The responsibility for securing commercial technologies has traditionally fallen on the shoulders of end users, but there must be a shift away from end users being responsible for securing technologies they often do not understand. Under the current approach, software companies require trust from consumers (regarding their data privacy, security policies, etc.) without being held to a higher standard to manage that trust appropriately on behalf of the markets they serve. This is a hard problem to solve, primarily because increasing the security of apps and the operations that support them increases time to market and costs, which decreases profits and can affect the stock prices that fund both company and consumer investments, 401(k)s, etc.
This shift does not need to be drastic, but it has to be sped up. The software developer must take ownership of their product and supply chain security, to the point of redesigning it so users have flexibility but don’t have the option to make choices that are likely to cause exposures.
Adopting a long-term perspective is important. The creation and enforcement of improved software development practices, the integration of Generative AI (GenAI) into the development process, and the implementation of software composition analysis (SCA) and static analysis (SAST) checks before deployment to production should be expected from those entrusted with safeguarding our data, finances, and the intersection of these with our personal lives. Moreover, the development of engineered platforms capable of managing the complexities involved in these processes is an essential responsibility.
These measures could have a significant amplification effect over the next 3, 5, and 10 years. Imagine a world where deployment platforms incorporate and orchestrate all the best practices: GenAI-enhanced developer environments, orchestrated infrastructure configuration and deployment management, policy enforcement, and simplified and automated DevSecOps processes that include SCA and SAST checks on code. In this world, these platforms provide a reasonable level of security for the applications and data held by software product vendors and offer a provable level of risk management for consumers, companies, and cyber insurance carriers, who can take a shared approach to solving this problem. This approach fosters the philosophy that we’re all in it together and “all boats are lifted with the tide.”
We can get there by working backward from the long-term vision and identifying near-term goals that are critical milestones to achieving that vision.
In the short term, it’s important to acknowledge that “shift left” marketing has created a perception that the industry is making significant strides toward improved security, but this might not reflect reality. In practice, within software development companies, shift left often transfers the responsibility for security to application developers. Unfortunately, these developers lack sufficient training in cybersecurity and are most often influenced more by business revenue cycles than by the security implications of their code.
Jack Cable, Senior Technical Advisor at CISA, addresses a key point in this discussion in his excellent article “We Must Consider Software Developers a Key Part of the Cybersecurity Workforce.”
He points out that at the university level, cybersecurity is viewed as a subdiscipline, much like graphics or human-computer interaction, rather than as essential knowledge for every aspiring software developer as they enter the workforce. Universities have a difficult challenge in maintaining a balance between teaching the past and preparing young minds for future conditions. As societal and technological landscapes evolve, universities must adapt their curricula to stay relevant and address the changing needs of both education and society.
Cybercrime has been an issue for a long time. As our society has shifted to the mobile app and SaaS-driven dynamic workforce where nearly everything is online and handled through software, the opportunities for getting away with remote exploits have increased. Debates about software liability and the concept of safe harbors, which protect software companies that adhere to best practices in design and security, are the results of this shift.
There is wisdom in the quote “to whom much is entrusted, even more will be required.”
Like everything else in the tech space, this conversation boils down to different aspects of business transformation to address the future challenges of delivering value at an acceptable price where consumer trust in your products can be maintained.
As we work through these issues, we should encourage educators to create a curriculum that requires deeper explorations of risks in coding practices, demanding best practices as a requirement for all graduates and encouraging the perception that the developer is part of a larger system that requires a level of trust to operate effectively.
These are high-level ideas of how we can drive toward a shared responsibility, where educators, industries, product companies, and users all do their parts and all receive the benefits. The journey toward that shared responsibility is multifaceted. By fostering a culture of deeper understanding of risks, adherence to best practices, and a sense of collective responsibility, we can build a safer future. The success of cybersecurity lies not just in technology but in the collaborative efforts we make to empower each other to meet the evolving demands of our technological ecosystems and ensure that all stakeholders play their part in securing our shared digital landscape.