risk across their entire attack surface. Continuously testing the entire external attack surface, identifying forgotten assets and testing in a way that mimics how an attacker might exploit them is the only scalable form of defense. While it would be nice to catch all the vulnerabilities in development, that's unrealistic. Healthy cybersecurity begins with being proactive, thinking about what's next, and having a reliable plan in place.

Rickard Carlsson is CEO of Detectify
Share this

Industry News

December 06, 2023

ngrok unveiled its JavaScript and Python SDKs, enabling developers to programmatically serve their applications and manage traffic by embedding ingress with a single line of code.

December 06, 2023

Data Theorem introduced API Attack Path Visualization capabilities for the protection of APIs and the software supply chain.

December 05, 2023

Security Journey announced support for WCAG, SCIM and continued compliance with SOC2 Type 2, which are leading industry standards.

December 05, 2023

Vercel announced a new suite of features for its Developer Experience (DX) Platform, made for enterprise teams with large codebases.

December 04, 2023

Atlassian Corporation has completed the acquisition of Loom, a video messaging platform that helps users communicate through instantly shareable videos.

December 04, 2023

Orca Security announced that the Orca Cloud Security Platform has achieved the Amazon Web Services (AWS) Built-in Competency.

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023

Solo.io achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.