Shift Left :: Make AppSec Great Again
In my last blog post, I discussed the current state of Application Development and Cyber Security, specifically the bifurcation that still exists between the two teams. The transition from Waterfall methodology and its associated Dev/Test environments to Agile and Continuous Delivery resulted in the Security team being left behind in the software development lifecycle. Application Security testing is performed as a post-deployment process and, at best, on a semi-regular basis.
The Rise of the Developer
The technology world is rapidly shifting to an application-centric one where developers are being asked to deliver more features at a much faster velocity. The result is that developers now possess much more buying influence in the Enterprise sales cycle. An unfortunate side effect is that, due to the disparate nature of the existing application security tool sector, application security solutions have moved further to the right in the software development lifecycle. Application vulnerability scanning and code analysis, both static and interactive, are performed manually and on a scheduled basis, not inline with CI/CD.
Shift Application Security Left
The current state of Application Security is one where systems and applications send alerts and logs to a centralized system, typically a SIEM, and Security Operations Engineers are then forced to comb through vast amounts of data in search of vulnerabilities or anomalies. This approach cannot continue to scale. The way to start moving the needle in a positive direction for Application Security is to move security scanning and testing much earlier in the development and release process. By “shifting left”, the Security team develops a much deeper understanding of the application and how it functions, which is exactly the context needed to understand where vulnerabilities may exist.
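As an added illustration of what “inline with CI/CD” looks like in practice (this is example configuration, not from the original post), the following GitHub Actions workflow runs static analysis and a dependency audit on every pull request and push to the main branch, and fails the build when findings are raised. It assumes a JavaScript project with a package-lock.json; the `security-gate.yml` filename and the `main` branch name are assumptions for the example, and the CodeQL language would be changed to match the project.

```yaml
# .github/workflows/security-gate.yml (example, not from the original post)
# Runs application security checks on every change, before anything is deployed,
# instead of on a scheduled, post-deployment basis.
name: security-gate

on:
  pull_request:
  push:
    branches: [main]   # assumed default branch

permissions:
  contents: read
  security-events: write   # needed for CodeQL to upload results

jobs:
  sast:
    name: Static analysis (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumed project language
      - uses: github/codeql-action/analyze@v3

  dependencies:
    name: Dependency audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # Fail the pipeline on any high or critical vulnerability in the
      # dependency tree, so the finding reaches the developer on the PR
      # rather than an analyst reviewing SIEM data after deployment.
      - run: npm audit --audit-level=high
```

The design point is that both jobs are gating: a finding blocks the merge and is attributed to the specific change that introduced it, which is what gives developers the fast, contextual feedback that a post-deployment scan cannot. Scan results also stay in the repository's own security view rather than being pushed as yet another log stream into the SIEM.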
A virtuous side-effect of “shifting left” is creating a more collaborative environment for Development, Operations, and Security. By creating a culture of empathy that is powered by automation and sharing, the end state of “DevSecOps” with continuous application security testing is one where vulnerabilities are either discovered prior to Production deployment, or more rapidly remediated.