Start with software security earlier in the process.
At Intercept, we enable ISVs to build their applications using the power of Microsoft Azure. We often work with these ISVs to update or tweak their software development and/or delivery processes. Quite often this involves reviewing or creating CI/CD pipelines or workflows in Azure DevOps or GitHub Actions. This is where we start to think about shifting left.
In this article we explore the topic ‘shifting left’ by answering the following questions:
What is ‘shifting left’?
Why ‘shift left’?
How to ‘shifting left’?
What is Shifting Left?
‘Shifting Left’ is the practice of moving a phase of the software development process to the left when you consider the traditional software development life cycle. Specifically, it usually refers to the practice of tackling security and testing as early in the software design and development process as possible.
Why Shift Left?
In the traditional software development life cycle, security checks and assessments were often completed towards the end of the development process. This often led to conflicts between various teams due to differing priorities. For example, the development team might be focused on delivering the application, while the security team is focused on ensuring that any security issues are identified before going to production. In this case, the two teams are pushing in different directions, which can cause conflict.
Another drawback of security testing later in the process, is that you might end up having to accept some technical debt and workarounds to resolve identified security issues. Technical debt and/or workarounds can make an application expensive to support and could lead to performance issues in the future.
Shifting left, by dealing with security assessments early in the design and development process, provides many benefits when compared with the alternative. Coupled with adapting a continuous improvement and continuous security mindset, shifting left can realize numerous benefits to an organization including stability, agility, productivity, and speed to name a few.
By considering security concerns as early as the design stage in the development process, you are free to ensure that the software design is as secure as possible before your development team gets started with writing any code. To sum this up. By considering security at every stage of the software development journey you can turn, what could previously have been, conflict into improved cooperation and gains inefficiency.
How can we Shift Left?
Shifting left isn’t something you do just once, it’s a continuous journey. It’s something you should iterate over repeatedly. Let’s talk about some areas to consider while you think about shifting left.
1. Build cross-functional or multi-disciplinary teams
Traditionally, organizations separated their staff into siloes based on their skillsets. You might have a silo for developers, another for IT Ops staff, and another for security specialists. This meant that you often had separate teams working together which, as mentioned above, could lead to conflict and a “them and us” mindset. In the long term, this could be detrimental to staff morale and ultimately your business.
An alternative approach would be to embed multiple skillsets within the same team, thus creating a cross-functional or multi-disciplinary team. By creating a team with Developers, Testers, DevOps Professionals, and Software Security Specialists, you could increase efficiency and agility. Staff morale could also be boosted as your new team would be pushing towards the same goals.
2. Training
While not directly involved in the process of designing, developing, and securing your software, training is a very important aspect of “shifting left”. With the velocity at which technology changes, particularly in a cloud-first world, it is more important than ever to invest in training for your staff. Training can help keep skillsets, like secure coding practices, relevant and up to date.
By providing ongoing learning opportunities for your staff and, perhaps, building learning and certification goals into your staff performance reviews and progression planning, you can ensure that existing skillsets are kept sharp, and that new skills and ways of working are picked up along the way.
Ultimately, by making sure that learning journeys are supported, your business will benefit from secure, well-built software, as well as from engaged, forward-thinking staff.
3. Partners
Another area not directly involved in the software development process but still important to consider as you focus more on the security and agility offered by shifting left are partners.
In a cloud-first world, it is likely that you as a software development company or ISV, partner with a service provider, like Intercept, who builds and maintains the platforms that your software runs on.
As much as it’s important to make sure your own staff is following secure development practices, it is equally important that your partners are following best practices when it comes to the creation and management of your platform. These best practices could include the authoring and maintenance of Infrastructure as Code (Iac), secure secret management, secure platform design, and more.
As mentioned above, DevOps expands on the idea that previously siloed skillsets can work together to produce applications that are more secure, more reliable, and with increased stability.
From the same article referenced above, Microsoft also states that “By adopting a DevOps culture along with DevOps practices and tools, teams gain the ability to better respond to customer needs, increase confidence in the applications they build and achieve business goals faster.”
Some of the primary gains from adopting a DevOps methodology are agility and velocity. These and other benefits can allow businesses to go from design to release quicker, it can allow increased adaptability to industry/market trends.
These same principles can be applied to the idea of ‘shifting left’ or DevSecOps. This methodology, coupled with the cross-functional teams mentioned earlier, allows you to improve the security of your application constantly and consistently.
5. Continuously audit code
One very important aspect of ‘shifting left’ is to ensure that your application source code is constantly in a state of review. We recommend auditing your code after every commit to ensure that there are no secrets within the repo, whether hardcoded or within configuration files. Regular source code reviews can also help identify and combat areas of technical debt.
In a future article, we will discuss practical ways to add automation to this process to improve efficiency.
6. Dependency checking
Dependency checking or supply chain management has been in the news a lot over the last couple of years. You might immediately think about the SolarWinds hack in 2020 as an example of this.
In software development, we often use libraries and software written by others to perform certain functions within our application stack. This allows us to add functionality to the application without having to “roll your own” or write your own version of said functionality.
While this approach saves time and money, it also comes with its own set of risks. What if the library or package that your application relies on gets compromised? What if you, inadvertently, pull the compromised code into your application? This could lead to the compromise of your own software as well as your client’s systems that run the software. This could then lead to major reputational damage for your business.
There are many ways to combat supply chain attacks by following some best practices for dependency management. Among these are version pinning, hash verification, and removing unused libraries and dependencies.
You might be thinking, how can my business become more efficient, more agile, more secure, and more productive. The answer to that is automation. If you were to adopt the above recommendations without automating as many as possible, you would gain exactly the opposite of the benefits mentioned above.
In conclusion
The purpose of this article was to discuss the benefits of shifting left and to give you some things to consider. The items mentioned above are by no means an exhaustive list of recommendations. As mentioned before, “shifting left” is not a one-time change, it’s a constant, iterative process.
How we can help
Intercept works with Independent Software Vendors (ISVs), like yourself every day. We specialize in helping our customers realize all the benefits the public cloud, and Azure in particular, has to offer.
Intercept can work with you, from any stage of your software development projects, to help you take advantage of cloud-native development practices, including helping you consider how best to ‘shift left’
In the next article, we will talk about practical ways that you can ‘shift left’ using DevOps tooling and automation.
Possibly interesting as well:
AKS Security
Everyone is working hard on the new platform and then someone asks.. “What about security?”
A new quarter full of new innovations from Azure. Azure has certainly not been standing still! Nor is there any sign that things are getting quieter. Our expert will tell you more about Azure in this one-time special!
A new year full of new innovations from Azure. Azure has certainly not been standing still! Nor is there any sign that things are getting quieter. Join our expert for a look back at 2022 and forward to 2023!
Get your NEN 7510 certificate with Azure: tips for working safely in the cloud as a healthcare MSP
Help your healthcare clients make a safe transition to the cloud and achieve or maintain your NEN 7510 certification a lot faster with the tips from this blog.
How do you protect your organization against Ransomware?
Never waste a good crisis”, these famous words by Churchill could not be more relevant today as shown by the increasing number of ransomware attacks which have a significant impact on affected organizations and on our society.
In this article, I would like to focus on how you can grapple with the following topics: expertise management amongst personnel, IaaS vs PaaS, how you can keep pace with innovations, DevOps culture, cloud security, and framework.
What is Azure Cloud Governance and how do I apply it to my Environment?
Cloud technologies are relatively easy to implement. You can be up and running within minutes, but rushing at the start often leads to more work later on. That’s why it’s important for you to have a solid plan in place.
How does Azure deal with privacy, security and compliance?
Data security is growing importance. As an organization, you’re obliged – including under strict regulations – to handle your data with care. You don’t want your data to end up in the wrong hands either.
