You hear “shift left” tossed around in software development circles these days. It’s like the secret passphrase you need to know to get into the security club. Unless you’re still doing waterfall-style software development, there’s no time for a detailed security scan at the end of the software release cycle. So if you’re not shifting your security implementation left and baking it in from the get go, where is your security getting added? Spoiler alert: it’s not.
As Farshad Abasi (@Mirai_Sec), CTO for Mirai Security reminds us, the traditional “walled garden” approach to security based on a Web Application Firewall (WAF) is no longer viable (if it ever was). Rather, developers need to work hand in hand with security experts to build security into each requirement, story by story, since most security flaws occur in the requirements and design phase. For DevOps, it means building automated security tests into their CI/CD pipeline because resolving vulnerabilities in non-production is at least 50 times cheaper than resolving them in production.
But shifting left doesn’t mean just dumping security on the Dev/DevOps team. After all, most coders want to focus on what they do best - creating cool apps - rather than having to learn how to deal with the complexity of securing them.
We deep-dove into securing source code in this 60-minute “Inject Security into Source Code” webinar. Watch the on-demand recording now.
Time to Market vs Security
As Jacek Materna (@jacekmaterna), CTO for Assembla points out, spending on security solutions is at an all time high, but so are the number of breaches. So what's going on? According to the US Department of Homeland Security, 90% of security incidents are related to vulnerabilities in the code. But the software industry continues to emphasize speed to market over security. In other words, in the clash between the Chief Revenue Officer (CRO) & Chief Information Security Officer (CISO), revenue trumps security. The message is clear: developers must adopt tools that will allow them to add security into their development process without slowing them down.
At ActiveState, we believe in baking security and compliance right into the source code so your developers start with a clean slate before they code line 1. Some of the ways we do this include:
- Open source language distributions that are vulnerability patched, well-supported packages that are up-to-date and license checked to ensure against GPL/ LGPL/ AGPL code.
- Monitoring of open source packages for vulnerabilities, datedness and licensing from development throughout the software development lifecycle (SDLC), from dev through the CI/CD process and into production.
- A central dashboard where all stakeholders can get a “Bill of Materials” view for all applications currently running in order to understand the risk associated with each application.
And because all stakeholders can see all issues no matter where they occur in the (SDLC), it’s not just up to the developer to solve all the issues. For example:
- Compliance teams can investigate license issues
- InfoSec teams can resolve vulnerabilities
The idea here is to “shift left” without having to overload your developers.
View a 2-minute demo that may change your mind about how you currently secure your Python scripts, services and applications.