An Introduction to Shift-Left Security

Eric Kedrosky

July 7, 2020

Software is rising in cost and complexity every year, making it harder for companies to iterate and compete. This is especially true in the current economic environment, where organizations are faced with tight budgets and, in some cases, reduced technical teams. In many cases, IT decision makers are increasingly asking technical workers to do more with less.

Companies can significantly reduce the time and cost of software development by “shifting left.” This strategy involves building continuous integration and continuous delivery (CI/CD) pipelines and integrating automated software testing throughout all levels of production, from planning to monitoring.

Shifting left involves testing earlier in the development process instead of saving it until the very end. This strategy can save money and time while reducing or even eliminating bugs. The strategy originally emerged back in 2001 and is becoming increasingly popular among development teams today.

Shift-Left Security: A Natural Progression

The shift-left strategy isn’t just for software testing. As it turns out, shifting left can be applied to security and audit teams as well.

Much like software testing, security isn’t typically applied until the final stages of software development. This makes it very difficult to catch and fix fundamental issues and vulnerabilities that are hiding in the code. Security has traditionally been kept separate from software development, but that process is now starting to change.

Security can now be built directly into the CI/CD pipeline, making it possible to catch problems long before applications go to market. By embracing this strategy, security can become an ongoing dialogue during development between Cloud, Identity and Access Management (IAM), DevOps, and Security teams — instead of something that’s merely tacked on at the end of the process. Think of this as a holistic approach to security — not a last-minute fix.

Why Shift Security Left?

There are virtually no drawbacks to using a shift-left security model. In fact, resisting this strategy only opens the door to countless risks that are easily avoidable.

With that in mind, let’s take a look at some of the benefits that come from adopting a shift-left security strategy.

1. Cost Savings 

The earlier you discover security defects, the cheaper they are to fix. Letting security issues go undetected until the final stages of production is guaranteed to drive up the cost of development.

According to IBM, remediating defects during design is roughly six times cheaper than during implementation. Addressing security issues during testing can be 15 times more expensive than doing so during design. 

2. Faster Time to Market 

In addition to saving money, shifting security left can help teams go to market much faster. Bugs can be discovered and eradicated early on, preventing security bottlenecks from forming in the final stages of development.

3. Risk Mitigation 

When security is separated from software development, vulnerabilities can easily slip through undetected and emerge after a product goes to market. This can result in costly security issues and force emergency patching or even recalls in certain situations. 

With a robust security solution built into the CI/CD pipeline, teams can create checkpoints or guardrails that can prevent software from moving forward when company policies are violated.
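One way to picture such a guardrail is a small policy check that runs as a pipeline step and returns a non-zero exit code when a company rule is broken, so the CI system refuses to promote the build. The script below is an added illustration written for this article, not Sonrai Dig code or any vendor's product; the rules it enforces (no wildcard actions on all resources, no grants to any principal) and the two sample IAM policy documents are constructed for the example.

```python
"""Minimal CI guardrail for IAM policy documents (constructed example).

Run with one or more policy JSON files as arguments, or with no arguments
to evaluate the embedded sample policies. Exits 1 when any policy violates
a rule, which makes a CI stage fail and blocks promotion.
"""
import json
import sys


def _as_list(value):
    """IAM fields such as Action or Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_iam_policy(policy: dict) -> list[str]:
    """Return human-readable violations; an empty list means the policy passes.

    Rules (assumed company policy, not an AWS requirement):
      1. An Allow statement must not combine a wildcard action ("*" or
         "service:*") with Resource "*".
      2. An Allow statement must not grant access to Principal "*".
    """
    violations = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access, so they are not checked
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions and "*" in resources:
            violations.append(
                f"statement {idx}: wildcard action(s) {wildcard_actions} on all resources"
            )
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            violations.append(f"statement {idx}: grants access to any principal")
    return violations


def gate(policies: dict[str, dict]) -> dict[str, list[str]]:
    """Evaluate every named policy and return only the failing ones."""
    return {name: v for name, p in policies.items() if (v := check_iam_policy(p))}


# Constructed sample input standing in for policy files committed to a repository.
SAMPLE_POLICIES = {
    "app-role-policy.json": {  # least-privilege: specific actions on one bucket
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-app-bucket/*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    },
    "debug-policy.json": {  # the kind of shortcut a guardrail should stop
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Principal": "*",
                      "Action": "*", "Resource": "*"},
    },
}


def load_policies(paths: list[str]) -> dict[str, dict]:
    """Read policy documents from disk when the step is given file paths."""
    policies = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            policies[path] = json.load(fh)
    return policies


def main(argv: list[str]) -> int:
    policies = load_policies(argv) if argv else SAMPLE_POLICIES
    failures = gate(policies)
    for name, problems in failures.items():
        for problem in problems:
            print(f"BLOCKED {name}: {problem}", file=sys.stderr)
    if failures:
        return 1  # non-zero exit fails the CI stage and halts promotion
    print(f"policy guardrail passed for {len(policies)} document(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wiring `python guardrail.py policies/*.json` into the pipeline before the deploy stage is what turns a static rule into a checkpoint: the build is promoted only when the script exits 0, and the developer who committed the offending file sees exactly which statement tripped the rule.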

4. Create a Security Culture

Marrying security and development can provide valuable opportunities to promote security awareness and education among technical teams. In doing so, team members can achieve a greater understanding of how certain processes impact outcomes. 

This can lead to tighter collaboration and more efficient development strategies. The hope is that, over time, developers will be able to create code that is inherently more secure from the outset. 

How Sonrai Can Help Shift Security Left

Sonrai Dig, a platform for governing security policies, can help development teams create more secure software by providing a structure and governance framework that protects workloads as they move into production. 

Sonrai Dig accomplishes this using two types of intelligent bots.

1. Prevention Bots

Prevention bots act like cloud security enforcers, providing ongoing security monitoring throughout all stages of development. Prevention bots promote workloads only when risk policies are followed, thus eliminating security violations before they occur.

2. Remediation Bots 

Remediation bots provide an extra layer of protection. Should security errors be discovered, remediation bots work to address them and prevent them from going into production.

In addition, Sonrai Dig offers code promotion blocks that only enable promotion when all risks are eliminated and governance standards are enforced. Blocks act as automated security clearances.

Best of all, Sonrai Dig provides context-based alerting, sending specific security alerts to individual teams who own problems. This can prevent unnecessary security messages from going out to workers, ensuring a smooth and efficient resolution process that avoids disrupting productivity. 

As you can see, there are numerous reasons to shift security left. Merging security and development can yield immediate short-term gains while also helping to build a bulletproof development strategy that prioritizes security.

Taking this approach can drastically reduce your chances of experiencing a data breach or security issue down the line. Add it all up, and shifting left enables you to ship more powerful software in less time, delighting your users along the way.
 
Learn more about Sonrai Dig. Join our webinar “Pillars of Cloud Security: How ‘Shift-Left’ Enhances a Secure SDLC”. This webinar, presented by Dan Woods, technology analyst and founder of Early Adopter Research, and Eric Kedrosky, Director of Cloud Security Research and CISO of Sonrai Security, explains the benefits of adopting a shift-left approach to the software development lifecycle (SDLC) and suggests tactics that can bring the practice to life.