The shift-left philosophy is making headway in all sectors. In IT especially, growing cyber perils are prompting radical change in organizations’ defense mechanisms. At the Information Security Summit in Cleveland, Stephen Foskett sat down with Leon Adato, Principal Technical Evangelist at Kentik and a frequent Tech Field Day presenter, to talk about this trend in software development and how companies can get the most out of it.
The Bottom-Line Value of Shift Left
The business world is combatting an ever-growing list of threats. Increasing instances of cyber breaches are putting pressure on security teams to design more robust security mechanisms that can respond with maximum efficacy.
But why is the world shifting security left? The earlier a bug is caught in the pipeline, the better the chances of eliminating it with minimum damage. Shifting left improves the odds of catching vulnerabilities early in the process and fixing them before they become attack vectors.
“If you look at a graph of when security bugs are introduced versus when they’re detected, the bugs are introduced way up in the development cycle,” says Adato.
Software vulnerabilities are progressively eroding the trust of customers. A majority of these vulnerabilities exist in the code itself, Adato said. Part of the problem is that developers are not themselves security-savvy, since security lies outside their specialty. There is a knowledge and skill gap that is largely overlooked.
Not enough emphasis is placed on security in the development phases. “Nobody’s bonus is ever based on the security level of their code.”
Identifying security risks as a code quality issue would be the first step in the right direction, says Adato. Shifting left can not only improve the chances of discovering these problems early, but also of correcting them before they become enormously costly.
“It costs almost nothing at the introduction phase, but then as it gets further toward production, the cost of fixing bugs becomes so much more,” he cautions.
The Most Efficient Path to Shift Left
But while shifting left helps organizations find better, faster ways to discover bugs and vulnerabilities, failing to execute it in a planned way has costs of its own. It can bog down the speed and schedule of the development lifecycle.
“Often shift left means that you’re just dumping work on somebody, and they have absolutely no tools, capabilities or resources to deal with that work,” notes Adato.
So what can companies do to bring detection and response to the early stages, without putting too much burden on developers?
Adato says, “The problem is we want it, but we don’t enable it.”
Instead of presenting security in a separate process which comes with additional moving parts, it helps to integrate it organically into the cycle. “The idea is that you have to build things into the cycle so that it looks like a natural part of the process,” he says.
“Presenting the issues in the development environment itself so that developers never have to leave their IDE, and still see the problem just like they see any other element makes it so much easier and so much more natural to respond to,” he proposed.
There are tools available today that can scan code for zero-day threats and the like. Giving developers tools that make sense to them, and that they can run as needed to spot problems in the code, is a great way to close security gaps in the early phases.
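To make the “problem shows up where the developer already works” idea concrete, here is an added example of a minimal pre-commit style check. It is not code from the interview, from Kentik, or from any named product; the rule patterns and the sample “staged” files are constructed for illustration. The point it demonstrates is the reporting shape: findings are emitted as `path:line:col: message`, the layout most editors and CI annotators turn into a clickable marker, so a developer sees the security finding the same way they see a lint warning, without leaving the IDE.

```python
"""Minimal shift-left check: scan source text for a few risky patterns and
report findings in the `path:line:col: message` form that editors and CI
systems parse, so the issue surfaces where the developer is working.
Added example; the rules and sample files are constructed, not taken from
any real project or scanner."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    col: int
    rule: str
    message: str

    def render(self) -> str:
        # "path:line:col: message" is the conventional layout that editors
        # and CI annotators convert into in-IDE markers.
        return f"{self.path}:{self.line}:{self.col}: [{self.rule}] {self.message}"


# Rule table: name -> (compiled regex, remediation hint). Constructed for the
# example; a real scanner would draw on a maintained rule set.
RULES = {
    "hardcoded-secret": (
        re.compile(r"""(?i)(password|secret|api[_-]?key|token)\s*=\s*['"][^'"]{8,}['"]"""),
        "credential literal in source; load it from a secret store or environment instead",
    ),
    "shell-injection": (
        re.compile(r"\bsubprocess\.\w+\([^)]*shell\s*=\s*True"),
        "subprocess call with shell=True; pass an argument list and keep shell=False",
    ),
    "dynamic-eval": (
        re.compile(r"\beval\s*\("),
        "eval() on data; use ast.literal_eval or an explicit parser",
    ),
}


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per rule hit, with 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out code is noise at this stage
        for rule, (pattern, message) in RULES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, lineno, m.start() + 1, rule, message))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a pre-commit hook would read
    from the staged tree) and return all findings sorted by location."""
    out = []
    for path, text in files.items():
        out.extend(scan_source(path, text))
    return sorted(out, key=lambda f: (f.path, f.line, f.col))


def gate(files: dict[str, str]) -> int:
    """Hook entry point: print findings, return non-zero to block the commit."""
    findings = scan_files(files)
    for f in findings:
        print(f.render())
    return 1 if findings else 0


# Constructed sample "staged" files, not from any real repository.
SAMPLE_FILES = {
    "app/config.py": "DB_HOST = 'db.internal'\nDB_PASSWORD = 'hunter2hunter2'\n",
    "app/tasks.py": (
        "import subprocess\n"
        "def run(cmd):\n"
        "    # subprocess.run(cmd, shell=True)  # old code, commented out\n"
        "    return subprocess.run(cmd, shell=True, check=True)\n"
    ),
    "app/clean.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_FILES))
```

Wired in as a pre-commit hook, `gate()` returning 1 stops the commit at the point Adato calls the introduction phase, where the fix costs the least; the same output format feeds a CI annotation step unchanged, so the finding reads identically in the editor and in the pipeline.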
But it is important to bear in mind that the fixes work differently for data at rest and data in motion. “Tracing can tell you what code is running right now, and how it’s interacting with all the other elements and what’s happening with it, and raise a flag.”
So if your tooling does not do this, Adato says, it’s time to get new tools.
For more, be sure to watch the full interview with Leon Adato from ISS Cleveland 2023.