For years, security professionals, including myself, have advocated for security to be part of the development process. Recently, development has been undergoing a big shift “to the left” so that security is part of a more integrated development process. You may be aware of this change as DevOps. DevOps means that development and operations, the team responsible for deployment and management, work closely together rather than having cold hand-offs. One of the ways this works is by automating as much as possible, including building, packaging, testing and deployment. The integration arrived at an opportune time, building on a shift in software development practice that began in the late 1990s and is now called Agile.
What is Agile?
Agile is about rapid development that produces a releasable product at the end of each iteration. Most importantly, Agile is about focusing on customer needs and not big, over-developed software. DevOps provides the ability to take the idea of Agile several steps further. Beyond just having a product that the customer can use, DevOps opens the door to deployment and delivery. As more applications and functions become enabled through web technologies, there are more frequent deployments that the customer can use. Pinterest, as an example, deploys up to 50 times a day to their platform.
Where Security Comes In
You may be wondering where exactly the security comes in here. Security professionals may be concerned about what DevOps means for them. As it is, when a development process is complete, security gets tossed a product to do testing and assessment. How bad could that be if development and deployment are happening at least once every couple of weeks? Fortunately, there are answers to this question, and the good news is that the change helps from a security perspective. This is where “shifting left” comes in.
When we talk about “shifting left,” we mean that we are pushing things earlier into the development process. Like the operations team, the security team can provide their needs and requirements to development early on. This can mean ensuring that security tests are built into the test automation. It should also mean that security is working closely with developers so developers understand what secure development looks like — appropriate practices and frameworks, for instance.
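As an added illustration of what “security tests built into the test automation” can look like in practice (this is example code written for this page, not code from the original article), the block below defines two checks a security team might hand to developers to run in the ordinary test suite on every build: one over the HTTP response headers an application emits, and one over the deployment configuration it ships with. The header names, the configuration keys (debug, secret_key, tls_min_version) and the sample inputs are all constructed assumptions for the example; a real project would point these checks at its own responses and config.

```python
"""Security regression checks meant to run inside the normal test suite.

Added example for this article; the inputs below are constructed, not taken
from any real application.
"""

# Response headers the security team requires, each with a predicate that
# decides whether the observed value is acceptable.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v,
    "Content-Security-Policy": lambda v: "unsafe-inline" not in v,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Placeholder secrets that must never reach a deployed configuration.
PLACEHOLDER_SECRETS = {None, "", "changeme", "dev-secret", "secret"}

# Minimum TLS protocol versions the security team accepts.
ACCEPTED_TLS_VERSIONS = {"1.2", "1.3"}


def check_security_headers(headers):
    """Return a list of findings for a response header map; empty means pass.

    Header names are matched case-insensitively, as HTTP allows.
    """
    findings = []
    normalized = {name.lower(): value for name, value in headers.items()}
    for name, is_ok in REQUIRED_HEADERS.items():
        value = normalized.get(name.lower())
        if value is None:
            findings.append(f"missing header: {name}")
        elif not is_ok(value):
            findings.append(f"weak value for {name}: {value!r}")
    return findings


def check_deploy_config(config):
    """Return a list of findings for a deployment configuration dict."""
    findings = []
    if config.get("debug", False):
        findings.append("debug mode enabled")
    if config.get("secret_key") in PLACEHOLDER_SECRETS:
        findings.append("secret_key is unset or a placeholder")
    if config.get("tls_min_version") not in ACCEPTED_TLS_VERSIONS:
        findings.append(f"tls_min_version not accepted: {config.get('tls_min_version')!r}")
    return findings


def security_gate(headers, config):
    """Combine both checks; returns (passed, findings) for a CI job to act on."""
    findings = check_security_headers(headers) + check_deploy_config(config)
    return (len(findings) == 0, findings)


# Constructed sample inputs: one set that should pass, one that should fail.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
BAD_HEADERS = {
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
GOOD_CONFIG = {"debug": False, "secret_key": "4f9c1e7a2b", "tls_min_version": "1.2"}
BAD_CONFIG = {"debug": True, "secret_key": "changeme", "tls_min_version": "1.0"}


if __name__ == "__main__":
    for label, headers, config in (("good", GOOD_HEADERS, GOOD_CONFIG),
                                   ("bad", BAD_HEADERS, BAD_CONFIG)):
        passed, findings = security_gate(headers, config)
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Wired into the pipeline as an ordinary test, a failing gate stops the build the same way a failing unit test does, so a regression such as someone dropping the Content-Security-Policy header or shipping with debug enabled is caught at the commit that introduced it rather than in a post-release assessment.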
Implications for the Customer
If security and its requirements are incorporated earlier in the process and security professionals become a more prominent stakeholder, the customer benefits. Each development cycle has to factor in security and if there is anything required of the security team, they get tasks just like any of the developers or operations staff. This may include changes to intrusion detection systems, firewalls or web application firewalls if it’s a web application being developed.
An enormous advantage of regular deployments is that the time to repair shrinks. If development teams are releasing even every two weeks, customers have a better chance of getting updates that fix security issues much faster. This helps the company and it helps the customer. It is a win-win.
Similarly, if processes are automated, the security team is in an even better position because there is less chance of human error resulting from botched installs or configurations. Automation benefits security work in this instance as well.
In the end, the blend of DevOps with Security, now referred to as DevSecOps, has enormous potential to improve application security. If you aren’t looking into it for your teams, you should be. Move security left!