DevSecOps: Moving from “shift left” to “born left”
Shift left DevSecOps has become a hip term of late. Coders have long known what it means. But it is slowly moving into the broader IT lexicon and, from there, seeping into society. Shift left is about moving testing, quality and performance evaluation far earlier in development. Some say it should enter the planning stages before a single line of code is written.
In the security arena, shifting left introduces security best practices during the development process. No more building apps and then adding security safeguards after the fact. Instead, developers are encouraged to add them as they develop.
The business benefits of shift left include lowered costs due to fewer failed projects and shorter time to market. It narrows the eternal gulf between user requirements and the delivered software. The most significant value, though, is that by incorporating DevSecOps practices, protection is baked into applications. No wonder pay index studies by Foote Partners list DevSecOps among those in highest demand.
11 courses, 8+ hours of training
Born left versus shift left
While it has since been firmly established as a development philosophy, Shift Left is evolving once again. The term implies moving from later in the development pipeline as early as you can to discover information about the code vulnerabilities before the application hits production. The earlier such issues are caught, the faster and cheaper it is to fix things.
Dr. David Melamed is the CTO and co-founder of Jit, a continuous security platform for developers, advocates the born left concept, i.e., instead of trying to move left towards the beginning of the development pipeline, you start at code inception.
“Born left means running tools inside the CI/CD pipeline and even using a plugin to get immediate alerts while you’re working on code to address bugs and security issues,” said Melamed on a recent Cyber Work Podcast.
There is a challenge to address, however. Those picking the tools to embed are usually often within the AppSec team. This can lead to developer frustration and friction. In essence, the AppSec team can sometimes slow things down due to security concerns in what should be a rapid-fire development pipeline.
Automation and DevSecOps
The purest implementation of Born Left would entail shifting the ownership of security onto the engineering team via automation and embedded security tools. All aspects of security become embedded in the software development life cycle at every step along the development process. This enables developers to treat security like any other software bug instead of being slowed down by persistent interruptions from AppSec.
Thus, security is present from the first line of code. At the same time, developers have the opportunity to pick and choose the tools they prefer to detect and automate fixes. This should all take place without them having to open a different app to analyze their code or yet another to fix things. Complete integration into the CI/CD pipeline is vital.
Maintaining the quality of security oversight
Automation is great for many things. But if you rely too much on it, the quality of observation can sometimes drop, and things are missed. Think, for example, about those robotic vacuum cleaners you see rolling around on floors. The human eyes and hands are still needed to find and clean the nooks and crannies they miss.
Fortunately, the automated security tools built into the development pipeline are of relatively high quality. They will miss things or misinterpret data; skilled human supervision and review will remain essential. That said, having one platform that orchestrates all the required tools behind a single pane of glass will likely enhance the overall level of security incorporated into code and lower the risk of missing security holes. This adds consistency to the development process and lessens the load on the developer.
As coders are not necessarily security experts, automated and orchestrated tools enable them to create secure code much faster. Ideally, developers would also be given suggestions on fixing any security challenges detected. In some cases, they might apply the fix themselves. For more complex challenges, they can tap into the expertise of a security specialist.
The end of AppSec
Does the born left movement signal the beginning of the end for AppSec specialists? Will DevSecOps become obsolete as the security is provided automatically within the DevOps process? Melamed believes not. Instead of rolling security personnel out of a job, the engineering process is made more efficient, increasing the application output velocity.
"I believe that in the future, no one in their right mind will start a new project without introducing security from day one," said Melamed. "When you want to deploy some code using CI/CD, there will be the tools in production in the CI/CD pipeline from day one."
Education is vital to staying current
The Shift Left movement is gathering momentum. And now we have the Born Left philosophy emerging. No doubt, both will play a role in the future. Therefore, anyone entering the cybersecurity field and those who have been part of it for years are advised to continue to educate themselves on how the field is evolving.
In particular, those making a career out of AppSec and DevSecOps should stay current so that they arm themselves with the tools and technologies that will help them to navigate the changing waters of coding in security.
For more, watch the full Cyber Work Podcast, Moving from “shift left” to “born left.”