Software is first developed, then delivered, and finally managed. And only in the last phase, when software is already in use, is most attention paid to security.
At least, that is the traditional software cycle. The rise of DevOps has already shown that it can be wise to look ahead to the next phase (management) during development. It is essential to take security seriously from the beginning of the development process. After all, software today is developed and put into production quickly and in an agile way, while security threats continue to grow.
That’s what a recent episode of our podcast Business Forward with IT is about, in which Michaël Hompus talks with Frank Thiele and Ingmar van der Steen on the topic of Shift Left Security.
Frank: “Traditionally, less attention is paid to security during software development. This need is growing as more and more organizations start working agile. Instead of large releases, which you can pen test just before going live, new functionality is delivered continuously. That does demand something of the security approach.”
Shift Left Security in practice
Shift Left Security means addressing security as early (left) as possible in the development process. The earlier security is considered, the more effective and cheaper it is. There are several techniques for putting Shift Left Security into practice, the experts explain.
Frank: “Threat modeling is a method of thinking already in the design phase about what an attacker might do to abuse your software. Even before you have built the software, you can think about where the inputs into your software will be. These so-called interfaces allow you to communicate with your software, such as a browser. If these interfaces are not properly secured, an attacker can perform unwanted actions or access data not intended for him. If you identify these interfaces early on, you can factor in securing them as you build them. This is much cheaper than securing them afterwards, when, for example, a successful attack has already been made by a hacker.”
Methods are also available during the development phase. “As a developer, you can look at the source code with critical security glasses,” Frank explains. “That’s also called a security code review; you try to identify security issues by reading the code and wondering how an attacker might exploit it.”
Another component of Shift Left Security in the build phase consists of automatic source code scans. “These are in addition to security code reviews and are performed by developers themselves. With these you potentially also discover other issues that are harder for humans to find. Furthermore, they also point you to vulnerable building blocks, and the use of third parties in your software.”
Champions
Shift Left Security is not just a matter of technology, says Ingmar: “Security has to become a standard part of the way of working in an organization. By means of training and education you ensure that all developers are security-aware and include this as standard in their way of working. You can also appoint so-called security champions, who have an above-average interest in security. These champions can inspire and teach other colleagues about security.”
The right balance
One possible risk is that security measures can come at the expense of agility, says Frank: “Ultimately, it’s always a trade-off between the risk, the impact on your organization if something goes wrong, and the investment you want to make in it. Because you can go very far with security, but at some point it can also come at the expense of usability. If the system becomes unusable and users start looking for detours, you also miss the mark. It’s ultimately about balance. How easily can a user get started with the system? You have to think about that, too.”
Finally, Shift Left Security does not mean that you don’t have to worry about security later in the process. Frank: “You have to keep paying attention to it even in later phases. Security is most powerful when you apply it everywhere, from start to finish.”