Shift left on Security

Published date: April 15, 2024, Version: 1.0

Overview

Shift left on security is a DevOps capability that integrates security considerations into the software development process in the earliest stages. Traditionally, security testing was only performed towards the end of the development cycle, after development and testing had been completed. Unfortunately, this approach often led to the discovery of significant issues that were expensive to fix and could delay project timelines.

Why Shift left on Security

By shifting security left, teams can identify potential issues much earlier in the development process and address them before they become costly problems. This involves making security considerations a part of everyone's daily work and integrating them into the software development lifecycle's design, development, testing, and release phases.
With shift left on security, developers and security experts work together to identify potential security vulnerabilities and architectural flaws at the outset of the assignment. They then design and deliver work in small batches throughout the development process, continuously testing and monitoring for security and design issues. By building security considerations into the product from the beginning, teams can reduce the likelihood of costly problems arising later in the development cycle.

DORA State of DevOps Program

Shift left on security also involves automating security testing and controls and integrating them into the deployment pipeline. This enables teams to generate evidence on demand demonstrating the effectiveness of their security controls and design decisions, which is helpful for auditors, assessors, and anyone involved in the development process. Ultimately, shift left on security is a crucial capability that drives higher software delivery and organizational performance, as demonstrated by research from the DORA State of DevOps program.


Adoption expectations

System Components                                    MVP    MVP+
Adopt static code analysis tools into CI process      +      +
Enable static code analysis as a quality gate                +
Include InfoSec team into design activities                  +
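The two MVP/MVP+ items on static analysis come down to one mechanism: the CI job runs the analyser, then a gate step reads the report and fails the build when findings above an agreed severity exist. The script below is an added example, not part of this document and not the output format or API of SonarQube or Veracode; it reads a SARIF 2.1.0 report (the interchange format many static analysers can emit), applies a severity threshold, and optionally ignores findings already recorded in a baseline so that only new code is gated. The embedded report is constructed sample data.

```python
"""Static-analysis quality gate for a CI pipeline (added example).

Reads a SARIF 2.1.0 report, applies a severity threshold, optionally
skips findings present in a baseline (so legacy findings do not block
every build while new code is held to the gate), and exits non-zero
when the gate fails so the CI job fails with it.
"""
import json
import sys

# SARIF result levels, lowest to highest.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF document standing in for a scanner's report file
# (not real SonarQube or Veracode output).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "user input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def finding_key(result):
    """Stable identity for a finding (rule, file, line); used for baselines."""
    loc = result.get("locations", [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "")
    line = loc.get("region", {}).get("startLine", 0)
    return (result.get("ruleId", ""), uri, line)


def collect_findings(sarif):
    """Flatten all runs into a list of (key, level, message) tuples."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            # SARIF treats a missing level as "warning".
            level = result.get("level", "warning")
            text = result.get("message", {}).get("text", "")
            findings.append((finding_key(result), level, text))
    return findings


def evaluate_gate(sarif, threshold="warning", baseline=frozenset()):
    """Return (passed, blocking): blocking lists findings at or above the
    threshold whose key is not in the baseline set."""
    min_rank = LEVEL_RANK[threshold]
    blocking = [f for f in collect_findings(sarif)
                if LEVEL_RANK.get(f[1], 2) >= min_rank and f[0] not in baseline]
    return (len(blocking) == 0, blocking)


def main(argv):
    # Usage: gate.py [report.sarif] [threshold]; with no file the sample runs.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    threshold = argv[2] if len(argv) > 2 else "warning"
    passed, blocking = evaluate_gate(sarif, threshold)
    for (rule, uri, line), level, text in blocking:
        print(f"{level.upper()}: {uri}:{line} [{rule}] {text}")
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring this in as the last step of the CI job is what turns the "adopt static analysis" item into the "quality gate" item: the analyser alone only produces a report, while the non-zero exit is what stops a merge. The baseline set is the piece teams usually want when enabling the gate on an existing codebase, because it lets the gate apply to new findings immediately without first fixing every historical one.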

Tools

Functionality                      Tool Name
Version Control System             Git
Initial Static Security Checks     SonarQube
Static Vulnerability Scanning      Veracode

Roles

Name                                                     Responsibilities
Scrum Master/Team Coach                                  Encourage automation and shift left on security verifications
Solution Architect; System Architect                     Include shared system security requirements in the architecturally significant requirements
Security Engineer                                        Identify and maintain system security requirements
Developer; Build Engineer; System Engineer; App Admin    Follow shared system security requirements at the level of application, configuration and infrastructure; adopt automated security verification solutions in the delivery process