Shifting Left Is a Lie… Sort of
It would be hard to be involved in technology in any way and not see the dramatic upward trend in DevOps adoption.
In their January 2019 publication “Five Key Trends To Benchmark DevOps Progress,” Forrester Research found that 56 percent of firms were ‘implementing, implemented or expanding’ DevOps. Further, 51 percent of adopters have embraced DevOps for either all new or all applications. Clearly, DevOps adoption is here and growing. As with any significant technology development, however, security is an important and oftentimes secondary consideration for many organizations. Some even view it as an obstacle to adoption for a period of time.
We’ve seen this pattern before with virtualization, and we’re still seeing it with cloud. Where are we with security and DevOps, then?
Tripwire recently conducted a survey in order to better understand the current status of security and DevOps.
The results showed that a vast majority of respondents (94 percent) are concerned about container security, with the highest percentages lacking knowledge (54 percent), visibility (52 percent) and the ability to assess containers prior to deployment (43 percent). And the concern isn’t unfounded. Sixty percent of respondents have had container security incidents in the last year. So while adoption continues to grow, security is a big issue for DevOps, especially for containers.
The resounding solution being promoted in the market is to ‘shift left.’ That is to say, move the application of security controls from the Ops side of the DevOps lifecycle to the Dev side. After all, identifying and addressing security findings prior to deployment is always better than in production. There’s nothing wrong with this statement. It’s accurate. But there are lies to be uncovered in this mantra of ‘shift left.’
Lie #1: Ops security isn’t really important if you shift left
It’s
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tim Erlin. Read the original post at: https://www.tripwire.com/state-of-security/devops/shifting-left-lie-sort/