Recent high-profile supply chain attacks have heightened the need for increased regulation of the open-source community. In the U.S., for example, President Biden’s recent executive order asks government vendors to attest “to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.” The president’s recent order, and the potential actions of legislators to follow, could lead to burdensome regulations that interfere with shift left practices, and ultimately slow down the pace of software development.
The challenge with the directive is that nearly 60 percent of software developers have little to no secure coding training. Developers are traditionally focused on pushing out innovative, stable products, not triaging security alerts. They want to use open-source code without thinking about its possible security risks. Developers rely on open-source components because these are ready-made pieces of code that allow them to keep up with competitive release time frames. They often leave it to their security teams to identify mistakes at the end of the development process.
Developers vs security teams
Developers’ reliance on open-source components often presents a challenge to the cautious attitude of security teams. According to a recent study, only 31 percent of organizations report having agreed upon prioritization processes between developers and security professionals about vulnerability remediation. Many software companies even have separate guidelines for development and security teams. Due to the disconnect between the teams, security professionals often purchase application security tools that disregard developers’ needs and processes.
Both developers and security professionals admit that they frequently feel pressure to “check the box” on security measures in the interest of meeting deadlines. This means that security is often sacrificed to speed up development and this opens the door for hackers to exploit vulnerabilities in open source code.
Shifting left can help bridge the gap
The shift left approach helps to bridge the gap between developers and security professionals; it moves security testing and vulnerability management into the earliest stages of development.
In a shift left model, all testing, feedback, and revisions are performed continuously throughout the development process. This enables organizations to identify security risks in their applications early, before they become more complicated, time-consuming, and expensive to fix.
Will regulation put a wrench in shift left practices?
The shift left model, supported by an application security program, is not yet fully matured in many organizations. New regulations on open source use could create an even bigger challenge, introducing too many rules and liabilities for detecting vulnerabilities – as opposed to fixing them. Extensive regulation could add too much noise to the process of vulnerability management, ultimately slowing down the remediation process.
While application security tools help development and security teams address security and open source license compliance early in development, most won’t be up to the challenge of additional regulation, which will require detailed legal analysis.
Imagine if developers and security professionals had to regularly pause development to have their legal departments determine if all the open-source components used in their projects are compliant with regulatory requirements. This type of practice would undermine any shift left processes already in place.
Many software companies will likely end up leaving more of their regulation reviews to the end of their development cycles. If the legal department finds issues, developers and security teams could spend hours dealing with compliance issues, instead of creating and pushing out products.
Can new regulation be shifted left?
To ensure shift left practices are implemented effectively, developers need the support of security tools and processes that allow them to create without having to slow down for security compliance.
Adding compliance with regulation to the shift left process will only cause tedious review processes for both security and development teams, and slow down release cycles. President Biden and legislators must be cautious about the regulations they put on developers and the open source community, to make sure that they don’t backfire and end up slowing down innovation.