True ‘shift left and extend right’ security requires empowered developers

DevOps is fundamentally about collaboration and agility. Unfortunately, when we add security and compliance to the picture, the message gets distorted.

The term “DevSecOps” has come into fashion the past few years with the intention of seamlessly integrating security and compliance into the DevOps framework. However, the reality is far from the ideal: Security tools have been bolted onto the existing DevOps process along with new layers of automation, and everyone’s calling it “DevSecOps.” This is a misguided approach that fails to embrace the principles of collaboration and agility.

Integrating security into DevOps to deliver DevSecOps demands changed mindsets, processes and technologies. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the “Sec” in DevSecOps transparent. — Neil MacDonald, Gartner

In an ideal world, all developers would be trained and experienced in secure coding practices from front end to back end and be skilled in preventing everything from SQL injection to authorization framework exploits. Developers would also have all the information they need to make security-related decisions early in the design phase.

If a developer is working on a type of security control they haven’t worked on before, an organization should provide the appropriate training before there is a security issue.

Once again, the reality falls short of the ideal. While CI/CD automation has given developers ownership over the deployment of their code, those developers are still hampered by a lack of visibility into relevant information that would help them make better decisions before even sitting down to write code.

The entire concept of discovering and remediating vulnerabilities earlier in the development process is already, in some ways, out of date. A better approach is to provide developers with the information and training they need to prevent potential risks from becoming vulnerabilities in the first place.

Consider a developer that is assigned to add PII fields to an internet-facing API. The authorization controls in the cloud API gateway are critical to the security of the new feature. “Shifting left and extending right” doesn’t mean that a scanning tool or security architect should detect a security risk earlier in the process — it means that a developer should have all the context to prevent the vulnerability before it even happens. Continuous feedback is key to up-leveling the security knowledge of developers by orders of magnitude.

Security training is another example of how organizations are applying a “check the box” — instead of collaborative and contextual — mentality toward security and compliance. When vulnerabilities are found in code, there is often after-the-fact training to ensure that developers learn how to avoid the same error in the future. A better approach would be to understand the developer’s experience, skill set and what they are trying to accomplish in the context of the application from the technologies and frameworks used to the APIs.

If a developer is working on a type of security control they haven’t worked on before, an organization should provide the appropriate training before there is a security issue. The same thing applies to new languages, technologies and areas of the stack. Going even further, a contextual understanding of everything from the Jira ticket to production settings would allow organizations to provide the right training at the right time to the right people. That is what is needed to embrace the ideals of developer empowerment.

This approach to DevSecOps will fundamentally change the role of security architects/AppSec engineers in the organization in a good way. Instead of chasing, investigating and triaging vulnerability scan results, security architects can spend more of their time on strategic issues and continuous learning.

Their role will fundamentally shift to a quest for knowledge; to understand the latest security and compliance concerns, secure coding techniques and defensive practices. They will then spend more time teaching developers and disseminating their knowledge than chasing vulnerabilities, weaknesses and compliance violations. That knowledge transfer will become an essential part of DevSecOps and open a new avenue of collaboration between security and developers.

True “shift left and extend right” security goes beyond identifying vulnerabilities, weaknesses and compliance violations earlier in the process. It builds on DevOps “first principles” to add security to the development process seamlessly.

Empowering developers by giving them the right context and information at the right time is the only way to change how we do software development. This is a big change that requires buy-in from multiple areas across the organization, but the ones that do this successfully will be able to release code both faster and more securely — and have happier, more knowledgeable and better trained software development teams while they do it.