Shifting Left on Security and Software Delivery

There are around 21 million software developers worldwide, according to Evans Data’s Global Developer Population and Demographic Survey for 2016. They will all be somehow involved in the way software development delivers value to their businesses.

Many of these developers will have already adopted agile methodologies to improve how quickly they can provide their businesses’ customers with what they want.

The DevOps movement began as an effort to support the process of deploying software developed using agile methods into production environments. Alongside learning how to support continuous deployment and continuous integration, operations and quality assurance teams worked together to get more testing carried out earlier in the development process.

Under the term ‘shift left testing’, these IT teams have learned to collaborate in order to deliver software faster, with fewer flaws, and have it run in production.

However, the need for security is often overlooked in the coding and implementation phases of software development, delaying the identification of many serious issues that aren’t caught until production and must then be sent back for fixes. While this still keeps our companies secure, it can lead to problems over time.

Shifting left on security

For IT security teams – and for CISOs in particular – getting involved earlier in the development process represents a big opportunity to reduce both risk and cost. From the risk side, spotting potential issues or vulnerabilities in the development process means they can be fixed earlier, and before a product or service goes live. Being able to do this can avoid embarrassment and production delays so common with failed security assessments, not to mention the brand impact to the team or company.

On the cost side, fixing problems earlier in development can be far cheaper than doing so in production. According to an IBM study, it costs 100 times more to fix a problem in production compared to the initial design phase. This cost avoidance should offer a huge incentive to get security, development and operations teams collaborating.

So why haven’t CISOs been able to get involved here and bridge the gaps already? This could partly be due to the walls that can exist between teams in large enterprises. When teams operate in silos with their own goals, there’s no incentive to work together, as the metrics for success don’t reward those efforts. Breaking these silos down will therefore be needed.

The other potential hurdle is more personal: no-one likes or wants their work to be criticized, let alone in public. When IT security teams flag issues within software, this can lead to large amounts of necessary rework and also to bruised egos. For security teams, this element of human nature can throw up a massive barrier for collaboration with developers.

Looking at how to encourage more collaboration around DevSecOps will therefore require a bit more thought than simply looking at new IT tools. For CISOs and security leaders, it will be important to get backing from the overall CIO within the business in order to make changes to how teams collaborate.

Based on this support, CISOs can help get security considerations added into the design and development phases of software. Once that groundwork is laid, the IT security team can provide access to tools that allow developers to check their code and integrations before putting anything into production. This ‘self-service’ model for security can help developers avoid some of the more common risks around vulnerabilities entering the testing and deployment phases.

As a result, developers can reduce the amount of rework that can be required, and cut out problems in both their code and any common frameworks that are used within the software. On a personal level, encouraging developers to ‘mark their own work’ rather than relying on IT security to do this can help avoid some of the fundamental political problems that might arise.

The future for DevSecOps

Security has a chance to be part of DevOps from the beginning. Rather than being seen as a barrier to innovation, security teams can enable the business to launch new applications that are both highly scalable and highly secure from the start. With companies old and new all looking to capitalize on new market trends like the Internet of Things, making it easier to roll out software that is secure by design will provide an essential platform for companies to achieve success over time.

Evangelizing about the role of security can be a thankless task when it is viewed on its own. However, when security joins with DevOps, this combined team can have a greater voice in organizations that are just trying to figure out how to achieve digital transformation goals. In essence, the CISO can act as a trusted advisor on IT issues and how these can be overcome, rather than covering security issues on their own.

Companies want to accelerate their operations and capitalize on new opportunities. DevSecOps collaborations can ensure that these ambitions are met and goals are achieved in a swift and secure fashion.