InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
To shift left successfully, security must first focus on aligning the culture and building great development partners. It must also track useful metrics, document expectations clearly and ensure developers receive the necessary training to ease the transition.
This piece explains some common shift left best practices and offers tips for ensuring the move goes smoothly.
The term “shift left” became popular over the past few years, but it is not a new concept. The understanding that it is cheaper to fix problems the earlier you are in a process has been around for decades within the application development arena. This
more recent push centers around giving developers the tools to quickly identify security issues and correct their code early in the development process.
When security initiatives are pushed onto other teams within the organization, those teams often perceive it as slowing them down. To be successful, then, security must gain partners and have a consistent message that centers on helping those partners
do their job. Take, for example, the perception of security being a roadblock for features. Instead of arguing it is a necessary roadblock, we recommend turning the conversation to:
Be sure to communicate the fact that security will work with them to procure and recommend tooling that helps developers write better code, faster and easier, while still meeting company expectations and objectives.
Security cannot sustain positive change by issuing demands and heavy-handed requirements. Developers must understand they are getting value from the changes proposed, or they will simply avoid doing anything you lay out. To shift left successfully, you
must convince partners and get them on board to integrate additional checks into the process.
One option to help with your message is to develop an ambassador or champion program for secure development practices. This entails finding developers within the various teams who have a passion for secure coding practices and who will echo the importance
of it through the software development lifecycle (SDLC). This can be done by asking for volunteers or offering application hacking workshops and looking for interested individuals.
We suggest incorporating these developers into the security design and decision process to establish a good-faith relationship. Having them involved in the input phase fosters trust and enables them to provide candid feedback on what can work within the
organization and what to avoid when implementing. These partners can also help when a decision about tooling or process is made and must be integrated into the SDLC.
Sometimes developers don’t understand why certain tools or processes are needed at all. If that is the case, show them the state of application security via internal assessments, third-party assessments or via a bug bounty program on the application.
Detailing the existing security defects provides a realistic picture of the issues and the need to address them.
Setting expectations for your developers is critically important. Documentation is one of the most valuable things you can do here, although it can also be the most time-consuming.
Your goal should be to give clear direction on what you expect developers to incorporate into their designs and codebase. Use clear, concise requirements that are easy to understand and apply to development work. This should also be integrated into a
knowledgebase tool, such as an internal wiki.
Consider incorporating typical coding samples that show how to securely configure common tasks, such as:
Telling a story of success requires showing where you came from in the form of metrics. Consider tracking metrics like:
By incorporating metrics early, you can send a message to management that either the security investments made are working or that adjustments are still needed to realize the actual value.
Once you have an agreed-on list of meaningful metrics, be sure to share them with all interested parties, including management, development teams, business unit leaders and security staff. This both lets people know how they are being measured and fosters
One primary way developers and security professionals integrate security checks is through automated tooling that helps ensure code conforms to security expectations. These include:
Both SAST and DAST should be accessible to developers so they can launch testing on a shared codebase. This may be more complex, given the distributed nature of the application and using a DAST tool. However, there are ways to deploy an environment for
testing, given specific cloud deployments. Options may include setting up a dedicated staging environment or allowing developers to spin up full environments.
Once you decide on the tooling and process adjustments, developers must be trained to understand and use these tools, particularly if they impact deployments. Ensure developers understand the reasons to use these tools and how to integrate them into their
development process effectively. You should also ensure these processes are well-documented within the maintained knowledgebase.
Taking on a shift left roadmap requires a strong partnership between security and development. To ensure success:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
May 19, 2022
By IANS Faculty
Understand potential security risks for executives on social media. Find information on attack trends and guidelines to help identify potential attacks and keep both social media accounts and the organization secure.
May 17, 2022
Learn how to make progress with zero trust, including common zero trust use cases, success stories, tooling guidance and tips for effectiveness.
May 12, 2022
Gain an understanding of the role executives play in incident response (IR). Find guidance on key actions to take before, during and after a security incident.