How shift left security and DevSecOps can protect the software supply chain  

Security shouldn’t be an afterthought. Releasing code filled with exploits and bugs is a recipe for disaster. This is why more and more organizations are looking to shift security left — to address vulnerabilities and exploits throughout the entire development lifecycle rather than at the end. 

For instance, in a GitLab survey, 57% of security team members said their organizations have either shifted security left or are planning to this year. 

Many have attempted to implement this approach through DevSecOps, with 42% teams practicing  DevSecOps, an approach integrating the operations of development security and operations teams throughout the development lifecycle. 

At its core, shifting left involves moving security testing from late in the software development lifecycle (SDLC) to early on during the design and development phase. This is gaining traction because developers automate and integrate security testing into development tools and CI/CD pipelines to get secure products to market faster. 

The mandate for continuous development 

One of the biggest challenges facing modern teams is the need for the continuous development of apps and services. Research shows that 31.3% of developers release once per week to once per month, while 27.3% release every month to six months, and 10.8% release multiple times per day. 

The demand for continuous development means that security is often forgotten in place of meeting deadlines, leading to apps being shipped with vulnerabilities. For instance, one study found that 74% of companies frequently or routinely release software with unaddressed vulnerabilities. 

Shift left approaches are helping address these challenges by embedding security early in the development process to address vulnerabilities as they emerge in code, before they have a chance to affect end users. 

“Shift left has helped with speed, because when security is included from the beginning, developers can proactively address security bugs from the start, reducing vulnerabilities and ultimately helping business increase in speed to market over time,” said Aaron Oh, risk and financial advisory managing director for DevSecOps at Deloitte.

“On the same note, by proactively addressing security bugs, the fixes do not require re-design and re-engineering, leading to cost reduction,” said Oh. 

Before and after 

Perhaps the biggest advantage of shift left security is that it eliminates the need for developers to run damage control on vulnerabilities post-release, which reduces the end-users exposure to threat actors. 

“In the old model, where security tests were run for the first right before the product was scheduled to be released, an inevitably a high or critical finding was identified that would de-rail the product release — or worse, the product is released with the vulnerable code putting the organization and their customers at risk,” said Forrester analyst Janet Worthington.

By implementing a DevSecOps style approach, an organization can avoid the need to generate tickets and patches for a bug or exploit after an app’s release. 

“Utilizing a shift left methodology prevents new security issues from being heaped onto the ever-growing mountain of technical debt,” said Worthington. “Developers can fix security issues before the code is merged to the main branch, the insecure code never makes it into the application and there is no security ticket to open.”

Worthington notes that shifting left services reduce the back and forth between security and development teams. 

Automating security tests throughout the SDLC enables developers to generate real-time feedback on security issues in the context of their code, alongside details on vulnerabilities and how to remediate them without a debate between security and development. 

How fixing vulnerabilities earlier increases cost-effectiveness

In the world of software development, time is money. Shift left security “is becoming increasingly important for CISOs and security leaders because it allows them to identify and address potential security vulnerabilities earlier in the development process, when they are typically easier and less costly to fix,” said Sashank Purighalla, founder and CEO at BOS Framework. 

The sooner a developer can pinpoint a vulnerability in an application, the sooner they can fix it before it causes an operational impact, which not only has a financial benefit but increases security as a whole. 

“Shifting security left can help organizations build more secure software by incorporating security best practices and testing into the development process, rather than relying solely on reactive measures such as penetration testing or incident response,” said Purighalla.  

In addition, “shifting left reduces the development iterations that go into retroactively fixing systemic security vulnerabilities found through gap analysis thereby greatly reducing the cost of building secure software/ doing it right the first time” sad Purighalla. 

When considering that the average time to patch a critical vulnerability is 60 days within the enterprise, addressing vulnerabilities during development is more efficient than waiting to fix them post release. 

From shifting left to shifting everywhere 

As more organizations look to shift left, they are taking a broader approach and beginning to shift everywhere, conducting security testing throughout the entire SDLC, from the left to right, from initial coding to production. 

“Out of the shift left movement, we have also witnessed a move to shifting everywhere,” said Ernie Bio, managing director at Forgepoint Capital. “This concept revolves around performing the right application security testing as soon as you can in the software development cycle, whether that’s on code, APIs, containerized apps, or other points.”

It’s worth noting that automation plays a critical role in making security testing possible and scalable throughout the SDLC.

“A great example of this is NowSecure, a company that helps mobile developers test code via an automated, highly scalable cloud platform that integrates into an organization’s CI/CD process,” said Bio. “As companies shift left and increasingly rely on third party vendors, ensuring these processes are safe and secure will be highly important for security leaders.”

Fundamentally, shifting everywhere is the recognition that developers can’t just leave software out in the wild once it’s released, but must have a process in place to patch and maintain publicly available software to secure the software supply chain and maintain the user experience.