The phrase “shift left” has become an oft-used enterprise technology buzzword. It refers to the agile software development methodology of moving security testing and controls earlier in the application lifecycle to detect vulnerabilities as soon as possible.
It’s great, right? But all the hype about shift left security misses a crucial point: The left has been rapidly disappearing. By continuing to talk about shift left as a model for the future, the industry has missed important realities about modern software development and how security needs to fit in.
To understand why the shift left concept has grown obsolete, think about how fast the software development life cycle (SLDC) has changed.
Not that long ago, the SLDC in most enterprises was defined by the sequential phases on the waterfall model – requirements gathering, design, implementation, testing, deployment, and maintenance, with the next stage beginning only after the previous one gets completed.
However, ever-increasing digitization demanded shorter development cycles with continuous delivery of new code. That gave rise to DevOps – the set of agile practices that combine development and IT operations to deliver applications and services faster than traditional methods.
DevSecOps emerged as an extension of DevOps as a way to address security earlier in the process, when applications are being created, rather than as a gatekeeper after they are designed and written.
Shifting left makes sense, the logic goes, because the earlier developers detect a vulnerability, it’s easier and cheaper to fix – by a factor of 10 times compared with dealing with it later in the cycle, according to a commonly quoted estimate.
This logic misses that there’s really no more “earlier” and “later.” There’s just “now.”
Although the strict linear approach of the waterfall model has fallen by the wayside, DevOps and other agile methods nevertheless still assume that software gets produced in sequential stages -- “sign, code, ship, and iterate” – they merely happen more quickly and often.
In fact, software development at more and more organizations moves practically at the speed of light, in one nearly continuous loop, with no separate stages. The line between pre-production and production, and every line in between, have practically vanished.
For example, my company has a large corporate customer that executes as many as 100 real-time A/B experiments of new code on its site every day. Which of those 100 should everyone move left to test, and when? It’s impossible to answer.
The “shift left” concept also places so much of the testing focus on application staging, when hacking actually happens after deployment. That doesn't mean security teams shouldn't test earlier – it’s critical to do pre-production continuous testing. I just find that from an attack perspective, what's live is what utterly matters most.
Rather than trying to find every vulnerability in pre-production, the industry should focus more on advancing a continuous/virtually real-time security strategy that can keep up with today’s hyper-fast development cycles.
I like the vision Gartner has described for truly effective DevSecOps in the current climate:
“The integration of security and compliance testing into emerging agile IT and DevOps development pipelines as seamlessly and transparently as possible, ideally without reducing the agility or speed of developers or requiring them to leave their development environment. Ideally, offerings provide security protection at runtime as well.”
To make this a reality, organizations should recognize what matters most – getting security information to software engineers with unprecedented speed. Velocity in security must become a guiding principle, and there are three vital ways to get there:
- Recognition that new vulnerabilities arise all the time and it takes speed to make an organization safer. The only way to get really fast identification and deployment cycles is to make the feedback loop really fast.
- Increased use of automated technology for continuous testing and analysis that enables faster development cycles.
- Cultural changes that carve out a role for security teams as enablers and educators instead of reviewers and blockers. Thanks to the automated technology, these pros can move away from finding and remediating specific individual vulnerabilities and get freed-up to team with a developer for real-time exploratory testing.
“Sunlight is the best of disinfectants,” as the saying goes. It’s also true in application security: The more information readily available across the organization, the better the protection. With the right technology and organizational approaches, enterprises can reach the state of continuous testing and integration of fixes that today’s world requires.
My company has another corporate customer that decided to make security information for 250 applications available to a large group of stakeholders across the company. This company asked itself: Is information about vulnerabilities something that very few people should have access to? Or, do we break the rules of least privileged access and make it available to as many people as possible so they can learn about it?
That’s the kind of thinking the industry needs to bake security into software development, not concepts like “shift left” that time has passed by.
Rickard Carlsson, co-founder and CEO, Detectify
