
Luke Hally

Shift Security Left

August 10, 2021

Shifting Security Left is a paradigm that encourages a proactive, rather than reactive, approach to security. The term refers to the software development or product lifecycle. It is common practice to develop a piece of software or a product and then, at the end, ask, “OK, what do we need to do for security?” Shifting security left means thinking about it at the beginning and at each stage. Consider:

  1. A bug that is exploited after release may cost a company millions in fixing, PR fallout, and potential legal repercussions. That’s not even considering the impact on users.
  2. A critical bug found by the security team just before release might cost a company tens of thousands to patch.
  3. A critical bug found by an employee during a code review might cost a few hundred dollars to fix.
  4. A developer who has knowledge of common vulnerabilities and their remediation might cost a company $5 as they add a couple of extra lines of code to prevent a potential bug.
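What item 4’s “couple of extra lines of code” can look like in practice, as an added example that is not from the original post: a hypothetical file-download helper, first as a developer might write it without security awareness, then with a guard that keeps the requested path inside the intended directory, plus the unit test that would catch a regression at the develop stage rather than at a pre-release review. The vulnerability class (path traversal), the directory, and the function names are assumptions chosen for illustration.

```python
"""Shift-left in miniature: a guard written by the developer, checked by the
developer's own tests. Added example; names and paths are constructed."""
from pathlib import Path

DOWNLOAD_ROOT = Path("/srv/app/downloads")  # constructed example directory


def resolve_download_unguarded(requested: str) -> Path:
    # Naive version: trusts the caller-supplied name and joins it directly.
    # "../" segments or an absolute path walk straight out of DOWNLOAD_ROOT.
    return DOWNLOAD_ROOT / requested


def resolve_download(requested: str) -> Path:
    # Guarded version: the extra lines a vulnerability-aware developer adds.
    # Normalise the final path without requiring it to exist (strict=False)
    # and refuse anything that does not sit at or below DOWNLOAD_ROOT.
    candidate = (DOWNLOAD_ROOT / requested).resolve(strict=False)
    root = DOWNLOAD_ROOT.resolve(strict=False)
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"refusing path outside download root: {requested!r}")
    return candidate


def escapes_root(requested: str) -> bool:
    """True if the guarded helper rejects the request, i.e. the unguarded
    helper would have served something outside DOWNLOAD_ROOT."""
    try:
        resolve_download(requested)
    except ValueError:
        return True
    return False


# These checks live beside the code and run in the developer's unit-test
# suite, long before a release-gate security review would ever see them.
if __name__ == "__main__":
    assert not escapes_root("report.pdf")
    assert not escapes_root("sub/../report.pdf")      # stays inside after normalising
    assert escapes_root("../../secrets.txt")          # relative escape
    assert escapes_root("/tmp/elsewhere.txt")         # absolute path replaces the root
    print("download-path guard behaves as expected")
```

The guard costs two lines; the test costs four. Finding the same issue after release costs whatever the incident does.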

Benefits

Efficiency

High-performing teams spend 50 percent less time remediating security issues than low-performing teams.

Reduced testing

As W. Edwards Deming says in his Fourteen Points for the Transformation of Management, “Cease dependence on inspection to achieve quality. Eliminate the need for inspection on a mass basis by building quality into the product in the first place.” In software development, there are at least these four activities: design, develop, test, and release. In a traditional software development cycle, testing (including security testing) happens after development is complete. This leads to lengthy testing and also reworking as bugs and vulnerabilities are found. Testing will still be required, but with security built in from the start there will naturally be fewer vulnerabilities to patch.

Security Matters

A major challenge for cyber security managers is getting the rest of the business to care about it: getting staff to stop opening phishing emails, to stop sharing customer credentials, to stop sending unencrypted data. Moving security left sends a clear signal to staff that security is important, and that it is the responsibility of all staff to take it seriously and do their part.

Reflection

When security isn’t just an afterthought or a box-ticking process before deployment, when it’s an intrinsic property of the product, and of the company, it creates good habits in staff, helping to build a security culture. This means users and their data are safer, and it benefits the company, its customers and society more broadly as we develop more resilience to cyber attack.

References

DevOps tech: Shifting left on security: https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security 

2016 State of DevOps Report: https://services.google.com/fh/files/misc/state-of-devops-2016.pdf

DevOps Research and Assessment (DORA): https://services.google.com/fh/files/misc/state-of-devops-2016.pdf

Fourteen Points for the Transformation of Management: https://deming.org/explore/fourteen-points?apartner=aarp
