Maksim Kabakou - Fotolia
It is a long-held belief that security needs to become more prominent in the development lifecycle. Instilling this belief in the developer community, however, has proven to be rather challenging. Work has been ongoing from different angles to achieve the goal of secure development, but we still seem to have some way to go (although many organisations have made great strides so far and lessons can be learned, as our research has shown).
A combination of approaches is needed to realise secure application development. Implementing security tools to help assess the complied application code, review the libraries being used and carry out regular vulnerability scanning are among the options available to organisations. By adding in the right processes and the right people, who also need to be trained and operate in a culture that is supportive of “secure by design and development” thinking, organisations can start to see the benefits that secure application development can bring to the business.
The concept of shift left has been proven to be highly effective in supporting this ambition. If you think about application development as a timeline, this is about taking the security considerations and shifting them left towards to the beginning of that timeline so that they are incorporated at the earliest stage possible. This can be supported by getting security elements included in the non-functional requirements for the application, for example.
While shift left is useful and can improve security within application development, this is not enough when you consider the whole application lifecycle. This is where two other elements come into play, and they are complementary. They are shift right and DevOps, or more importantly DevSecOps. Shifting right is about taking security to the right of the application development timeline and, similarly, DevSecOps is about having security in all elements of the development process.
Paul Holland, Information Security Forum
Developers should recognise the importance of their role in the application’s success after development, including the importance of maintaining a secure environment for consumers. Having developers involved in the support of the applications they write helps them to understand the need for quality in their coding and effective management of defects.
For organisations that want to take things a step further in securing their application development, there is “shift everywhere”. Once you have mastered shifting left and right, the next logical step is to automate elements of development and support. This is to ensure they happen and to ensure consistency.
You can only shift everywhere once you have matured your development activities, and it is the most mature processes that are the likely initial candidates for automation. Automating your established processes and tools takes the logic of shifting and incorporates it into everything, hence the term shift everywhere.
Shifting everywhere provides multiple benefits, the main one being better developed applications that can be supported and updated by a team of experts. This also has the benefit of giving the product owner confidence that the application has been coded to a high level of quality and security, and even if there are problems the teams involved can fix the problems quickly. Consumers will also benefit, as they will have a better experience with a higher quality application and will be at less risk of an insecure application leaking their data.
With DevSecOps, the idea is to combine the three core elements – development, security and operations – into one team and one overall cohesive process, where all the team work on development, add in the security elements and then take on the ongoing maintenance of the operation of that application. This combined approach works well with shifting everywhere as well as left and right, so organisations that also use DevSecOps can gain greater benefit from shifting as well.