Shift Left on Security


Matthew Henry

Next on our journey to Accelerate the organization? Security.  Imagine that, thinking about security up front will allow your organization to accelerate the building and scaling of applications.

We need to “shift left” on security.  To “shift left” means to take something that is normally done later in a process and move it earlier in that process.  In a timeline that goes left to right, we “shift left” or move it earlier in the timeline.

But what does that really mean when we are talking about security?

By shifting security to the left we are bringing it in during the design and architecture of the application/system that we are building.  Instead of asking after the fact what security protocols we should have been following, we ask before we build so that we can build with those protocols in mind.

We’ve all seen the chart / heard the story about how it is less expensive to fix a bug early in the life cycle of an application than later.

Think of security problems just like they are bugs.  And like every bug, they are cheaper and easier to fix the sooner they can be addressed.  And, to be honest, it’s not rocket science to incorporate security best practices from the beginning.  It will probably mean talking to the security people before you build or even reviewing the current security best practices and incorporating them into your development process.

What it does, however, is force you to think of things differently.  Instead of thinking like a developer or an end user, you think in terms of hackers and bad guys.  Instead of trying to let authorized users look at what they need to, you think in terms of preventing unauthorized users from looking at what they want.  You shift things around in your brain until you are looking at all angles of a solution and not just a single viewpoint.

People have altered the DevOps phrase to include Security so that it now looks like DevSecOps.  I think that’s just the security guys feeling left out.  In my mind if you are developing the way you are supposed to, you are automatically including secure coding practices within the development stream.  There is no need to add “Sec”, otherwise everyone will start claiming their three letters of fame:  DevSecBRMOps or DevSecBRMPMPOps or …  You see where I’m going?

Security needs to be an integrated part of the development process so that it doesn’t seem like you’re doing security, you just are.

It’s as simple as that.
