“Shift left” is a popular paradigm in application security which refers to “Shift left” security or “Shift left” testing. We will discuss “Shift left security” in this blog post.
Security is always considered as an after thought for most software projects. This is just not a cliched line but something I have done earlier too! 🙂 We make sure the code is designed well, develop it and test it . Just before the project is deployed, the security team uncovers security issues which puts the brakes on software project and extends the application release date even further.
“What is Shift left security”?
In a traditional SDLC, there is no mention of security at all across the entire SDLC (I am not sure whether it is properly discussed even today) The detection of security bugs after the whole process will be sent back again to the development team. The entire development process will be repeated which slows the whole process down.
This is a representation of a typical SDLC where there is no mention of security anywhere!
There is a possibility that during the entire SDLC, the security team and the development team might not be seeing eye to eye for for many things because of these costly and time consuming changes and this will create further discord and difficulty for the project.
Shifting security left ensures that security best practices are incorporated into the SDLC(software development lifecycle) as early as possible. It also ensures that vulnerabilities and other bugs were caught much earlier and remediated instantly.
By shifting security to the left, we ensure that the development team, security team and the operations team work well together and the security team stitches security as early as possible to the project. In this age of speed and velocity, this also ensures that applications are released as early as possible with minimal glitches.
What are the advantages of “Shift left security”?
- Time is saved by incorporating security aspects as early as possible rather than later.
- Shift left security reduces cost by eliminating costly bug fixes later
- The development team, the security team and the operations team learn to work together…after all, what is the point of an organization if one cannot work together in tandem? 😉
- Applications can be released in a more timely fashion
How is “Shift left security” done?
We can implement “Shift left security” by employing these technologies:
- SAST(Static application security testing)
- DAST(Dynamic application security testing)
- IAST(Interactive application security testing )
Security can be shifted left by also educating developers about secure coding practices and not just getting the code to work. If the code is designed securely from the beginning, there will be no necessity of any costly bug fixes and the application will move into production much more quickly.
Last but not least, “Shift left security” also involves a completely different mindset for the whole organization. It has to be emphasized enough for the organization and all have to be trained to work towards it.