Shift It Right, Too?
July 09, 2019

Brook Schoenfield
IOActive

"Shift Left" has become an ever-present meme amongst DevOps and the security folk concerned about or working with DevOps. To "shift left" means to attend to something as early in development as possible, based on the assumption of left-to-right mapping of development activities.

Whether the activity is design, testing, or even operational activities, timeliness provides benefit. Obviously, the earlier we attend to security fixes, or really, any issues, the better.

Much data has been assembled about the benefits of finding and fixing bugs as early as possible; there should be little controversy about the efficacy of "shifting fixes left." At the heart of "shift left" is preparedness, planning, and appropriate timing of activities, all of which are signs of a mature development process. And, to my mind, these values are part of the DevOps revolution as teams break down artificial role boundaries and convert operational tasks into code.

Secure design's place has been at the "right side" of development, that is, early in the process, before designs are baked and it becomes too late to build security needs as a part of building software. Numerous Secure Development Life cycles (SDL or S-SDLC) and security standards explicitly place tasks like architecture risk assessment (ARA) and threat modeling early during development. This is not new: one of the first standards describing early security requirements is NIST 800-14, published in 1996! Though many organizations still struggle to identify security requirements early enough, there should be little doubt about the need to start designing security early in a development process. Importantly for this discussion, these critical design activities have typically been seen as right-side (early) only, or worse, single, point-in-time activities.

Experience, especially with iterative development approaches, has taught me that seeing design as only right-side (beginning), or worse, a point-in-time task is a mistake, as equally destructive as late-cycle security tests, or worse, identifying security needs after software has been built.

Once we start thinking iteratively, it becomes clear that point-in-time SDL tasks are more likely to gum up the works, to become an impediment because security isn't matching the way that software is built. Often, several development tasks are taking place in parallel. Among these will be:

■ Refine architecture

■ Specify design

■ Draft code

■ Test

■ Release software

■ Ongoing sustainment and operations

The above activities quite often all occur simultaneously. Each activity has particular security responsibilities which are best executed as a part of that portion of the work. Threat models must be refined as architecture is solidified; security requirements must be specified as part of designs; code is best checked for security errors as it's drafted; obviously, security is something that must be proved right along with everything else that's been implemented.

In fact, in my humble experience, allowing threat models to iterate leaves room for security requirements to improve just like the code is expected to improve through iterative development methods like Agile.

We might say, "shift secure design right," in comparison to "shift security left." But that doesn't really capture the spirit of iteration, continuous delivery, or DevOps, to my thinking.

Would it be more precise to say, "continuous security"? Thinking about security as a continuous process fits well with Continuous Integration/Continuous Delivery (CI/CD) and Agile models. Though, perhaps "continuous security" is less meme-worthy?

Let me at least point out the trouble that point-in-time threat models generate, particularly in the context of rapid or continuous development strategies. Too often, point-in-time security requirements that are never adjusted for subsequent learnings and changes result in requirements that have not, cannot, will never be implemented as specified. That's a loss for everyone involved.

If you prefer to say "shift left," then by all means, let secure design tasks "shift right" as well. I think of SDL security tasks as "continuous":

■ Give developers the tools they need to check code for coding mistakes.

■ Threat model throughout structure and design changes.

■ Have penetration testing prove security requirements and assumptions, enabling an organic feedback to revise requirements and assumptions.

Above all else, break down artificial role barriers that slow us down and obscure shared responsibilities.

Brook Schoenfield is Advisory Services Director at IOActive
Share this

Industry News

June 12, 2025

Oracle has expanded its collaboration with NVIDIA to help customers streamline the development and deployment of production-ready AI, develop and run next-generation reasoning models and AI agents, and access the computing resources needed to further accelerate AI innovation.

June 12, 2025

Datadog launched its Internal Developer Portal (IDP) built on live observability data.

June 12, 2025

Azul and Chainguard announced a strategic partnership that will unite Azul’s commercial support and curated OpenJDK distributions with Chainguard’s Linux distro, software factory and container images.

June 11, 2025

SmartBear launched Reflect Mobile featuring HaloAI, expanding its no-code, GenAI-powered test automation platform to include native mobile apps.

June 11, 2025

ArmorCode announced the launch of AI Code Insights.

June 11, 2025

Codiac announced the release of Codiac 2.5, a major update to its unified automation platform for container orchestration and Kubernetes management.

June 10, 2025

Harness Internal Developer Portal (IDP) is releasing major upgrades and new features built to address challenges developers face daily, ultimately giving them more time back for innovation.

June 10, 2025

Azul announced an enhancement to Azul Intelligence Cloud, a breakthrough capability in Azul Vulnerability Detection that brings precision to detection of Java application security vulnerabilities.

June 10, 2025

ZEST Security announced its strategic integration with Upwind, giving DevOps and Security teams real-time, runtime powered cloud visibility combined with intelligent, Agentic AI-driven remediation.

June 09, 2025

Google announced an upgraded preview of Gemini 2.5 Pro, its most intelligent model yet.

June 09, 2025

iTmethods and Coder have partnered to bring enterprises a new way to deploy secure, high-performance and AI-ready Cloud Development Environments (CDEs).

June 09, 2025

Gearset announced the expansion of its new Observability functionality to include Flow and Apex error monitoring.

June 05, 2025

Postman announced new capabilities that make it dramatically easier to design, test, deploy, and monitor AI agents and the APIs they rely on.

June 05, 2025

Opsera announced the expansion of its partnership with Databricks.