DevOps and the need for security to shift left 

Shift left testing is an increasingly popular approach to testing applications and software, where the testing is generally performed earlier in the development project timeline (hence ‘shifted left’) and is a fundamental aspect of the DevOps approach.

The rapid emergence of the DevOps movement has itself been driven by the exponential growth of the application economy, which has put a huge amount of pressure on development teams to hit shorter delivery deadlines.

However, moving too fast without the proper security process in place leaves an organisation open to shipping applications with poor functionality, buggy software or security flaws, all of which weigh heavily on customer loyalty and retention.

This is where shift left testing becomes critical, because it extends the responsibility for testing software and ensuring the stability of applications to the developers themselves, at the earliest feasible stage in the development process.

“Shift left” impacts the entire software lifecycle

This shift left in the approach to development and application testing has completely revolutionised the entire software lifecycle (SLC), which has moved from a siloed approach (in which development and operations were very much separated) to one in which these silos are deliberately removed from the process.

One major issue with the more traditional ‘Waterfall’ approach to software development was that at each handoff stage of the SLC – from planning through development, quality assurance (QA) and operations – there were vital knowledge gaps and issues that were never fed back to the developers in a timely and efficient manner.

The growth and popularity of agile development helped to align overall business intent and the application knowledge, by bringing together the developers, product owners and QA onto the same team.

Yet even then, it was still somebody else’s ‘job’ to operate and test the software out in the wild. Hence the more recent growth of DevOps and, more specifically, DevSecOps, which promotes and supports real continuity across the spectrum – and shifts the responsibility for what is written and deployed to the whole team across the entire SLC.

When developers and operations people both feel a heightened responsibility for delivering clean code and stable, secure applications, the overall result is far less waste, far fewer errors thanks to automation, and a much better understanding all around of the needs and demands on every team across the SLC.

Four top tips for DevOps to shift security left

Security has, unfortunately, been something of a latecomer to the ‘shift left’ party, though this situation is changing following the growth in high-profile application-related data breaches and cyber attacks over the last few years.

The good news is that security is now seen as something that is integral to the development process and not simply an inconvenient bottleneck that’s bolted on near to the end of the process.

By shifting security testing left, all members of the DevOps team are encouraged to do everything they collectively can to make their software safer and more secure.

But how do DevOps teams ensure that security is integrated across the entire SLC from the outset?

Here are our four top tips:

  1. Integrate application security into your development tools

Integrate security assessments with your current development tools and use ticketing systems that automatically test code and coordinate remediation.

  2. Nominate security champions

Nominate certain developers with an interest in security as security champions to promote the security message on a peer-to-peer level.

  3. Extend application security into production

A well-engineered application security solution must enable closed-loop feedback from production. Security doesn’t stop at deployment.

  4. Provide full operational visibility

DevSecOps promotes team autonomy and gives all teams the full visibility they need to measure and assess security compliance and risk.

Promoting DevSecOps across the business

Overall, in order to encourage and promote an efficient, secure and safe DevSecOps culture throughout your organisation, you need to ensure that everybody feels responsible for digital security.

This is achieved by communicating the goal of producing secure applications to all teams, from planning through to development, QA and operations.

Digital security is becoming a must-have element of any new business application or software update. Don’t risk making it an afterthought!

Written by Paul Farrington, Director, EMEA Solution Architects at CA Veracode