The Importance of Shifting Left

Start with software security earlier in the process.

At Intercept, we enable ISVs to build their applications using the power of Microsoft Azure. We often work with these ISVs to update or tweak their software development and/or delivery processes. Quite often this involves reviewing or creating CI/CD pipelines or workflows in Azure DevOps or GitHub Actions. This is where we start to think about shifting left.

In this article we explore the topic ‘shifting left’ by answering the following questions:

  • What is ‘shifting left’?
  • Why ‘shift left’?
  • How to ‘shifting left’?

What is Shifting Left?

‘Shifting Left’ is the practice of moving a phase of the software development process to the left when you consider the traditional software development life cycle. Specifically, it usually refers to the practice of tackling security and testing as early in the software design and development process as possible.

Why Shift Left?

In the traditional software development life cycle, security checks and assessments were often completed towards the end of the development process. This often led to conflicts between various teams due to differing priorities. For example, the development team might be focused on delivering the application, while the security team is focused on ensuring that any security issues are identified before going to production. In this case, the two teams are pushing in different directions, which can cause conflict.

Another drawback of security testing later in the process, is that you might end up having to accept some technical debt and workarounds to resolve identified security issues. Technical debt and/or workarounds can make an application expensive to support and could lead to performance issues in the future.

Shifting left, by dealing with security assessments early in the design and development process, provides many benefits when compared with the alternative. Coupled with adapting a continuous improvement and continuous security mindset, shifting left can realize numerous benefits to an organization including stability, agility, productivity, and speed to name a few.

By considering security concerns as early as the design stage in the development process, you are free to ensure that the software design is as secure as possible before your development team gets started with writing any code. To sum this up. By considering security at every stage of the software development journey you can turn, what could previously have been, conflict into improved cooperation and gains inefficiency.

How can we Shift Left?

Shifting left isn’t something you do just once, it’s a continuous journey. It’s something you should iterate over repeatedly. Let’s talk about some areas to consider while you think about shifting left.

 

1. Build cross-functional or multi-disciplinary teams

 Traditionally,  organizations separated their staff into siloes based on their skillsets. You might have a silo for developers, another for IT Ops staff, and another for security specialists. This meant that you often had separate teams working together which, as mentioned above, could lead to conflict and a “them and us” mindset. In the long term, this could be detrimental to staff morale and ultimately your business.

An alternative approach would be to embed multiple skillsets within the same team, thus creating a cross-functional or multi-disciplinary team. By creating a team with Developers, Testers, DevOps Professionals, and Software Security Specialists, you could increase efficiency and agility. Staff morale could also be boosted as your new team would be pushing towards the same goals.

 

2. Training

While not directly involved in the process of designing, developing, and securing your software, training is a very important aspect of “shifting left”. With the velocity at which technology changes, particularly in a cloud-first world, it is more important than ever to invest in training for your staff. Training can help keep skillsets, like secure coding practices, relevant and up to date.

By providing ongoing learning opportunities for your staff and, perhaps, building learning and certification goals into your staff performance reviews and progression planning, you can ensure that existing skillsets are kept sharp, and that new skills and ways of working are picked up along the way.

Ultimately, by making sure that learning journeys are supported, your business will benefit from secure, well-built software, as well as from engaged, forward-thinking staff. 

 

3. Partners

Another area not directly involved in the software development process but still important to consider as you focus more on the security and agility offered by shifting left are partners.

In a cloud-first world, it is likely that you as a software development company or ISV, partner with a service provider, like Intercept, who builds and maintains the platforms that your software runs on.

As much as it’s important to make sure your own staff is following secure development practices, it is equally important that your partners are following best practices when it comes to the creation and management of your platform. These best practices could include the authoring and maintenance of Infrastructure as Code (Iac), secure secret management, secure platform design, and more.

 

4. Adopt DevOps culture and working practices

 According to Microsoft (What is DevOps? DevOps explained | Microsoft Azure), “DevOps is the union of people, processes, and technology to continually provide value to customers.

As mentioned above, DevOps expands on the idea that previously siloed skillsets can work together to produce applications that are more secure, more reliable, and with increased stability.

From the same article referenced above, Microsoft also states that “By adopting a DevOps culture along with DevOps practices and tools, teams gain the ability to better respond to customer needs, increase confidence in the applications they build and achieve business goals faster.”

Some of the primary gains from adopting a DevOps methodology are agility and velocity. These and other benefits can allow businesses to go from design to release quicker, it can allow increased adaptability to industry/market trends.

These same principles can be applied to the idea of ‘shifting left’ or DevSecOps. This methodology, coupled with the cross-functional teams mentioned earlier, allows you to improve the security of your application constantly and consistently.

 

5. Continuously audit code

One very important aspect of ‘shifting left’ is to ensure that your application source code is constantly in a state of review. We recommend auditing your code after every commit to ensure that there are no secrets within the repo, whether hardcoded or within configuration files. Regular source code reviews can also help identify and combat areas of technical debt.

In a future article, we will discuss practical ways to add automation to this process to improve efficiency. 

 

6. Dependency checking

Dependency checking or supply chain management has been in the news a lot over the last couple of years. You might immediately think about the SolarWinds hack in 2020 as an example of this.

In software development, we often use libraries and software written by others to perform certain functions within our application stack. This allows us to add functionality to the application without having to “roll your own” or write your own version of said functionality.

While this approach saves time and money, it also comes with its own set of risks. What if the library or package that your application relies on gets compromised? What if you, inadvertently, pull the compromised code into your application? This could lead to the compromise of your own software as well as your client’s systems that run the software. This could then lead to major reputational damage for your business.

There are many ways to combat supply chain attacks by following some best practices for dependency management. Among these are version pinning, hash verification, and removing unused libraries and dependencies.

Google has a great article on the topic of dependency management here: Best practices for dependency management | Google Cloud Blog

 

7. Automate

You might be thinking, how can my business become more efficient, more agile, more secure, and more productive. The answer to that is automation. If you were to adopt the above recommendations without automating as many as possible, you would gain exactly the opposite of the benefits mentioned above.

In conclusion

The purpose of this article was to discuss the benefits of shifting left and to give you some things to consider. The items mentioned above are by no means an exhaustive list of recommendations. As mentioned before, “shifting left” is not a one-time change, it’s a constant, iterative process.

How we can help

Intercept works with Independent Software Vendors (ISVs), like yourself, every day. We specialize in helping our customers realize all the benefits the public cloud, and Azure in particular, has to offer.

Intercept can work with you, from any stage of your software development projects, to help you take advantage of cloud-native development practices, including helping you consider how best to ‘shift left’

In the next article, we will talk about practical ways that you can ‘shift left’ using DevOps tooling and automation.

We are currently working on a Security Ebook, don't want to miss it? Then leave your email address below and we will send you the ebook as soon as it is finished!

Possibly interesting as well:

Tags

  • Security & Compliance

Written by

Karl Cooke

Karl Cooke

Azure Architect