Shift It Right, Too?
July 09, 2019

Brook Schoenfield
IOActive

"Shift Left" has become an ever-present meme amongst DevOps and the security folk concerned about or working with DevOps. To "shift left" means to attend to something as early in development as possible, based on the assumption of left-to-right mapping of development activities.

Whether the activity is design, testing, or even operational activities, timeliness provides benefit. Obviously, the earlier we attend to security fixes, or really, any issues, the better.

Much data has been assembled about the benefits of finding and fixing bugs as early as possible; there should be little controversy about the efficacy of "shifting fixes left." At the heart of "shift left" is preparedness, planning, and appropriate timing of activities, all of which are signs of a mature development process. And, to my mind, these values are part of the DevOps revolution as teams break down artificial role boundaries and convert operational tasks into code.

Secure design's place has been at the "right side" of development, that is, early in the process, before designs are baked and it becomes too late to build security needs as a part of building software. Numerous Secure Development Life cycles (SDL or S-SDLC) and security standards explicitly place tasks like architecture risk assessment (ARA) and threat modeling early during development. This is not new: one of the first standards describing early security requirements is NIST 800-14, published in 1996! Though many organizations still struggle to identify security requirements early enough, there should be little doubt about the need to start designing security early in a development process. Importantly for this discussion, these critical design activities have typically been seen as right-side (early) only, or worse, single, point-in-time activities.

Experience, especially with iterative development approaches, has taught me that seeing design as only right-side (beginning), or worse, a point-in-time task is a mistake, as equally destructive as late-cycle security tests, or worse, identifying security needs after software has been built.

Once we start thinking iteratively, it becomes clear that point-in-time SDL tasks are more likely to gum up the works, to become an impediment because security isn't matching the way that software is built. Often, several development tasks are taking place in parallel. Among these will be:

■ Refine architecture

■ Specify design

■ Draft code

■ Test

■ Release software

■ Ongoing sustainment and operations

The above activities quite often all occur simultaneously. Each activity has particular security responsibilities which are best executed as a part of that portion of the work. Threat models must be refined as architecture is solidified; security requirements must be specified as part of designs; code is best checked for security errors as it's drafted; obviously, security is something that must be proved right along with everything else that's been implemented.

In fact, in my humble experience, allowing threat models to iterate leaves room for security requirements to improve just like the code is expected to improve through iterative development methods like Agile.

We might say, "shift secure design right," in comparison to "shift security left." But that doesn't really capture the spirit of iteration, continuous delivery, or DevOps, to my thinking.

Would it be more precise to say, "continuous security"? Thinking about security as a continuous process fits well with Continuous Integration/Continuous Delivery (CI/CD) and Agile models. Though, perhaps "continuous security" is less meme-worthy?

Let me at least point out the trouble that point-in-time threat models generate, particularly in the context of rapid or continuous development strategies. Too often, point-in-time security requirements that are never adjusted for subsequent learnings and changes result in requirements that have not, cannot, will never be implemented as specified. That's a loss for everyone involved.

If you prefer to say "shift left," then by all means, let secure design tasks "shift right" as well. I think of SDL security tasks as "continuous":

■ Give developers the tools they need to check code for coding mistakes.

■ Threat model throughout structure and design changes.

■ Have penetration testing prove security requirements and assumptions, enabling an organic feedback to revise requirements and assumptions.

Above all else, break down artificial role barriers that slow us down and obscure shared responsibilities.

Brook Schoenfield is Advisory Services Director at IOActive
Share this

Industry News

July 01, 2020

JFrog announced the launch of ChartCenter, a free, security-focused central repository of Helm charts for the community.

July 01, 2020

Kong announced a significant upgrade to open source Kuma, Kuma 0.6, available today.

July 01, 2020

Compuware Corporation, a BMC company, announced new capabilities that further automate and integrate test data and test case execution, empowering IT teams to achieve high-performance application development quality, velocity and efficiency.

June 30, 2020

Couchbase announced the general availability of Couchbase Cloud, a fully-managed Database-as-a-Service (DBaaS).

June 30, 2020

Split Software announced new capabilities designed to accelerate the adoption of feature flags in large-scale organizations.

June 30, 2020

WhiteHat Security announced a discounted Web + Mobile Application Security bundle to help organizations secure the digital future.

June 29, 2020

Puppet introduced the public beta availability of Relay, an event-driven automation platform.

June 29, 2020

D2iQ introduced KUDO for Kubeflow to simplify and accelerate machine learning (ML) deployments on Kubernetes.

June 29, 2020

Codefresh announced $27M in new funding led by Red Dot Capital Partners.

June 25, 2020

Micro Focus announced the general availability of Visual COBOL 6.0 and Enterprise Suite 6.0, providing versatile application, process and infrastructure modernization solutions for today’s enterprise developer.

June 25, 2020

SaltStack announced new features available in SaltStack Enterprise 6.3 that integrate best-of-breed IT monitoring and vulnerability management solutions, including Splunk, Tenable, Qualys, Rapid7, and Kenna Security.

June 25, 2020

Keysight Technologies has completed the acquisition of Eggplant from The Carlyle Group.

June 24, 2020

JFrog unveiled new capabilities to address the growing problem of software distribution bottlenecks. The newly introduced CDN-based and Peer-to-Peer software package distribution mechanisms empower companies to overcome the challenge of frequently delivering large volumes of artifacts to internal teams and external clients.

June 24, 2020

Copado announced its Summer 20 release to accelerate, optimize and measure innovation delivery on the Salesforce platform.

June 24, 2020

Bugsnag launched Stability Center, a centralized location that offers a holistic view into stability stats and trends across releases for multiple client and server-side applications.