The Next Big Thing in DevOps – Shift-Left Security
March 21, 2022

Tom Tovar
Appdome

Shift-left has been an important DevOps concept in recent years, and shift-left security is rapidly becoming the next big "shift" for DevOps/Agile development. In this model, app developers build app security, fraud prevention and anti-malware features into software as early as possible in the development cycle, instead of trying to code security in after an app is built.

In a DevOps environment, shift-left security means that protections that would have previously been implemented after code was "final" will take place alongside development during sprints, often starting even before coding takes place during the planning and requirements phase. The advantage that vulnerabilities are caught early, when they are faster and cheaper to fix, and security features are built alongside the rest of the app, which makes integration much more seamless. Building security into an app after the fact increases complexity.

No one should doubt the need to integrate security earlier into the development cycle, especially when it comes to mobile applications, as they are notoriously insecure. Even mobile banking apps have serious vulnerabilities. A white hat hacker who examined 30 apps from a variety of large global financial institutions found that 29 of the 30 mobile apps that she reverse engineered contained hardcoded API keys and tokens. Tokens include usernames and passwords to third-party services, which could enable a hacker to take over accounts, steal funds, and even access back-end servers to launch even more devastating attacks. Transportation, travel, healthcare and mobile health apps are often even less secure.

The Problem Isn't Laziness

It's not that mobile app developers are lazy. The problem is a fundamental mismatch between the objectives of the developer and security teams. Developers are tightly focused on improving specific KPIs for the mobile apps they develop: the number of screens per visit, the number of active users, ARPU (average revenue per user), crash rates and COCA (completeness, operability, correctness, and appearance), to name a few. To accomplish these goals, developers must deliver a finished app within a tight timeframe, which is critical to successfully compete in a crowded market, so they only have time to focus on features.

Security teams, on the other hand, are focused on protecting the app from attack. They are constantly working to improve the security of the mobile app. The work is complex and specialized, especially in the mobile world where iOS and Android each require a different set of security skills. Development teams use many different frameworks to build apps. This can be a problem if a team is depending on software development kits (SDKs) to implement security and other features, because the SDK may support all the frameworks, libraries and non-native code, plus all the myriad dependencies that must be accounted for. It's also labor intensive, which can significantly slow down delivery and increase costs.

Unlike DevOps, where as much as possible of the work is automated, security is still largely a manual process. Without automation, it's extremely difficult to shift left. Developers are constantly checking in code, right up until the last minute, which makes security alignment extremely difficult.

The Mostly Manual Security Mess

The way the process works right now creates a great deal of tension between developer and security teams. Here's how: The development team sends a release candidate to a third-party for penetration testing (pen testing) or they use a scanning tool to find vulnerabilities. Once vulnerabilities are identified, the security team works to address them. Because security wasn't incorporated from the beginning, there's no way to know how long it will take to fix any errors found. And as noted earlier, often the process of implementing security is manual, which may make it impossible to both meet the release deadline and deliver a secure product.

Organizations should seek out tools that enable them to use developer best practices to incorporate security features into an app, ideally so that teams can build security into apps without disrupting way they already build them today. When teams shift-left security in an automated way that doesn't conflict with existing processes, development and security teams can work together release secure mobile apps in a DevOps environment.

No-code platforms now exist that can build security into a mobile binary, with developers simply needing to include calls for the specific security protections required. Then, when the code is compiled into a binary, security will be implemented in a consistent manner. This doesn't mean that pen testing isn't required. DevOps teams still put software through QA, after all, no matter how automated their processes may be. But when teams shift-left security through automation, the consistent implementation of protections vastly reduces the number of vulnerabilities that need to be fixed. As a result, developers are able to deliver a full-featured release on time, and the security team can rest easy knowing that the app is secure.

Tom Tovar is CEO of Appdome
Share this

Industry News

December 06, 2022

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Argo, which will join other graduated projects such as Kubernetes, Prometheus, and Envoy.

December 06, 2022

Wib announced API PenTesting-as-a-Service (PTaaS) designed to help organizations proactively cover the latest PCI-DSS 4.0 mandates for testing application security, APIs, and vulnerabilities in Business Logic.

December 05, 2022

Harness announced Harness Cluster Orchestrator to allow customers to optimize their Kubernetes cloud workload costs and realize up to 90% cloud cost savings with Amazon Elastic Compute Cloud (Amazon EC2) Spot instances from Amazon Web Services (AWS).

December 01, 2022

Salesforce introduced a new Automation Everywhere Bundle to accelerate end-to-end workflow orchestration, automate across any system, and embed data and AI-driven workflows anywhere.

December 01, 2022

Weaveworks announced that Flux, the original GitOps project, has graduated in the Cloud Native Computing Foundation (CNCF®).

December 01, 2022

Tigera announced enhancements to its cluster mesh capabilities for managing multi-cluster environments with Calico.

December 01, 2022

CloudBees achieved the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances.

November 30, 2022

GitLab announced the limited availability of GitLab Dedicated, a new way to use GitLab - as a single-tenant software as a service (SaaS) solution.

November 30, 2022

Red Hat announced an expansion of its open solutions publicly available in AWS Marketplace.

November 30, 2022

Sisense announced the availability of the Sisense CI/CD Git integration module.

November 29, 2022

Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.

November 29, 2022

Code Intelligence announced its open-source Command-Line Interface (CLI) tool, CI Fuzz CLI, now allows Java developers to easily incorporate fuzz testing into their existing JUnit setup in order to find functional bugs and security vulnerabilities at scale.

November 29, 2022

Parasoft announced the 2022.2 release of Parasoft C/C++test with support for MISRA C:2012 Amendment 3 and a draft version of MISRA C++ 202x.

November 28, 2022

Kasm Technologies announced the release of Kasm Workspaces v1.12, providing major enhancements to its portfolio of digital workspaces delivering Desktop as a Service (DaaS), Virtualized Desktop Infrastructure (VDI), Remote Browser Isolation (RBI), Open-Source Intelligence Collection (OSINT), Training/Sandboxes, and Containerized Application Streaming (CAS).

November 28, 2022

Cloud4C has achieved Amazon Web Services (AWS) DevOps Competency status.