Why the "Shift Left" Is Not Enough in a Digital Transformation World
October 04, 2022

Ravi Maira

The term "shift left" has been thrown around by the AppSec industry for years. "Left" refers to the earlier stages of the development process when depicted in a traditional waterfall process that begins with planning and ends with operations, and usually takes several months to complete. Traditionally, security testing was done near the end of this process, by dedicated security engineers, rather than the development team. Thus, "shifting left" meant moving security testing earlier in the development process, often automating into CI/CD. It can also include giving developers security tools to test their applications as they build.

The concept is a good one. The shorter the gap between adding a vulnerability and finding it, the cheaper it is to fix. But today, in the DevOps era, shifting left isn't quite as clear. Two key parts are missing.

The Left-To-Right Process Is Infinite

Firstly, there is no "left" in the continuous process that essentially does not end. The reason the DevOps process is often depicted as an infinite loop is because, well, it is one. The most innovative companies have realized that a process of rapid iteration, with smaller changes and enhancements, deployed quickly — often multiple times per day — will produce better results over time. Deploying small changes, and then observing the effect, allows these companies to be much nimbler and provide better digital experiences to customers.

However, this model does not leave room for a lengthy security testing phase. Automating security testing into the CI/CD process is a good step because it can prevent critically severe vulnerabilities from being deployed — by "breaking the build" if one is detected. But even though that is a bit late in the process, the developers have already checked in their code and are ready to move on to the next step. Breaking the build too often will become disruptive, so it should be reserved for the most critical vulnerabilities. But letting too many vulnerabilities through to avoid breaking the build isn't a good option either. Security needs to be built into the overall process rather than just one step — no matter how "left" that step is.

Secondly, the shift left doesn't reflect the change in ownership and drive for independent teams. The truly important change isn't whether you shift security testing, but rather, whether you shift the ownership of security to the developers. Pipeline tests that require security teams to review their results, either from false positives or required expertise, are also disruptive to the development process. Each developer team should be equipped and empowered to test for security issues as they work, and where they work — as they code in their IDEs, merge in repositories, and build in CI/CD, adapting to their workflows and skills. This doesn't involve handing developers a list of issues to remediate or giving them a tool designed for the security team. That causes friction and is likely to lead to developers failing to adopt the tools. They need developer-friendly tooling and the ongoing support of the security team, working in tandem toward one common objective.

So what does the shift left mean in 2022, in the midst of a digitally transforming world and where every company is essentially a technology company?

Application Security in the Digitally Transforming World

In today's environment, the shift-left strategy is something every enterprise is embracing for application security, which essentially involves putting security controls in at earlier stages of development. It's a nip-the-problem-in-the-bud approach where security controls in their respective domains highlight potential security weaknesses related to vulnerabilities in code, vulnerabilities in third-party packages and code-quality issues. It also allows security to keep pace with agile development methodologies while managing new risks introduced by cloud technologies.

However, if you have to pick a direction, you should focus less on shifting left and more ongoing top to bottom. This means replacing a controlling, dictatorial security practice with an empowering strategy. One where developers are able to move faster whilst simultaneously reducing the risk of deploying broken infrastructure. Security should not be viewed as a tool that slows things down, but rather as a key aspect of the development process that enables developers to ship secure, reliable solutions without too much trouble.

Moving testing earlier in the process, essentially left, does not help organizations scale. The most tech-forward companies in the world are setting the pace through rapid iteration and multiple deployments each day. Moving left will identify problems earlier, but can increase the backlog of vulnerabilities that require addressing. To move at scale and in sync with the cloud, a top-to-bottom approach focused on three changes called dev-first security should be implemented.

Empowering Developers to Build Securely Through the Entire Process

The dev-first approach to security requires organizations to move security into the heart of the development delivery life cycle, changing ownership of actions and adjusting existing attitudes towards security. The mindset that "developers build" and "security secures" must be adjusted as it does not and will not work in the digital era. Developers should be encouraged to move fast and directly provision applications to the cloud through existing applications by removing manual processes and the need for additional IT assistance. Developer teams need to have access to all the pieces of security controls that, as of today, are being built into the pipeline.

To further modernize the shift-left approach to security, responsibilities must be passed on to those creating software. Continuous security must be integrated throughout, starting as far left as the Integrated Development Environment (IDE) where the code is built, extending all the way into monitoring applications and production once deployed. This way vulnerabilities are found as early as possible when it is the easiest and least costly to fix them, which is where and how you scale security.

App development is so critical to every company's success these days — getting new apps and capabilities delivered to drive strategic goals. This approach to security supports the pace of innovation that is too fast for security alone to handle. With the scale of developer teams compared to security currently sitting at 8 to 1 per company, security teams must be given the tools to make developers successful during the development process.

This approach doesn't involve companies skimping out on security and focusing solely on developers, but maintaining security as the overarching goal for each department including the CISO and those working across AppSec, DevSecOps and ProductSec.

Ravi Maira is Global VP - Partnerships, Alliances, Channel and GSI at Snyk
Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1