Shifting left on security
More widespread than ever and gaining in ingenuity, security attacks are on the rise. For too long, we’ve considered security as something to deal with at the end of the development cycle. Not anymore. Shifting left on security doesn’t only make your product safer; it saves you time and money while you’re at it.
In 2020, more than 22 billion records of confidential information and business data were exposed, according to Tenable’s 2020 Threat Landscape Retrospective Report. With technology accelerating and evolving at tremendous speed, the quantity and sophistication of security threats have picked up as well. Security can no longer be a final step before delivery; we must integrate it throughout the whole software development lifecycle. This shift-left approach to security won’t just make your software safer; it will save you time and money.
Speed of delivery vs. security
We’ve come a long way in terms of speed of delivery. The DevOps movement, for one, brought along a fierce acceleration to the development cycle. Adding to that momentum is the rise of SRE practices and Infrastructure-as-Code. Over the last few years, we’ve been able to continuously improve that time-to-market, but we’ve never really stopped to consider security for a moment. The harsh truth is that it has become more and more critical to prevent security issues, rather than waste time and money fixing them.
In the past, a dedicated security team would take care of the necessary security and compliance checks of your product just before deploying it to production. Everyone who has ever shipped software probably knows that fixing security issues at the end of the development cycle is a real pain. For those who don’t: if you involve your security team only at the end of the delivery lifecycle, it is usually painfully expensive and time-consuming to make the changes needed to improve your product’s security. Yet few have acted on this.
Prevent, don’t fix
The general concept of shifting left is all about introducing tasks that clear classic bottlenecks - like testing or deployment - earlier in the development cycle. DevOps is a successful consequence of the shift-left approach, but it doesn’t encompass security. So, from now on, let’s think in a DevSecOps mindset: we don’t only want to shift security to an earlier stage in the cycle; we want to integrate it in every step along the way in order to accelerate the cycle.
The main goal of shifting left on security is preventing failure by performing security checks earlier on. In practice, engineers catch and solve potential security issues before they can become a real problem. With DevSecOps, teams continuously take security into account while working on their products. Inevitably, the shift-left approach results in cost savings (the sooner you detect, the cheaper the fix), a faster time to market (eliminating security bottlenecks), the mitigation of risks and the creation of a solid security culture in your company.
Automation and security: it’s a match
Apart from the obvious benefits a shift-left approach brings, there’s more to gain below the surface. When you embed security early on, and at each stage of development and testing, your team will save a lot of time. The key to that time-saving lies in automation. It may sound counter-intuitive, but automated security testing does a splendid job, on condition that it’s applied early enough in the development lifecycle.
The market offers lots of tools that can help you shift left and implement automation throughout your pipeline. Static and Dynamic Application Security Testing (SAST/DAST) automatically check for vulnerabilities in your application: SAST analyses the source code without running it, DAST probes the running application. Interactive Application Security Testing (IAST) combines the two and is typically deployed as an agent in the runtime environment that observes operations and attacks. Dependency Scanning, on the other hand, scans for known flaws in your dependencies - a must-have to check your open-source libraries - and Secrets Detection ensures that no secrets such as database credentials or API keys end up in your code.
In essence, automation means less room for human error, increased code coverage and no security issues slipping into your production environment. If you want to shift left on security without automation, you will not succeed.
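To make this concrete, here is a small secrets-detection gate of the kind that runs on every commit in a shift-left pipeline. It is an added example written for this article, not code from any of the tools mentioned above; the signature patterns, the entropy threshold, the allowlist of placeholder values and the sample files are all illustrative assumptions.

```python
"""Minimal secrets-detection gate for a CI pipeline.

Added example, not from the original article or any particular product.
Signature patterns, thresholds and sample input are illustrative assumptions.
"""
import math
import re
import sys
from dataclasses import dataclass

# Signature patterns for well-known secret formats (assumptions, kept small).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" assignments, capturing the quoted value
    "assigned_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Placeholder values tolerated so that sample configs do not trip the gate.
ALLOWLIST = {"changeme", "<redacted>", "example", "your-api-key-here"}

# Fallback: long tokens with high Shannon entropy look like generated credentials.
# 4.5 bits/char is above the 4.0 maximum a hex digest can reach (assumption).
ENTROPY_THRESHOLD = 4.5
MIN_TOKEN_LEN = 20
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_TOKEN_LEN)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # redacted, never the full value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _redact(value: str) -> str:
    return value[:4] + "..."


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; signature hits win, entropy is the fallback."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.lower() in ALLOWLIST:
                continue
            findings.append(Finding(path, line_no, kind, _redact(value)))
            break  # one signature finding per line is enough
        else:
            # No signature matched: look for random-looking long tokens.
            for tok in TOKEN_RE.findall(line):
                if tok.lower() in ALLOWLIST:
                    continue
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, line_no, "high_entropy_string", _redact(tok)))
                    break
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents (e.g. the staged files of a commit)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def gate(files: dict) -> int:
    """Exit status for the pipeline step: 1 if any secret-like value was found."""
    return 1 if scan_files(files) else 0


# Constructed sample input. AKIAIOSFODNN7EXAMPLE is the placeholder key id used
# in AWS documentation; the salt below is an arbitrary string of 32 distinct chars.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        'DB_PASSWORD = "changeme"',                            # allowlisted placeholder
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',          # signature hit
        'SESSION_SALT = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"',  # entropy hit
        "RETRY_NAME = this_is_not_a_secret_value",            # long but low entropy
    ]),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.excerpt})")
    sys.exit(gate(SAMPLE_FILES))
```

Run as a pre-commit hook or as the first stage of the pipeline, the non-zero exit status stops the commit or build before a credential ever reaches a shared branch; the allowlist and the entropy threshold are the two knobs you tune to keep false positives from training developers to ignore the gate.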
Don’t move responsibilities, share them
Shifting left is not about moving responsibilities; it’s about sharing them. By aligning development, operations and security, we can start talking about a true DevSecOps approach. The cross-pollination between these branches inevitably leads to more awareness and education among the technical teams in your organisation. If certain security processes become embedded in your way of working, developers, for instance, will automatically gain a better understanding of how security controls work and how they positively impact the outcome.
Does that mean that security teams become obsolete in the long term? Absolutely not. Empowering DevOps to perform security testing doesn’t equal replacing the core security team. To make sure your shift-left process is functioning properly, you still need to perform penetration tests or audit access rights and logs. On top of that, your development team will still need guidelines, best practices and new procedures that are developed and maintained by the core security team.
Downsizing your InfoSec team, failing to collaborate with them or engaging them too late are the most common pitfalls that prevent teams from shifting left on security. If your information security team is understaffed, they are not able to address all risks or oversee all the processes and people they need to. This leads to situations where they cannot collaborate with your software teams, something that is vitally important in this era of continuous cyber-attacks.
Assess, learn and implement
Getting started with shifting left on security is not always easy, and we can’t give you a one-size-fits-all solution. What’s most important is that you define a clear strategy. Decide where you intend to go and capture it in a one-page strategy that you can share with the company. Your strategy will help every colleague understand what successful implementation looks like for your organisation.
Include vision, ownership structure and metrics in the document, and follow a ‘plan-do-check-act’ methodology to mature your strategy over time. It doesn’t have to be perfect from the beginning, as long as you’re willing to stick with it.
Over time, you’ll see that shifting left on security will help your organisation reduce risk, improve security and gain efficiency in resolving potential issues. What’s not to love?