Shift-Left Security: An Overview
The software development industry is one of the fastest-growing business sectors. Spending on enterprise software has increased by more than10% per year, largely driven by the massive amounts of data being processed and the trend toward automation.
In the high-pressure environment of rapid software development, the cost of inadequate or late testing can be high. According to research by the Consortium for Information and Software Quality (CISQ), subpar software cost organizations $2.08 trillion in 2020. This illustrates the need for shift-left security.
What is shift-left security? What are its benefits and how can it be implemented?
What is Shift-Left Security?
Shifting left means conducting security testing sooner. Think of software development as a linear process. In traditional DevOps, the various stages would flow like this: Plan > Code > Build > Test > Deploy > Monitor.
As you can see, testing tends to occur after the software is built. At this stage, testing may include integration testing, performance testing, and security testing. The downside is that any issues, particularly with security testing, may slow down or even halt development.
So to shift left on security means to include security in the planning and creation stage. Since there is no product to test during those stages, security modeling helps to anticipate security needs and reduce issues later in development.
While DevOps has long sought to streamline collaboration between development teams and IT operations, DevSecOps indicates a shift left, eliminating any remaining friction between development, information security, and operations.
What is Shifting Right in DevOps?
So if shifting left moves security testing to the planning and design stage, what is shifting right? No software is 100% bug-free when ready for release, so further testing needs to be done in real-world conditions. Shift-right testing and evaluation done during the production stage tests the application for performance, resilience, and reliability. Any issues detected will likely require a patch or some other form of remediation, and in worse-case scenarios, developers may need to go back to the drawing board.
To illustrate shift left and shift right, imagine baking a cake and accidentally replacing the sugar with salt. Shift-right testing would be like tasting it after you take it out of the oven. Would it not be a shame to go all the way to the end of the baking process before realizing the cake tastes salty instead of sweet? Shift-left testing, on the other hand, would be like tasting the batter right during mixing. You would immediately realize something is wrong and start over.
Keeping Security to the Right is No Longer an Option
Keeping security to the right is no longer cost-effective as vulnerabilities become more costly to fix the later they are discovered in the project. That is not to say that shift right is not important, but keeping security testing to the right means spending time and resources fixing issues during production that could have been addressed quickly or even avoided earlier in the project.
Going back to the cake illustration, tasting it after baking would make sure you do not serve a salty cake to your guests, and that is a good thing, but avoiding the salty cake altogether is even better. Therefore, the best practice in DevSecOps is to use both shift-left and shift-right security testing in their proper place.
Seven Benefits of Shift-Left Security
The attraction of shift-left cybersecurity is that it benefits all collaborators in DevSecOps, from business leaders to developers, testers, and security teams. Consider the following benefits:
- Collaboration: With security testing moving left to the planning and design stage, all teams involved are encouraged to collaborate. This impacts the end product positively.
- Product quality: Because security issues are anticipated and remediated early, and because relationships between developers, testers, security teams, and IT operations staff are streamlined, the resulting product will likely be of higher quality.
- Increased adaptability: Developers who work closely with security teams and IT operations staff are more likely to be more adaptable and flexible.
- Project speed: Automation ensures faster development while detecting and addressing issues early means that the project may move at a better speed.
- Cost savings: A smoothly running project where the finished product is the result of professional collaboration will save money by bringing the project to completion on time and on budget. Early detection means issues can be resolved with fewer resources and less downtime, also resulting in savings.
- Proper documentation: Collaborating teams will produce comprehensive documentation of the product development, making future maintenance and upgrades easier and more cost-effective.
- User satisfaction: Real-world users will likely be more satisfied because the released software will have little to no bugs or performance issues. It will not likely become a security vulnerability to their system, and it will likely meet design expectations.
Four Simple Steps to Implement Shift-Left Security in Your Organization
No two development projects are the same, so decisions on how to implement left-shift and right-shift security may differ in the details. But here are four steps considered best practices when implementing shift-left security:
- Define the policies: Establishing security policies and protocols before a project begins ensures that your team will be able to create the necessary models for shift-left security testing.
- Apply security fixes during coding: The founding principle of shift-left security is to detect and remediate issues in the developmental stages. As soon as an issue is identified, address it and fix it. Predefined communication standards and verification cycles are essential for developers and testers to collaborate on this.
- Provide ample visibility: The goal is to maintain the security of the software during development and after release, so all collaborating teams need complete visibility into security and performance. Departmental compartmentalization is not an option.
- Leverage automation: Shift-left security is often about anticipating security issues and monitoring development, so it relies heavily on modeling and automated processes. For example, code can be analyzed at specific checkpoints, and alerts can notify security teams of probable issues.
Challenges Enterprises May Face While Shifting Left
Making the shift left entails challenges that enterprises may have to overcome, but the idea of a shift to the left is to address many of these issues to begin with. So it is actually par for the course. Your shift-left strategy will likely resolve some of these issues automatically:
- Coders may be unaware or untrained regarding security: Developers focus on coding software, but that does not automatically mean they are up to speed on security issues and common threats. However, collaboration with the security team means knowledge will be shared and documented.
- Strained relations between dev, InfoSec, and ops: Sometimes relationships between these players may be less than cordial, but a shift left in security testing means they all need to get along. Even more, they all need to contribute.
- Delayed onboarding: Even where relationships are not strained, it may be that in previous development projects, InfoSec or IT staff were brought in late, particularly in organizations where the testing strategy was kept to the right. A shift left means that dev, InfoSec, and ops will all need to be onboard from the planning stage.
- Staff shortages: For some enterprises, there may not be enough qualified members of InfoSec and ops teams to be present and collaborate at the start of a new project.
Key Considerations While Implementing Shift Left in Your Enterprise Security Strategy
Shifting left at an enterprise level is a significant challenge of its own. It constitutes a change of culture among developers, testers, security teams, and others, and it demands a change in strategy at all levels of an organization. So here are additional key points to factor in:
- Automation: A shift left for enterprises must embrace automated build, security checks, and testing.
- Testing tools: Leverage the tools available for implementation and testing, such as Static Application System Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and so on.
- Threat modeling: No matter what threat modeling format your organization decides to use, it requires all teams to maintain a security focus throughout the project.
- Secure frameworks: Secure software development lifecycle (SDLC) frameworks ensure procedures are followed at each stage, and issues are identified early in development.
The Role of Shift-Left Testing in Cybersecurity
Because a shift-left cybersecurity strategy solidifies better relations between DevOps and cybersecurity teams, the result is software security that is more intrinsically linked to software development, improving the security posture of the organization.
Some of the benefits mentioned already, such as cost savings and faster delivery schedules, may “advertise” the shift to the left. But what makes it work both in the short term and long term is improved relationships and the earlier integration of security in development.
How Technology Can Help You Shift Security to the Left
As mentioned, part of a good shift-left strategy, especially for enterprises, is leveraging the available tools for testing. Each tool serves a different purpose and tests the product differently.
Static Application System Testing (SAST)
SAST is used to scan the source code itself for vulnerabilities. This is referred to as white-box testing, and the results include recommendations for remediation of any discovered issues. This kind of testing is the earliest that can be initiated in shift-left security.
Dynamic Application Security Testing (DAST)
DAST is a kind of black-box testing, where the application in development is exposed to a variety of common attacks. The results may indicate security vulnerabilities as well as runtime configuration issues.
Interactive Application Security Testing (IAST)
IAST is a hybrid marriage of SAST and DAST. It analyzes the application under development and monitors its behavior when exposed to a series of manual and automated tests simulating attacks within a controlled sandbox.
Runtime Application Self-Protection (RASP)
RASP runs in integration with the application during runtime to prevent attacks. It blocks execution based on either user behavior or traffic.
Software Composition Analysis (SCA)
SCA is an automated tool for cataloging and analyzing open-source components used in software development. It scans for licensing issues, build versions, dependencies, and vulnerabilities, and it can be used to manage those components throughout the SDLC.
Web Application Firewalls (WAF)
WAFs monitor and protect web applications against a variety of threats, such as malware and zero-day exploits. They block any malicious HTTP/HTTPS traffic that attempts to compromise the web application security.
How Fortinet Can Help?
Fortinet offers a platform for continuous application security testing for enterprises embracing shift-left application security. FortiDevSec works with most CI/CD platforms, where it remediates and detects vulnerabilities. This gives developers the ability to quickly build, test, and implement applications that improve business processes—without sacrificing security.
What is shift-left security?
To shift left on security means to include security in the planning and creation stage. Because there is no product to test during those stages, security modeling helps to anticipate security needs and reduce issues later in development.
What are the benefits of implementing a shift-left strategy?
Some of the benefits of shifting left are streamlined collaboration, improved product quality, increased adaptability among developers, faster delivery speed, cost savings, proper documentation, and increased user satisfaction.
Why does DevOps recommend shift left?
A shift left solidifies better relations between DevOps and cybersecurity teams, and the result is that software security is more intrinsically linked to software development, improving the security posture of the organization.