ALTERNATE UNIVERSE DEV

Code Patrol

Shift Smart: It’s not about shoving security into DevOps

There’s been an ongoing trend to shift left in software development: to move security testing earlier in the development process. The rationale: the earlier in the software development life cycle you find and eliminate a risk, the lower the cost to fix it and the shorter the time your application is exposed. Shifting left still makes sense in many situations, but there’s been pushback against doing it blindly: it’s become clear that there are right ways and wrong ways to do it.

In this Code Patrol episode, we asked two application security (AppSec) experts what happens when you shift left at the wrong time, at the wrong place in the development life cycle, or without ironing out communication between teams first.

Contrast Security Chief Technology Officer and Co-Founder Jeff Williams dives into the details with Chris Hughes, Chief Information Security Officer and Co-Founder of Aquia, a Service-Disabled, Veteran-Owned Small Business specializing in cloud and cybersecurity professional services. They drill down into how DevSecOps isn’t about shoving a tool into a pipeline. Rather, it’s about transforming the nitty-gritty work of security, which is still composed of big, monolithic tasks, such as pen testing, that are simply overwhelming when dropped whole into a fast-moving pipeline. A big part of that transformation: breaking down departmental silos as you overhaul the culture. Their hope: that organizations will ease off the shift-left-or-die approach and instead adopt a new concept called Shift Smart, an approach that’s all about doing each security activity at the point in the software development process where it makes the most sense, which might not be the same point for every kind of check. “It might be different for checking encryption versus checking input validation or back-end connections or whatever,” Jeff says. Shift Smart is about doing security when it’s the most cost-effective. Have a listen to hear about the techniques to do that.
