Forget Shift Left. Shift Up Instead.

In this episode, Matt explains how development and security teams need to move away from strategies like shift left, which only focus on one part of the software development process. The alternative, Matt argues, is that teams should instead "shift up" to gain greater visibility of all supply chain risks.

Keep learning
-Related: Why 'shift left' is a dirty term for some
-Report: The Evolution of App Sec
-Report: The State of Supply Chain Security

Episode Transcript

MATT ROSE: Hi, everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is SSCS, or Software Supply Chain Security, equals Shift Up, and everyone's probably thinking shift left, shift everywhere, what does shift up mean? I'm not a big proponent of shift left.

I think shift left is something that is gone the way of the dinosaur. The way software is developed today is a much more fluid and structured way that's at speed and scale. You think about software development lifecycle processes, or an SDLC, being depicted via a line where you have design, develop, code release, and then the example with the DevOps infinity bow tie.

Where something's happening at each specific section of this process, from designing and coding to testing, to releasing, so on and so forth. Shift left meant move to the developers move to the left of the cycle. Shift everywhere means insert something everywhere. But really when you're talking about software supply chain security, you need to shift up.

And what do I mean by that? So let's draw out a rudimentary SDLC or DevOps process. Where you have dev teams, I think we only have dev teams. This is a small organization. With their IDEs writing code, and they're all checking into let's say your source code repository, GitHub, Visual Source Safe.

You also have dependencies, your OSS, open source libraries or repository, your third-party repositories, and then your CI/CD process. And then you have your release process to the cloud container or even a data center. Very simplistic. The problem is most people think about shifting left as going this way, and installing security tools on the left in the developer's native environment.

That works, I think, in a proactive way, but doesn't really work in scale because applications, software is very complicated. All the pieces are brought together at this CI/CD process. So thinking about this way, and I'll use some visuals here to depict that, if you're looking just on the left, and we'll put a little camera icon right here, you're only gonna see things on the left.

If you are looking at your source code repositories, you're only gonna find specific issues in the source code repositories. If you're looking at open source, and we'll do the arrow first this time, and you're looking at there, you take your camera, you're only gonna snapshot or a picture of the open source code or the open source vulnerabilities.

What's happening is all these pieces, the homegrown code that you're developing, or farming out to third parties for development. The open source, the packages, the binaries that you're incorporating from a commercial or a binary repository type aspect are all brought together during the build that is all managed by the CI/CD process, from compiling it, creating that package, and then putting that package where it belongs to be used: cloud data centers, containers, Kubernetes, what have you. Shift up is the concept of taking all this information and moving it up. We'll do a very rudimentary drawing here.

A rocket ship going up, rocket ship's going up, it's going into space. You can see the whole earth. The cameras depict that if you're using any type of AST [Application Security Testing] or security product and looking at one thing, you're only gonna get a snapshot of that thing. So SSCS or Software Supply Chain Security needs to get above all of the components and look at the entire process.

But what does the entire process create? A compilable package. That compilable package is what? Companies deploy as part of a product update. What companies deploy in terms of the usage of their banking app, their e-commerce apps, so on and so forth. And it is the thing that is being compromised by software supply chain security attacks from malware being inserted into the open source code, into the build environment, manipulating signatures. Finding software supply chain issues, and malware specifically in the associated behaviors of malware, you gotta shift up. You can't shift left, you can't shift right, you have to shift up. And that's an effective way to think about software supply chain security.

Shift up, everybody.