Shifting left: DevSecOps a proactive approach to cyber

Short for development, security and operations, DevSecOps automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment and software delivery.

The core principles and practices of DevSecOps revolve around the idea of 'shifting security left,' meaning that security considerations are introduced as early as possible in the software development lifecycle (SDLC). This proactive stance ensures that security is not an afterthought but an integral part of the entire process.

This month, experts in the field share their perspectives with Cyber Magazine on why DevSecOps is essential, the concept of 'shifting left', the challenges organisations face, and recommendations for a smooth transition to a DevSecOps culture.

Integrating security into the DevOps lifecycle 

As explained by Amit Tailor, Director, System Engineering at Palo Alto Networks, one of the reasons for the urgency to integrate security in the DevOps lifecycle is reinforced by the escalating threats targeting Continuous Integration/Continuous Delivery (CI/CD) environments. “These pipelines are intrinsic to cloud-native software development, housing sensitive data and credentials,” he says. “Unfortunately, they often remain unnoticed by traditional AppSec teams, posing a considerable risk.” 

According to a threat report by Palo Alto’s Unit 42 team, the cloud is the dominant attack surface, with 80% of security exposures present in cloud environments compared to on-premise at 19%. “It also found that cloud-based IT infrastructure is always in a state of flux, changing by more than 20% across every industry every month, and as such, nearly 50% of high-risk, cloud-hosted exposures each month were a result of the constant change in cloud-hosted new services going online and old ones being replaced.”

To mitigate these risks, DevSecOps addresses this need by embedding security protocols directly within the DevOps process, rather than it being a separate entity handled at the end of the development cycle. “This,” Tailor explains, “ensures a proactive approach to security, where vulnerabilities can be detected and rectified early on, reducing the risk of security breaches and promoting faster, safer delivery of code.”

DevSecOps ensures that security remains a prominent consideration across the entire software development lifecycle, explains Paul Baird, Chief Technical Security Officer EMEA at Qualys, spanning from the initial development and testing phases to the final live deployment. 

“This approach involves facilitating the integration of secure software development processes, conducting thorough assessments of deployment environments to identify potential issues, and preemptively addressing these concerns before they can affect production,” he describes. “In essence, it promotes seamless cooperation among developers, IT operations, and security teams.”

The mantra of shifting security left

A fundamental principle of DevSecOps, the idea of ‘shifting left’ is the practice of moving security checks as early and often as possible.

“This is different to the traditional approach of developers building an application and then handing it off to operations and security teams, who are responsible for keeping it secure,” comments Sean Roth, Director, DevOps Solutions at Harness. “Instead, embracing shift left sees both security and development teams working together from the start to develop a product or application that is secure. This is crucial to avoid security being overlooked or forgotten about as the pace of development continues to accelerate.”

However, as Roth warns, this ‘shift left’ approach can create more work for developers if they aren’t given the right tools and support. “That’s because shifting left demands that developers learn security on top of everything they are already doing, which creates an unfair burden. Companies can alleviate this by ensuring development teams have solutions that automate security processes for them and ensure they have access to the right information at the right time, to prevent a breach of any protocols.”

Shifting left, Tailor explains, is about a change in culture, explaining that it’s about ensuring that security teams ‘are dotting the i's and crossing the t's from day one’.

“This is not just about catching issues early. It is about building a culture where security is a habit, not an afterthought,” he adds. “It fosters a sense of responsibility and ownership — a realisation that security is not someone else's job but a collective effort. It’s similar to an F1 racing team where the driver’s success depends on the grit of his entire team, from the constructors to the pit-crew mechanics. It's everyone's business and demands everyone's participation and coordination.”

Ensuring a smooth and effective shift left

With the clear benefits of a move to adopting DevSecOps, it is imperative for businesses to understand how to ensure a seamless and effective shift. This belief, Baird explains, is shared by security teams.

“Security teams don’t want to be blockers,” he explains. “They know how important new services or applications are to the business. At the same time, they are responsible for securing company data or ensuring compliance with regulations. So, they want to make sure that they don’t get in the way, but that rules are being followed.”

To make this shift work, it’s not about new tools. Instead, businesses should look at integrating security and best practices into existing tools that developers use every day. “This helps avoid that perception that security is in the way of developers moving quickly and building things,” he says. “Instead, we in security want to provide guide rails and best practices around that work, so that developers can build while being secure by default.”

As Tailor concludes, transitioning to a DevSecOps model should be a carefully planned and executed strategy. Fostering a collaborative culture that encourages open dialogue and shared responsibility between the development and security teams is key. 

“The ‘shift left’ approach should be embraced, wherein security is integrated into the early stages of the development lifecycle, fostering a proactive security mindset,” he says.