“Shift-left” is a familiar concept to CISOs and security practitioners across the globe. The term was coined to promote integrating security practices earlier in the software development lifecycle (SDLC), in a bid to curb escalating application security risk. Promising more efficient and secure software, shared responsibility, and developers who are empowered to fix security bugs themselves, it is no surprise that the concept has garnered significant industry attention in recent years. Yet, despite widespread awareness, security teams continue to struggle with shift-left buy-in and implementation.
There are several obstacles to shifting security left. The first, and perhaps most prevalent, is that organizations do not know where they currently stand on the shift-left journey. This is closely coupled with a lack of the resources, both budget and people, needed to actually shift left. Identifying the stages of shift-left adoption, and the resource allocation each stage requires, is key to successful implementation. Yet it remains little discussed among industry peers, which creates roadblocks throughout the journey.
The shift-left journey comprises four fundamental stages: box-checking basics, shift-left curious, shift-left committed, and continuously secure. A core component of this progression is the integration of people, processes, and tools. By building and nurturing a culture that integrates security, instituting robust processes, and leveraging the right tools, organizations gain the means to move through every stage and strengthen security posture across their entire software development lifecycle.
Bye Bye Basics
Many organizations’ shift-left journey begins with basic box-checking activities. They are fixated on reactively satisfying compliance regulations rather than proactively improving their security posture. At the ‘box-checking basics’ stage, application security teams’ efforts are often focused solely on testing applications already in production, creating tickets, and leaving developers to resolve issues on their own, so that the team can show auditors that a process exists. There is little or no collaboration between those developing applications and the security team, which results in late discovery of security flaws, inflated remediation costs, and slipped release timelines. Shift-left success, by contrast, hinges on deep collaboration between security teams and developers.
With accelerating release cycles and heightened security risk, box-checking basics alone are insufficient to protect organizations from modern attackers. Organizations that recognize the need for change can begin their shift-left journey with small, controlled implementations of shift-left practices, choosing initiatives that demonstrate value in order to ease the transition and avoid resistance. Successful pilot programs serve as proof of concept, encouraging broader adoption and fostering a more integrated approach to security.
Shift-Left Curious
As an enterprise moves beyond box-checking basics into the shift-left curious phase, there is a genuine desire to reform security practices, and often a dedicated security champion who can drive the effort. Without a comprehensive strategy and a set of key initiatives behind that effort, however, such champions and their organizations will eventually hit roadblocks and a lack of buy-in. Many dive in head first and try to scale shift-left practices rapidly; starting small is the key to success, along with forging deep collaboration between AppSec and engineering teams.
Organizations should cultivate a culture that encourages knowledge sharing between these two teams, aligning security objectives with value delivery. This leads to a clearer understanding of where security risks reside and what is required to mitigate them. This phase is the right time to go and sit with delivery teams, listen to how they work, and learn the tools and processes they already use, so that shift-left practices can be adopted in a way that fits.
Shift-Left Committed
Once an organization has fostered a culture of collaboration and determined the tools and processes it needs, it begins to affirm its commitment to the practice. This phase sees security processes integrated throughout every stage of the development workflow. Challenges can surface along the way; organizations often run into problems with technical tooling, especially when trying to scale testing processes.
As in the shift-left curious stage, it is essential to maintain a deeply collaborative relationship between security teams and developers in this phase, both to nurture a security-conscious culture and to embed automated security checks within CI/CD pipelines. This provides continuous security coverage throughout the development process. It is also important to regularly evaluate shift-left tools and processes to ensure that they meet industry compliance requirements and keep pace with evolving security risks.
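A concrete illustration of what “embedding automated security checks within CI/CD pipelines” looks like in practice is a gate step that reads a scanner’s report and fails the build only on new findings above an agreed severity. The script below is an added example written for this article; it is not StackHawk’s or the author’s code and does not depend on any particular scanner. It parses a SARIF 2.1.0 document (the interchange format many SAST and DAST tools emit), takes severity from the GitHub-style `security-severity` rule property and finding identity from the `primaryLocationLineHash` partial fingerprint (both assumptions about how the scanner populates the report), and compares against a baseline of already-triaged fingerprints so that a team scaling up testing is not blocked by pre-existing findings. The sample report and baseline are constructed inline so the script runs offline.

```python
"""CI gate: fail the pipeline on new findings at or above a severity threshold.

Added example. Assumes a SARIF 2.1.0 report whose rules carry a
"security-severity" property (GitHub convention, 0-10 CVSS-like scale) and
whose results carry a "primaryLocationLineHash" partial fingerprint.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed SARIF report standing in for a scanner's real output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "SQLI-001", "properties": {"security-severity": "9.8"}},
                {"id": "XSS-002", "properties": {"security-severity": "6.1"}},
                {"id": "INFO-003", "properties": {"security-severity": "2.0"}},
            ],
        }},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL injection in /search"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/search.py"},
                 "region": {"startLine": 42}}}],
             "partialFingerprints": {"primaryLocationLineHash": "aaa111"}},
            {"ruleId": "XSS-002", "level": "warning",
             "message": {"text": "Reflected XSS in /profile"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/profile.py"},
                 "region": {"startLine": 17}}}],
             "partialFingerprints": {"primaryLocationLineHash": "bbb222"}},
            {"ruleId": "INFO-003", "level": "note",
             "message": {"text": "Server header reveals version"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/main.py"},
                 "region": {"startLine": 3}}}],
             "partialFingerprints": {"primaryLocationLineHash": "ccc333"}},
        ],
    }],
})

# Constructed baseline: fingerprints of findings already triaged and accepted.
# Anything not listed here counts as a new finding.
BASELINE_FINGERPRINTS = {"bbb222"}


def parse_sarif(text: str) -> List[Dict]:
    """Flatten a SARIF document into findings with a numeric severity."""
    doc = json.loads(text)
    findings: List[Dict] = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        # Severity lives on the rule, not the result, so build a lookup first.
        severity_by_rule = {
            r["id"]: float(r.get("properties", {}).get("security-severity", 0))
            for r in rules
        }
        for res in run.get("results", []):
            loc = res.get("locations", [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"),
                "severity": severity_by_rule.get(res.get("ruleId"), 0.0),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "fingerprint": res.get("partialFingerprints", {})
                                  .get("primaryLocationLineHash", ""),
                "text": res.get("message", {}).get("text", ""),
            })
    return findings


def gate(findings: Iterable[Dict], baseline: Iterable[str],
         threshold: float = 7.0) -> Tuple[bool, List[Dict]]:
    """Return (passed, blocking). Only new findings at/above threshold block.

    A finding with an empty fingerprint is treated as new, so a scanner that
    omits fingerprints fails closed rather than silently passing.
    """
    accepted = set(baseline)
    blocking = [f for f in findings
                if f["severity"] >= threshold and f["fingerprint"] not in accepted]
    return (len(blocking) == 0, blocking)


def run_gate(sarif_text: str = SAMPLE_SARIF,
             baseline: Iterable[str] = BASELINE_FINGERPRINTS,
             threshold: float = 7.0) -> int:
    """Print blocking findings and return a process exit code for the CI step."""
    passed, blocking = gate(parse_sarif(sarif_text), baseline, threshold)
    for f in blocking:
        print(f"BLOCK {f['rule']} sev={f['severity']} "
              f"{f['file']}:{f['line']} {f['text']}")
    print("gate passed" if passed else f"gate failed: {len(blocking)} new finding(s)")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(run_gate())
```

In a pipeline this runs as one step after the scan, with the scanner’s report path and the committed baseline file substituted for the constructed values; the threshold is the knob a team tightens as it moves from “committed” toward “continuously secure”, and the baseline is what lets the gate be switched on without first fixing every historical finding.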
Continuously Secure
The ideal outcome of shift-left is a state of “continuously secure,” in which AppSec and development teams jointly own the security of their applications and fully commit to a shift-left mindset. This is a deep cultural shift that empowers teams to proactively identify and address potential vulnerabilities early, minimizing the attack surface and reducing the risk of costly breaches. At this stage, organizations have, in most cases, tried and tested various security tooling and settled on a suite of solutions that fits their needs and automates tasks to streamline many processes. This forward-thinking strategy not only strengthens an organization’s overall security posture but also builds trust with users by demonstrating a commitment to protecting their information and privacy.
Walk Before You Run
Depending on the nature of an organization’s business, its size, and its industry, shift-left adoption techniques and processes will vary; there is no single formula for success. Understanding each stage of the journey, and the people, processes, and tooling required at every phase, will nonetheless enable organizations to craft a strategy that improves their security posture and produces more secure applications. Shift-left is a continuous journey, and one that involves some trial and error. By deeply integrating security processes across the entire development lifecycle, organizations can forge a more secure path forward.
About the Author
Scott Gerlach, CSO at StackHawk, has more than 20 years of experience in information security. Scott is a passionate security officer with expertise in identifying security gaps and working with companies to develop safe and effective policies and procedures to mitigate the resulting risks. His expertise spans developing, implementing, and managing IT security strategy and policy, risk management, intrusion detection, vulnerability assessment, network security design, application security, and incident response. Prior to founding StackHawk, he was CSO at Twilio. He also spent nearly a decade in security at GoDaddy.
LinkedIn: Scott Gerlach and company website: https://www.stackhawk.com/
