Shift It Right, Too?
July 09, 2019

Brook Schoenfield
IOActive

"Shift Left" has become an ever-present meme amongst DevOps and the security folk concerned about or working with DevOps. To "shift left" means to attend to something as early in development as possible, based on the assumption of left-to-right mapping of development activities.

Whether the activity is design, testing, or even operational activities, timeliness provides benefit. Obviously, the earlier we attend to security fixes, or really, any issues, the better.

Much data has been assembled about the benefits of finding and fixing bugs as early as possible; there should be little controversy about the efficacy of "shifting fixes left." At the heart of "shift left" is preparedness, planning, and appropriate timing of activities, all of which are signs of a mature development process. And, to my mind, these values are part of the DevOps revolution as teams break down artificial role boundaries and convert operational tasks into code.

Secure design's place has been at the "right side" of development, that is, early in the process, before designs are baked and it becomes too late to build security needs as a part of building software. Numerous Secure Development Life cycles (SDL or S-SDLC) and security standards explicitly place tasks like architecture risk assessment (ARA) and threat modeling early during development. This is not new: one of the first standards describing early security requirements is NIST 800-14, published in 1996! Though many organizations still struggle to identify security requirements early enough, there should be little doubt about the need to start designing security early in a development process. Importantly for this discussion, these critical design activities have typically been seen as right-side (early) only, or worse, single, point-in-time activities.

Experience, especially with iterative development approaches, has taught me that seeing design as only right-side (beginning), or worse, a point-in-time task is a mistake, as equally destructive as late-cycle security tests, or worse, identifying security needs after software has been built.

Once we start thinking iteratively, it becomes clear that point-in-time SDL tasks are more likely to gum up the works, to become an impediment because security isn't matching the way that software is built. Often, several development tasks are taking place in parallel. Among these will be:

■ Refine architecture

■ Specify design

■ Draft code

■ Test

■ Release software

■ Ongoing sustainment and operations

The above activities quite often all occur simultaneously. Each activity has particular security responsibilities which are best executed as a part of that portion of the work. Threat models must be refined as architecture is solidified; security requirements must be specified as part of designs; code is best checked for security errors as it's drafted; obviously, security is something that must be proved right along with everything else that's been implemented.

In fact, in my humble experience, allowing threat models to iterate leaves room for security requirements to improve just like the code is expected to improve through iterative development methods like Agile.

We might say, "shift secure design right," in comparison to "shift security left." But that doesn't really capture the spirit of iteration, continuous delivery, or DevOps, to my thinking.

Would it be more precise to say, "continuous security"? Thinking about security as a continuous process fits well with Continuous Integration/Continuous Delivery (CI/CD) and Agile models. Though, perhaps "continuous security" is less meme-worthy?

Let me at least point out the trouble that point-in-time threat models generate, particularly in the context of rapid or continuous development strategies. Too often, point-in-time security requirements that are never adjusted for subsequent learnings and changes result in requirements that have not, cannot, will never be implemented as specified. That's a loss for everyone involved.

If you prefer to say "shift left," then by all means, let secure design tasks "shift right" as well. I think of SDL security tasks as "continuous":

■ Give developers the tools they need to check code for coding mistakes.

■ Threat model throughout structure and design changes.

■ Have penetration testing prove security requirements and assumptions, enabling an organic feedback to revise requirements and assumptions.

Above all else, break down artificial role barriers that slow us down and obscure shared responsibilities.

Brook Schoenfield is Advisory Services Director at IOActive
Share this

Industry News

April 02, 2020

VMware announced the general availability of VMware vSphere 7, the biggest evolution of vSphere in over a decade.

April 02, 2020

Grafana Labs announced that Cortex v1.0 is generally available for production use.

April 02, 2020

IT Revolution announced new dates, extended pricing and its first round of confirmed speakers for DevOps Enterprise Summit Las Vegas 2020. Hosted at The Cosmopolitan of Las Vegas, DevOps Enterprise Summit will now take place November 9-11, 2020.

April 01, 2020

Compuware Corporation announced new capabilities that enable application development teams to automate performance tests early in the development lifecycle, helping large enterprises speed time to market and improve application performance—while decreasing the significant and unnecessary cost of wasted time.

April 01, 2020

PlanetScale released the newest version of PlanetScaleDB, a multi-cloud database.

April 01, 2020

Datawire announced the newest release of Ambassador Edge Stack that is designed to speed up the inner development loop.

March 31, 2020

Push Technology will provide Diffusion Cloud, Push Technology’s Real-Time API Management Cloud Platform, free for all existing customers and new customers developing systems in the cloud during these challenging times.

March 31, 2020

Rancher Labs announced the general availability of Rancher 2.4.

March 31, 2020

Kasten announced the general availability of Kasten K10 v2.5.

March 30, 2020

DevOps Institute, a global member-based association for advancing the human elements of DevOps, announced a new Open Testing program that removes the prerequisite of leveraging formal courseware to achieve certifications from DevOps Institute's extensive portfolio.

March 30, 2020

Oracle announced the general availability of Java 14 (Oracle JDK 14).

March 30, 2020

Akamai announced March 2020 updates to the Akamai Intelligent Edge Platform.

March 26, 2020

Redgate’s new SQL Monitor now ensures that DevOps teams can monitor and track deployments at all times.

March 26, 2020

Split Software announced a two-way data integration with Google Analytics that can instantly detect performance issues caused by new features.

March 26, 2020

Cloudreach earned the Kubernetes on Microsoft Azure advanced specialization.