CyberSecurity SEE

Clarifying Shift-Left Cloud Security Misconceptions

During the RSA Conference 2023, the term ‘shift-left security’ became a topic of discussion among those interested in cloud-native security. While the term is used correctly at times, there is still a lot of confusion surrounding it. Those who criticize the concept often misunderstand what it means, which can be problematic when it comes to securing cloud applications. As an expert in covering developer-focused security, I released a 2022 report entitled “Walking the Line: GitOps and Shift Left Security” to examine how organizations can successfully shift left, what their challenges are, and how they can overcome them.

The shift-left security concept emerged in tandem with the move to cloud-native development. IaaS and PaaS cloud platforms make it easier and faster for developers to build software applications. Using infrastructure as code (IaC), they can now provision their own virtual machines, servers, and other infrastructure without needing to go through IT or operations. With these DevOps processes in place, organizations can scale development beyond what traditional development cycles allowed, enabling faster release cycles and more frequent updates.

However, security became a bottleneck in the DevOps process, with developers reluctant to wait for security teams to perform testing. To overcome the bottleneck, organizations tried to shift security responsibilities left, onto developers. Security vendors began building security tools for developers to use, but those tools weren’t designed with developers in mind. Developers, therefore, began creating their own tools and sharing them as open source with other developers. Many organizations choose free open-source tools such as Trivy for vulnerability scanning, Checkov for IaC scanning, or Open Policy Agent for defining and enforcing policies.

The above scenario is neither efficient nor scalable. It results in software being released without proper security checks, a lack of visibility into the development process, and inconsistency across development teams. There have been several incidents resulting from insecure API use, code vulnerabilities, access-control issues, and misconfigured cloud services, among other factors. Security teams also end up with limited visibility into, and control over, the tools and processes developers are using.

Misconceptions and challenges associated with the terms ‘shift’ and ‘left’ have arisen from this scenario. These terms imply moving or shifting security responsibilities. While it is crucial to shift the responsibility of some security tasks to developers, security is still responsible for securing cloud applications. Security roles should evolve from doing all security tasks to focusing on risk mitigation and rapid response to threats or attacks.

Developers need to incorporate security processes such as setting policies and performing testing early in development. These processes enable them to catch and fix issues before releasing applications. When security issues occur, developers need tools that let them fix the code promptly and efficiently. Thus, shifting left is about empowering developers to secure their applications better, enabling security teams to scale, and supporting developers throughout the software development life cycle.
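The policy-setting and early testing described here, and the IaC-scanning role that tools like Checkov and Open Policy Agent fill in the earlier paragraph, come down to one mechanism: a check that runs in a pre-commit hook or CI job and fails the build before infrastructure is applied. The following Python is an added illustration of that mechanism, not code from the article, from Checkov, or from Open Policy Agent. It evaluates three hypothetical policies (admin ports open to the internet, public bucket ACLs, literal secrets in environment variables) against a constructed, Terraform-plan-like JSON document; the resource layout, policy IDs and sample values are all assumptions made for the example.

```python
"""Minimal policy-as-code gate for infrastructure definitions.

Added example, not the article's or any tool's code. The input format is a
constructed, Terraform-plan-like JSON document: a list of resources, each
with a type, an address and a dict of values.
"""
import json
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy_id: str
    resource: str
    severity: str
    message: str


ANY_CIDRS = {"0.0.0.0/0", "::/0"}          # "the whole internet"
ADMIN_PORTS = {22, 3389}                   # SSH and RDP
SECRET_KEY = re.compile(r"(password|secret|token|api_?key)", re.IGNORECASE)


def policy_open_admin_ports(resource):
    """SG001 (hypothetical ID): security-group ingress exposing SSH/RDP to any address."""
    if resource["type"] != "aws_security_group":
        return []
    out = []
    for rule in resource["values"].get("ingress", []):
        exposed = set(rule.get("cidr_blocks", [])) & ANY_CIDRS
        ports = set(range(rule["from_port"], rule["to_port"] + 1)) & ADMIN_PORTS
        if exposed and ports:
            out.append(Finding("SG001", resource["address"], "HIGH",
                               f"ports {sorted(ports)} open to {sorted(exposed)}"))
    return out


def policy_public_bucket_acl(resource):
    """S3001 (hypothetical ID): bucket created with a public canned ACL."""
    if resource["type"] != "aws_s3_bucket":
        return []
    acl = resource["values"].get("acl", "private")
    if acl.startswith("public"):
        return [Finding("S3001", resource["address"], "HIGH", f"acl is {acl!r}")]
    return []


def policy_plaintext_secret(resource):
    """SEC001 (hypothetical ID): secret-looking env var holding a literal value.

    A value written as a "${...}" reference (e.g. to a secrets manager) is
    accepted; only inline literals are flagged.
    """
    out = []
    for key, value in resource["values"].get("environment", {}).items():
        if SECRET_KEY.search(key) and value and not value.startswith("${"):
            out.append(Finding("SEC001", resource["address"], "CRITICAL",
                               f"{key} is set to a literal value"))
    return out


POLICIES = [policy_open_admin_ports, policy_public_bucket_acl, policy_plaintext_secret]


def evaluate(plan_json):
    """Run every policy over every resource; return findings in plan order."""
    plan = json.loads(plan_json)
    findings = []
    for resource in plan["resources"]:
        for policy in POLICIES:
            findings.extend(policy(resource))
    return findings


def ci_exit_code(findings, fail_on=("HIGH", "CRITICAL")):
    """Non-zero when any finding is at a severity the pipeline is configured to block."""
    return 1 if any(f.severity in fail_on for f in findings) else 0


# Constructed sample plan: two security groups, two buckets, one function.
SAMPLE_PLAN = json.dumps({"resources": [
    {"type": "aws_security_group", "address": "aws_security_group.web",
     "values": {"ingress": [
         {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "address": "aws_security_group.bastion",
     "values": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.assets",
     "values": {"bucket": "example-assets", "acl": "public-read"}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.logs",
     "values": {"bucket": "example-logs", "acl": "private"}},
    {"type": "aws_lambda_function", "address": "aws_lambda_function.api",
     "values": {"environment": {
         "DB_PASSWORD": "hunter2",
         "DB_SECRET_ARN": "${aws_secretsmanager_secret.db.arn}"}}},
]})


if __name__ == "__main__":
    results = evaluate(SAMPLE_PLAN)
    for f in results:
        print(f"[{f.severity}] {f.policy_id} {f.resource}: {f.message}")
    sys.exit(ci_exit_code(results))
```

Run against the sample plan it reports three findings (the web security group's SSH rule, the public-read bucket, and the literal database password) and exits non-zero, which is exactly the feedback loop the article is after: the developer sees the problem in their own pipeline while the change is still cheap to fix, and the security team gets a single, consistent set of policies applied across every team instead of a different ad-hoc toolchain per repository.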

With traditional application development, we had a linear, left-to-right product development process: build, test, stage, release, and then production. With modern development processes, we have continuous integration/continuous delivery pipelines, which let us build our cloud infrastructure and applications collaboratively. They enable rapid deployment and continuous updates, so the process is no longer a line but a continuous loop. Security needs to work closely with developers in this loop to improve efficiency.

Security teams should stop thinking in silos and select tools for developers to use instead of relying solely on their expertise. Incorporating security processes and tools in every phase of the software development life cycle is crucial. With the right collaboration and feedback loops, security teams can shift some security tasks to developers while gaining visibility and control. This move will enable security teams to mitigate risks and ensure a swift response to threats or attacks, offering more secure and scalable cloud-native applications.
