Understanding and Embracing Shift Left


When I was at a Gartner conference last June, a gentleman quietly asked me, “hey, that shift left thing the presenter kept mentioning – what does that mean?” It goes to show that not everyone is up on the latest terms in our rapidly changing industry. That said, I’m writing this blog to clearly identify what “shift left” is, how it can benefit your organization, and how it can be implemented in a practical manner.
What is Shift Left?
Shift left is a development strategy that emphasizes the importance of testing and quality assurance (QA) earlier in the software development life cycle (SDLC). The term originates from the idea of moving these critical processes “left” on the project timeline, which implies that they occur earlier rather than later. By incorporating testing and QA into the development process from the beginning, teams can identify and address issues sooner, leading to a more efficient and higher quality end product.
Below is a graphic from the Cloud Security Alliance Guidance v4 showing the steps to building secure software. Notice how security is a consideration much earlier in the steps, for example a trained workforce right at the start? This is “shifting left” in action.
Let’s take a few moments to understand some of the major points in the graphic:
Secure Coding Practices
Secure coding practices set a security mindset in development teams by establishing a set of guidelines, techniques, and best practices aimed at improving the security and reliability of software through reducing vulnerabilities and potential risks. By adhering to secure coding practices, developers can create software that is more resilient to attacks and that helps protect user data and system integrity. Some key secure coding practices include:
Input Validation
Always validate user input to ensure it meets the expected format, length, and type. This helps prevent injection attacks, such as SQL injection and cross-site scripting (XSS), where attackers can inject malicious code into the application through user input fields.
Output Encoding
Encode output data to ensure that any potentially harmful characters are neutralized before being displayed or processed. This can prevent XSS attacks and other code injection vulnerabilities.
Least Privilege
Limit the permissions and access levels of user accounts, applications, and processes to the minimum required to perform their intended tasks. This reduces the potential impact of a compromised account or application.
Secure Password Storage
Store user passwords securely, using strong hashing algorithms and salt to protect against brute force and dictionary attacks. Never store passwords in plain text.
Secure Communication
Use encryption, such as TLS (Transport Layer Security), to protect data transmitted between the client and server. This helps prevent data interception and man-in-the-middle attacks.
Error Handling and Logging
Implement proper error handling to avoid exposing sensitive information to attackers. Logs should be detailed enough to provide useful information for debugging and incident response, but should not contain sensitive data like passwords or personally identifiable information (PII).
Patch Management
Regularly update and patch software components, libraries, and frameworks used in your application to address known security vulnerabilities.
Code Reviews
Conduct regular code reviews to identify potential security issues and ensure adherence to secure coding practices. This can help detect vulnerabilities early in the development process.
Secure Session Management
Implement secure session management techniques, such as using secure cookies, setting appropriate timeout periods, and employing session regeneration to reduce the risk of session hijacking.
Security Training
Provide developers with regular security training to stay informed about the latest threats, vulnerabilities, and secure coding practices. This helps build a security-aware culture within the development team.
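Four of the practices above in working code, as an added example that is not part of the original post: allowlist input validation, HTML output encoding, salted slow-hash password storage with a constant-time check, and scrubbing of secrets and PII before logging. The function names, the username pattern and the sensitive-key list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import html
import os
import re

# Input validation: an allowlist of what a username may look like, not a
# denylist of "dangerous" characters. (Pattern is a constructed example.)
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

def validate_username(raw: object) -> str:
    """Accept only the expected type, format and length; reject everything else."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw

# Output encoding: neutralise markup characters before the value lands in HTML.
def render_greeting(display_name: str) -> str:
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"

# Secure password storage: random per-user salt, a deliberately slow hash, and a
# constant-time comparison. 600k is the PBKDF2-HMAC-SHA256 iteration count in
# OWASP's Password Storage Cheat Sheet.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Store algorithm and parameters alongside the digest so they can be rotated later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: fail closed
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not leak which byte differed through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Error handling and logging: redact secrets and PII before an event is logged.
SENSITIVE_KEYS = {"password", "ssn", "credit_card"}  # constructed list

def scrub_for_log(event: dict) -> dict:
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v for k, v in event.items()}
```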
Code Standards
Code standards are a set of rules and best practices that govern the style, structure, and organization of source code in a programming language. These standards aim to improve the readability, maintainability, and consistency of the codebase, making it easier for developers to understand, modify, and collaborate on the code. Code standards typically cover various aspects of coding, such as naming conventions, indentation, formatting, comments, error handling, and more.
Some of the key components of code standards include:
Naming Conventions
Naming conventions are rules for naming variables, functions, classes, and other code elements, which help convey their purpose and make the code more self-explanatory. For example, camelCase for variable names or PascalCase for class names.
Indentation and Formatting
Guidelines for indentation (e.g., tabs or spaces; cue the ongoing Silicon Valley “tab vs 4 spaces” joke), line breaks, and spacing to maintain a consistent visual structure throughout the codebase, making it easier to read and understand.
Comments and Documentation
Recommendations for writing clear and concise comments and documentation that explain the purpose, functionality, and usage of code elements, facilitating better understanding and collaboration among team members.
Code Structure and Organization
Guidelines for organizing code into logical components, such as functions, classes, and modules, to promote modularity, reusability, and maintainability.
Error Handling
Best practices for handling errors and exceptions, ensuring that the code is robust and can gracefully recover from unexpected situations.
Code Reusability
Encouraging the use of reusable components, functions, and libraries to reduce redundancy and promote efficient code maintenance.
Security
Adherence to secure coding practices to minimize vulnerabilities and protect the application from potential security risks.
Code standards can be language-specific, organization-specific, or project-specific. Many programming languages and communities have their own widely accepted code standards, such as PEP 8 for Python, Google’s Java Style Guide for Java, or Airbnb’s JavaScript Style Guide for JavaScript. Organizations and development teams can also create their own custom code standards based on their specific needs and preferences.
Enforcing code standards can be facilitated through the use of linters and code formatters, which are tools that automatically analyze and format code based on a set of predefined rules. Incorporating these tools into your development workflow can help maintain a consistent codebase and reduce the time spent on code reviews and maintenance.
Threat Models
The CSA Guidance doesn’t actually get into threat modeling very much. Basically, it mentions the STRIDE threat model and doesn’t elaborate on it. That said, it’s likely not a big deal for the CCSK exam. The CCSP, on the other hand, does go into threat modeling and presents a few different threat modeling approaches.
STRIDE
STRIDE is a threat modeling approach developed by Microsoft, and it is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. STRIDE focuses on categorizing threats into these six categories, providing a systematic way to identify and analyze potential threats in an application. Adam Shostack (a key developer of the STRIDE model while at Microsoft) wrote an excellent book on the subject, aptly called “Threat Modeling: Designing for Security”.
PASTA (Process for Attack Simulation and Threat Analysis)
PASTA is a risk-centric, seven-step methodology that aims to provide a comprehensive and structured approach to threat modeling. The steps include defining objectives, defining technical scope, application decomposition, threat identification, vulnerability analysis, attack modeling, and risk analysis. PASTA emphasizes aligning security measures with business objectives and covers the entire process, from threat identification to risk mitigation.
ATASM (Architecture, Threats, Attack Surfaces and Mitigations)
ATASM starts with understanding the structure of a system (the Architecture part of ATASM). From there, you identify Threats against the system, including attacker goals and typical attack patterns (MITRE ATT&CK is useful for this). Next comes identification of Attack Surfaces. Finally, you apply security controls (Mitigations).
Now that we’ve covered the main activities that “shift left”, let’s look at the benefits of doing so.
Benefits of Shift Left:
Improved Quality
By addressing potential issues early, shift left ensures that software is developed with fewer defects. This results in a more robust and reliable product, leading to increased customer satisfaction.
Reduced Time to Market
I understand the urge to rush to market by addressing security at the right edge of the timeline, but that is a proven way to ultimately spend more time fixing security issues than you would have spent identifying them before the application was built. Detecting and resolving issues early in the development cycle helps reduce the time it takes to release a product. This enables organizations to deliver new features and improvements to their customers more quickly.
Cost Savings
Identifying and fixing issues during the early stages of development is often less expensive than addressing them later. This can lead to significant cost savings over the long term.
Better Collaboration
The shift left approach fosters collaboration among development, QA, and operations teams by encouraging them to work together from the beginning of a project. This enhances communication and understanding across teams, resulting in a smoother development process.
Implementing Shift Left:
Integrate Testing and QA from the Start
Ensure that testing and QA are part of the development process from day one. This may involve embedding QA professionals within development teams, providing developers with testing tools, or adopting a test-driven development (TDD) approach.
Automate Testing
Automated testing tools can help streamline the testing process and enable developers to identify and address issues quickly. Look for opportunities to automate repetitive or time-consuming testing tasks, and invest in tools and technologies that support this effort.
Continuous Integration and Continuous Delivery (CI/CD)
Implement a CI/CD pipeline to automatically build, test, and deploy your code. This enables rapid feedback and faster issue resolution, ensuring that your product is always in a releasable state.
Encourage a Culture of Quality
Instill a mindset of quality and accountability among team members by promoting the importance of testing and QA at every stage of the development process. This can be achieved through training, team workshops, or by establishing quality metrics that everyone is responsible for meeting.
Collaborative Tooling
Use tools that facilitate collaboration and communication among development, QA, and operations teams. This might include issue trackers, project management software, or chat platforms that enable real-time communication.
Training Options For a Shift Left Culture
For training on application security and cybersecurity in general, we offer the following solutions to increase staff knowledge of security issues and instill a culture of security.
Certified Secure Software Lifecycle Professional (CSSLP)
From the ISC2 CSSLP Exam Outline:
The Certified Secure Software Lifecycle Professional (CSSLP) validates that software professionals have the expertise to incorporate security practices – authentication, authorization and auditing – into each phase of the software development lifecycle (SDLC), from software design and implementation to testing and deployment.
The broad spectrum of topics included in the CSSLP Common Body of Knowledge (CBK®) ensure its relevancy across all disciplines in the field of information security. Successful candidates are competent in the following eight domains:
- Secure Software Concepts
- Secure Software Requirements
- Secure Software Architecture and Design
- Secure Software Implementation
- Secure Software Testing
- Secure Software Lifecycle Management
- Secure Software Deployment, Operations, Maintenance
- Secure Software Supply Chain
Looking for CSSLP Training for yourself and your staff? Learn more about the course and check out our schedule!
Certified Cloud Security Professional (CCSP)
From the ISC2 CCSP Exam Outline:
(ISC)² developed the Certified Cloud Security Professional (CCSP) credential to ensure that cloud security professionals have the required knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and compliance with regulatory frameworks. A CCSP applies information security expertise to a cloud computing environment and demonstrates competence in cloud security architecture, design, operations, and service orchestration. This professional competence is measured against a globally recognized body of knowledge.
The topics included in the CCSP Common Body of Knowledge (CBK) ensure its relevancy across all disciplines in the field of cloud security. Successful candidates are competent in the following six domains:
- Cloud Concepts, Architecture and Design
- Cloud Data Security
- Cloud Platform & Infrastructure Security
- Cloud Application Security
- Cloud Security Operations
- Legal, Risk and Compliance
Looking for CCSP Training for yourself and your staff? Learn more about the course and check out our schedule!
CISSP
From the ISC2 CISSP Exam Outline:
The Certified Information Systems Security Professional (CISSP) is the most globally recognized certification in the information security market. CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.
The broad spectrum of topics included in the CISSP Common Body of Knowledge (CBK®) ensure its relevancy across all disciplines in the field of information security. Successful candidates are competent in the following eight domains:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
Looking for CISSP Training for yourself and your staff? Learn more about the course and check out our schedule!
Certificate of Cloud Security Knowledge (CCSK)
From the CSA CCSK Website:
Earning the CCSK will provide you with the knowledge to effectively develop a holistic cloud security program relative to globally accepted standards. It covers key areas, including best practices for IAM, cloud incident response, application security, data encryption, SecaaS, securing emerging technologies, and more.
Looking for CCSK Training for yourself and your staff? Learn more about the course and check out our schedule!
Conclusion
Hopefully you now understand the meaning of the shift left approach to application development. You have also seen its benefits and a high-level view of implementing it for future success. Application security is extremely important, and simply buying tools won’t address the root cause, which is systemic failure.