Is Shift Left the Gold Standard for Application Security?

Information security teams may be feeling a bit overwhelmed with all the application security advice raining on them from industry consultants and tools vendors. In the traditional software development model, developers build the software and hand it to the information security teams for quality assurance testing prior to deployment in the production environment. Many enterprises still operate with the “waterfall” mindset with a “big bang” authorization process at the end of the development cycle (prior to deployment).

Enter the Shift Left Movement

“Left Shift” moved developers to the front lines of application security by integrating security into the DevOps process. It is a lot easier to identify and fix code vulnerabilities in the development cycle compared to the deployment phase, where expensive remediation work may be needed.

More importantly, shrinking product release cycles and the fact that developers often outnumber security professionals 200 to 1 made left shifting a compelling proposition.

Security Is Playing Catch-Up With the Speed of DevOps

It is not uncommon for enterprises to do hundreds of builds everyday thanks to growing adoption of techniques, like microservices and web services.

However, developer training needs to change for friction-less alignment with DevOps practices. Traditional classroom training, where developers used to be forced to drink from a firehose, has outlived its utility. AppSec training needs to integrate and focus on modular learning components that are easy to digest and teach how to fix vulnerabilities.

How Best-in-Class Companies Are Handling AppSec

Enterprise leaders invest in modular AppSec training as a key competency. Autonomous teams comprising of developers, product managers and information security teams own full responsibility for the entire product life cycle from development to deployment.

Autonomous teams eliminate the silos, which can build up when responsibilities are demarcated. Left shifting also facilitates building a metrics orientation for continuous improvements.

Don’t get lost in the acronym soup of Agile, DevOps, SecOps, DevSecOps, etc. Are you focusing on automation in the remediation and verification process of your CI/CD pipelines?