Shift left refers to moving security sooner in the development process. Graphing the process of application development, with time as the X axis, the process begins with recognition of a need that a technology or service will fulfill, whether it’s an application being developed for sale to paying customers or for internal use. As the solution moved through the stages of conception, design, develop, build, and test, security was often a final step, prior to deployment. Security was merely wrapped around the outside of the application prior to release to end users. And this step, necessarily, added time.
Additionally, a tighter integration of security throughout the process leads to better security outcomes, versus tacking it on at the end.
Shift left is the way to remedy these problems.
With the immediate publication of software comes the immediate publication of any risks.
The Six Pillars of DevSecOps: Automation, published by the Cloud Security Alliance (CSA), states, “Security can be achieved only when it has been designed in. Applying security measures as an afterthought is a recipe for disaster.
Security protections must follow the same automated paths. Tight integration of security throughout the duration of the development lifecycle can not only speed up the time to release, but result in improved security.
The traditional process of implementing security after development was completed, but prior to release, resulted in frequent clashes between security and development teams. As development teams completed their portion of the task, they sought to place applications into the end users’ hands, to deliver the outcome of their efforts, begin gathering feedback, and meet deadlines. For security to put the brakes on releases resulted in adversarial relationships between the two.
A survey of more than 165 developers, application security, and DevOps professionals conducted by ShiftLeft finds 89% of respondents said the current disconnect between developers and cybersecurity teams is the biggest inhibitor of productivity.
By shifting security left, teams can cooperate instead, and integrate the processes necessary to prepare apps for release on time, securely.
Shifting left involves making changes in when, where and how to apply security best practices. Security must build trust with developers and DevOps. It’s helpful to understand the DevOps automation culture and the speed with which they deploy code.
As part of shifting left, you should provide developers with the tools to do their job securely without adding work. This includes automating security such as conducting vulnerability scanning at the point of deployment and generating permissions for Lambda functions.
While security must be proactive, it’s challenging to achieve while maintaining that speed. You need to get control, governance, and observability. Security professionals must enable, rather than restrict, the business.
It’s important for developers to understand secure coding methods. This can enable developers, rather than security analysts, to check for and eliminate vulnerabilities early.
As Marco Rottigni, chief technical security officer tells Computer Business Review, “Developers should be empowered with plug-ins that trigger security and compliance controls at every step of the DevOps process, exposing the results right within the tools they commonly use to enable rapid remediation of the vulnerable code.”
While there has been progress shifting left, it’s often not enough. Over 42% of respondents to GitLab’s Mapping the DevSecOps Landscape 2020 Survey said testing happens too late in the lifecycle.
Without security automation, DevOps teams are often hindered by the need to wait for human approval.
As Paul Holland, wrote in Computer Weekly, “CISOs need to realise that developers should be granted time to develop securely and not judge their performance solely by the time to build.”
It’s unreasonable to assign additional duties for application security to developers, while expecting them to maintain a furious pace. While shifting security left results in a more efficient process and can speed time to market, time must still be allocated for tasks those security tasks, such as code reviews.
“Security controls can’t be successfully integrated without automated security capabilities that allow for timely and meaningful feedback. By adopting even modest automated security capabilities entire classes of risk can potentially be eliminated,” said Sean Heide, Research Analyst Cloud Security Alliance.
Automate remediation. Don’t create tickets to solve things that could be resolved in an automated way. Offer developers self-serve to assess security of a stack they’re about to deploy.
Nigel Kersten, Puppet’s field chief technology officer, stressed the importance of deploying automation at scale in DevSecOps practices. “Without [scaled automation], organisations will end up with the same manual processes and the same conflicting incentives. Then, instead of DevSecOps, these businesses are left with just Dev, Sec and Ops.”
Disparate solutions fall short. In particular, app security was not designed to adapt automatically to app changes. The large scale of most cloud infrastructures along with dynamic environments makes security particularly challenging.
Today’s security professionals need to deploy multi-layer security across all cloud environments – with a consistent security approach and policy language across everything you do. Check Point provides an automated security approach that protects at cloud scale and speed. Keep track of your configurations with posture management, high fidelity visibility around assets. Maintain protection according to best practices as well as to your own policies. Continuously monitor and take actions across the entire cloud infrastructure.