Shifting security left through collaboration

The concept of "shifting security to the left" is fundamental to modern software development. It means considering security as early as possible in the software development lifecycle and is essential for making security an integral part of software development rather than an afterthought. It is closely associated with the rise of DevSecOps, which emphasizes early and continuous security integration. This blog explores the significance of shifting security to the left and the role of collaboration in achieving this objective.

What does it mean to "shift left"?

In a typical development timeline, development activities are positioned on the left, and operations activities are on the right. The term "shift to the left" refers to moving security activities away from the operations phase and towards the development phase in the software development lifecycle. By shifting security tasks left, developers and security experts aim to address potential issues earlier in the process, avoiding the pain, cost and rework associated with finding security issues later in the development lifecycle.

When speaking about security, the activities reduced on the operations side are incident response and vulnerability management. These are supplemented with more proactive activities during development, such as static application security testing (SAST), dynamic application security testing (DAST), threat modeling and security architecture review. The target of this shift is to decrease the number of vulnerabilities in the software's code, thus reducing overhead for incident response and vulnerability management.

Apart from the obvious advantages of shifting security left—less work and stress for the previously mentioned teams—there are some less obvious advantages. For example, an operations team can focus more on suggesting and implementing improvements to the software, shifting these actions to the left as well. This may increase the effectiveness of the code, making the software more resilient and increasing its value to the customers. Potential customers will also be more interested in buying software designed with security in mind from the start. 

Many open source tools are available today to assist in secure development strategies. For example, Red Hat Product Security released RapiDAST, an open source project. Most of the tooling can be automated and integrated into a development workflow. Automation is important when shifting to the left so developers can continue to focus on their core job, which is developing software. 

Finding the right tools

Using the right tools is one of many crucial aspects of shifting to the left. Knowing how and when to use these tools is equally important. For instance, you can perform threat modeling at the end of the development process or just before the software goes into general availability to the public. However, the strength of threat modeling, which is identifying security problems early, will be lost since changing the software architecture to correct a problem will require many resources. The same applies to other security controls such as SAST and DAST. Using these security controls at the right time during the development lifecycle provides maximum benefit, as opposed to doing them randomly or towards the end.

Identifying the problem

The core of the problem and its solution reside in the fact that many organizations still tend to do security at the end, on the right side of the timescale, just before a release. Instead of integrating tools throughout the development, they are "sprinkled" over the (almost) final artifacts of the process. 

Stories circulate in the industry about situations where an engineering team comes to a security team and says: "Hey! We have this software, which we'll start selling next month. Could you do some SAST and DAST on it?" Security controls are then immediately integrated into the pipelines, which are re-run to generate the hopefully desired results. The closer a software is to general availability, the more challenging and potentially more expensive it gets to correct vulnerabilities and weaknesses. 

Implementing the solution

As security specialists, we must engage with the development teams as early as possible if we want them to place and use the right tools at the right time. Applying the solution is the hard part. It is the security specialists' obligation, privilege and chance to move company culture to the left. Secure development strategies are more about a mindset and a process than they are about tooling.

Breaking down silos

The historical separation and lack of collaboration between engineering and security departments is a common issue in many organizations. This separation could lead to inefficiencies, misunderstandings and missed opportunities to improve overall product quality and security. Such inefficiencies include:

• Lack of communication between engineering and security.
• Miscommunication about the complexity, schedules, and financial aspects of software development.
• Miscommunication about the importance of security issues.
• Constant "clarification" meetings with higher management as mediators.

To break the silos that engineering and security tend to operate in, a more open approach to collaboration and cooperation should be established. Facilitating and encouraging direct contacts horizontally and vertically across the organization is a good place to start. Placing decisions, independent of their impact on a team, product, or organization, for open discussion throughout the organization and giving every employee, regardless of their role, the chance to contribute, can help open up perspectives and establish a collaborative process.

The role of collaboration in shifting left 

Security specialists must make great efforts to follow the highest standards so that the software being developed is done so with a high level of security. Close contact with engineering teams allows the development lifecycle to start with security in mind at the concept phase.

Initial contact

Place significant energy and emphasis on increasing collaboration during the design phase and initial threat modeling. This early association benefits both teams. It helps the development team save time in future architectural changes, and security engineers start gaining knowledge of the software. The security team can propose the right security practices through more familiarity with the engineering team, the team's processes and the target outcome.

Regular communication

A dedicated communication channel for the security and engineering teams working on software invites all collaborators to an open and productive discussion on security. Enabling the security team to attend one or more of the engineering team's regularly scheduled meetings will deepen the collaboration even more.

Automation

The secure development lifecycle should be supported by automated tooling. In the coding phase, developers can start scanning their code for vulnerabilities. Once they have a minimum viable software prototype, they can also begin performing dynamic analysis to detect vulnerabilities at runtime. At the same time, different generated builds can be scanned for potential malware to detect possible attacks on various supply chains and to help software be delivered free of known vulnerabilities.

Sustaining collaboration

During all these different processes, the engineering teams should be in constant collaboration with the security team, discussing new changes in the code, possible attack vectors and the best countermeasures. Every software version must undergo a final security review before being released. This review must involve both teams meeting and openly discussing all the potential vulnerabilities and ways to mitigate them.

Such close communication during the software development lifecycle will help establish these activities as a long-term, repeatable process with close collaboration as its backbone. Although this communication enhances the product directly from the concept phase, it is not only limited to new development; it can also become part of the ongoing development lifecycle for products that have already shipped. This gives the engineering team the chance to improve the security posture of the software during the maintenance phase.

Wrap up

Collaboration between engineering and security teams is crucial for successfully implementing a more secure development lifecycle and achieving a "shift-left" approach to security. It enables proactive identification and mitigation of security risks, promotes a security-aware culture, and leads to more efficient and effective security practices throughout the software development process.