Many CISOs we speak with talk about their focus on a Shift Left approach, a popular term in the DevOps community. Shifting Left means information security is built into the application process from the beginning of the development lifecycle. When processes are performed earlier in the development lifecycle, including security checks and audits, it becomes easier to find flaws and potential issues, and resources are used more efficiently. By doing so, CISOs and their teams are able to mitigate the risk that potential security concerns pose to both the delivery schedule and end users.
For security teams to enable the DevOps process, strong collaboration is required, transforming DevOps into what is known as DevSecOps. DevSecOps means security teams working closely with the DevOps teams to address security concerns as early in the development lifecycle as possible.
But what does shift left mean? Shifting left refers to the effort by a DevOps team to implement measures to ensure application quality at an early point in the software development lifecycle. In the case of application security, this means implementing measures to ensure security concerns are taken into consideration while the application is being developed, rather than at the end of the process.
On page 10, Bradley Schaufenbuel, CISO, Paychex, says, “Our goal is to get security involved earlier in the development of new processes, products and strategy. I want to make sure we embed security into that thinking from the very beginning rather than bolting it on at the end. For example, typically, software developers develop code which is placed into production, then security comes in and tests for any issues. When security does find issues, they may be expensive to fix and take time away from pushing out new code. With shifting left, security is baked in at the beginning, which helps avoid costly adjustments.”
BENEFITS OF SHIFTING LEFT
With an end goal of increasing quality and reducing the amount of time required for testing, Shifting Left ensures both of these goals are met. If evaluation is delayed until later in the development lifecycle, the cost of fixing any security concerns significantly increases.
Improving Security Protections
Historically, development teams may have been reluctant to implement or engage in a Shift Left approach because they believed involving security too early in the process might delay or complicate a project. However, DevOps has changed in recent years, and Shifting Left has become increasingly practical and is now a best practice in the worlds of both DevOps and security.
Implementing Shifting Left
Shifting Left begins with establishing collaboration between the entire security and DevOps teams. Integrating the importance of security into the workforce culture promotes responsibility among all individuals within an organization. Ensuring this buy-in is vital for success. For example, developers must buy into the Shift Left approach so that they code with security top of mind.
CISOs and security leaders should encourage their teams to engage in regular conversations about application security throughout the development process. Security teams must keep talking with their developer counterparts so that Shifting Left becomes embedded in the process.
Testing is also key to making Shifting Left happen. Test automation and continuous integration are vital components to be mindful of, especially as developers are becoming comfortable with Shifting Left.