 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
As the complexity and frequency of cyber threats increase, we need to rethink how we create software and evolve our processes to achieve security.
This article addresses changes your organization can make in the way you develop applications and the different mindset that is required. Specifically, we’ll talk about what it means to shift left and how this approach promotes a security-first mindset throughout the software development life cycle (SDLC) — from coding and building through deployment and runtime.
When you view the software development life cycle from left to right, tasks such as testing and security analysis were traditionally on the right. The problem with this approach is that when these tasks revealed bugs and vulnerabilities in the code, it would send the project back to the development phase to resolve them, adding significant time and expense. The shift-left philosophy aims to move these activities earlier in the software development process. Let’s talk about how to do this and, more importantly, why it’s essential for modern software development.
When your organization adopts a shift-left culture, you begin the design of a new solution with testing and security as part of the design. When you approach the design phase of a new project, you must ask the following questions:
Integrating shift-left security and testing into the design phase results in more secure and testable solutions. The resulting solutions are easier to maintain, and they save your organization time and money. When your production code is fortified and well-maintained, you also reduce the risks posed by potential cyberattacks.
Evolving a shift-left or security-minded culture doesn’t happen overnight. It requires an intentional investment in training and the reinforcement of those values in your engineering teams.
One organization I’ve worked for helped create such a culture by inviting engineers to participate in hacker training. A few days of gamified hacking challenges taught us to think like the enemy. The experience revealed several ways that a cybercriminal could exploit our software. Not only was the experience one of my most enjoyable career opportunities, but it changed how I looked at and developed solutions.
Investing in steps to change the development culture within your organization may require some initial funding. Still, the time you’ll save and the potential risk it helps avoid will yield significantly more savings over the life of your software projects.
Shifting left helps your engineering teams create more secure and maintainable solutions, but it doesn’t eliminate all the risks. Engineers are human; making mistakes and overlooking vulnerabilities can still happen.
While we can’t completely eliminate risks from our SDLC, we can reduce them by adopting shift-left practices. Fortunately, there are tools that we can include in the process to scan and evaluate our code for vulnerabilities and errors.
As with the security-first approach, these tools are most effective when introduced early in the process. Include code and vulnerability scans as part of an automated CI/CD pipeline to ensure they scan all new code and identify problems early in the process. It is significantly more effective to notify an engineer of a problem in their code shortly after they commit it to a repository than several days after the fact. This approach reduces context switching and ensures that we address risks in a timely fashion.
When designing the Orca Security platform, engineers were especially mindful of teams that adopt a shift-left approach to their software development practices. In addition to supporting integrated security and compliance scanning in the development process, the platform can also review container images and Infrastructure-as-Code (IAC) templates.
The platform’s holistic approach to vulnerability management also validates configurations and detects the accidental inclusion of credentials, and it can identify the presence of malware in included libraries and packages.
Organizations at the forefront of developing innovative technological solutions continue to move toward a shift-left approach to software development, which improves the quality of the solutions they build and deploy. If you would like to learn more about evolving a shift-left culture within your organization and how your teams can leverage the functionality available from the Orca Platform, download Orca’s “5 Requirements to Shift Security Left” ebook. You can also sign up for a free trial and walk through a demo of how the platform can support your organization’s security and risk-mitigation objectives.
Further Reading
