Shift Left or Die: Baking Security into the Software Development Lifecycle is More Critical Than Ever


Posted by Tony Kontzer

Somewhere along the road to DevOps nirvana that so many organizations have been attempting to follow, security got left behind. You see, a big driver of the need for DevOps is the speed with which organizations crank out software. It turns out it's really easy for software development to run off the rails, turning what should be innovation into unnecessary fiascos that can cost millions to fix, or worse yet, cause irreparable damage to a company's reputation.

It's not just software companies that are at risk — pretty much every business has become a software development organization to some extent, and if it hasn't yet, it will soon. And as the pressure to crank out software releases faster and faster has been ratcheted up, so, too, has the adoption of agile development strategies accelerated, and all of this agility has too often rendered security more of an afterthought than it ever should have been.

To compensate, many organizations have been diligent about creating application security protocols that seek to ensure that software is checked for vulnerabilities before it's released to the user population. There's only one problem with this: It's often too late.

It's the recognition of this that has led the worlds of AppSec and DevOps to adopt a philosophy summed up by the term "Shift Left." The idea is simple: Embed security earlier in the development pipeline (further left in the lifecycle), and security becomes an integral component of each software development process. Unfortunately, the reality is that it's not easy to do.
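To make "further left" concrete, here is a small added example (not code from the article, nor from Greene, Kail, Veracode or CYBRIC) of what a shifted-left security gate looks like in practice: the same checks a release-time review might perform, packaged as a function that a developer's pre-commit hook or the first CI stage can call, so a leaked credential or a pinned vulnerable dependency is caught while the change is still on the developer's machine. The secret patterns, the `KNOWN_VULNERABLE` table and the package names in it, and the sample commit are all constructed placeholders for the demonstration, not a real advisory feed.

```python
"""Added example: a minimal "shift left" security gate for a commit or CI stage.

Everything below is illustrative: the patterns, the stand-in advisory table and
the sample commit are constructed for the demo, not taken from a real feed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    stage: str    # where in the lifecycle the check ran (e.g. "pre-commit", "ci")
    path: str     # file the finding was raised on
    rule: str     # which check fired
    detail: str   # line number or offending pin


# Constructed patterns for credentials that should never land in a commit.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]{4,}['\"]"),
}

# Constructed stand-in for a vulnerability feed: package name -> affected versions.
# The package names are placeholders, not real advisories.
KNOWN_VULNERABLE = {
    "exampleweb": {"1.0.0", "1.0.1"},
    "parselib": {"2.3.0"},
}


def scan_for_secrets(path, text, stage="pre-commit"):
    """Return one Finding per line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(stage, path, rule, f"line {lineno}"))
    return findings


def parse_requirements(text):
    """Parse pip-style 'name==version' pins; comments and unpinned lines are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins


def check_dependencies(path, text, stage="pre-commit"):
    """Flag any pinned version that appears in the (constructed) advisory table."""
    findings = []
    for name, version in parse_requirements(text).items():
        if version in KNOWN_VULNERABLE.get(name, set()):
            findings.append(Finding(stage, path, "vulnerable-dependency", f"{name}=={version}"))
    return findings


def security_gate(changed_files, stage="pre-commit"):
    """Run every check over {path: contents}; return (passed, findings).

    The same function can be wired into a pre-commit hook (leftmost) and into
    the first CI stage, so the gate runs before code reaches a shared branch.
    """
    findings = []
    for path, text in changed_files.items():
        findings.extend(scan_for_secrets(path, text, stage))
        if path.endswith("requirements.txt"):
            findings.extend(check_dependencies(path, text, stage))
    return (len(findings) == 0, findings)


# Constructed sample commit: one leaked key (AWS's documented example key ID)
# and one pin that matches the placeholder advisory table.
SAMPLE_COMMIT = {
    "app/settings.py": "DEBUG = False\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
    "requirements.txt": "exampleweb==1.0.1\nparselib==2.4.0\n",
}

if __name__ == "__main__":
    passed, findings = security_gate(SAMPLE_COMMIT)
    for f in findings:
        print(f"[{f.stage}] {f.path}: {f.rule} ({f.detail})")
    raise SystemExit(0 if passed else 1)
```

Run as a script it exits non-zero when the gate fails, which is the contract a pre-commit hook or CI step needs. The point of the design is that the checks live in one function with no knowledge of where it is called from; only the `stage` label changes, so the same findings a late review would produce appear at the developer's desk first.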

In a recent post for Dark Reading, Kevin E. Greene, a principal software assurance engineer at The MITRE Corp. and host of his own podcast, Cybersecurity Insights and Perspectives, shared a thought-provoking statistic from a study conducted by HP Enterprise: 99% of respondents said that DevOps culture offers the opportunity to improve application security processes, but only 20% said that security testing is done throughout their systems development lifecycle.

"While DevOps principles and practices acknowledge the need for security, many organizations struggle to find the right fit and speed for integrating security into DevOps," Greene wrote. "Security is still trying to catch up with all the innovative software being developed, tested, deployed, and delivered without slowing or bogging down the process."

To up the ante, Greene argues that it's impossible to shift security too far left. In fact, rather than figuring out how soon an organization can weave security into its development lifecycle, he recommends that organizations instead consider "codifying (security) intuition" into their DevOps processes. That's a big idea, but anyone who's seen seasoned security pros use their instincts to discover unknown vulnerabilities knows what it means.

Of course, in order to bake security intuition into the software development lifecycle, development and security teams have to be on the same page, and that's something that's been a challenge for many businesses. In a recent piece for IT Pro Portal, Mike Kail, CTO for security vendor CYBRIC, which sells a continuous application security platform designed to ensure that security isn't a barrier to innovation, suggested that this is a bridge CISOs must start building if they haven't already.

"In order to close the chasm that exists between the development and security teams, the organisational lines need to be blurred and security teams need to be an integrated part of the overall pipeline," Kail wrote. "Combined with involving the security team as early as possible, CISOs need to take a deep look at how their organisation is composed and understand the need for a strong group of engineers that both have deep security testing and remediation experience, as well as a thorough understanding of the software development process."

Amid all of this talk of integrating security sooner into the software development process, however, Veracode offers another perspective in a recent blog post, suggesting that security needs to shift both left and right, ensuring that software is secure not just throughout development, but also after it leaves the development team's hands.

"It’s important not to lose sight of the fact that effective application security secures software throughout its entire lifecycle — from inception to production or, put another way, from prevent to respond," the post read. "Rather than talking about securing the software development lifecycle, we should focus on securing the software lifecycle."

Veracode will offer some tips and strategies for accomplishing this combination of shifting left and right during an upcoming virtual summit on the topic.

Whether your organization ultimately embraces this "Shift Left" philosophy (or a "Shift Left and Right" philosophy), the writing is on the wall: With software development more critical, complex and fast-moving than ever, leaving security on the sideline throughout the process has become a recipe for failure.


Contributors: Tony Kontzer, RSA Conference

Tags: application security, DevSecOps

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

