What does it mean for security to shift left?
Shifting left means that your organization does its best to avoid issues before they occur. It means being proactive instead of reactive and addressing issues and risks as soon as they are identified, rather than kicking the can down the road.
This principle is especially relevant and has been adopted throughout the DevSecOps process. Security has historically been one of those non-functional requirements that organizations would forget. But by making it a core requirement throughout a business process and building it into an organization’s cultural fabric, it gets shifted towards the left in the development lifecycle.
With GDPR having come into effect in May of 2017 businesses are now required to report the breach and held accountable by law.
The first of these was when British Airways was fined 138 million GBP due to a data breach. Similarly, we’re just a month away from the California Consumer Privacy Act (CCPA), which will take effect on January 1st 2020. Under CCPA, a data breach involving a Californian resident can cost you from $100 to $750 per record and that’s not accounting for if the actual damages are higher, in which case determines the fine.
IT teams, particularly developers need to be aware that data breaches can stem from vulnerabilities hidden within code, and if spotted early enough it can prevent hackers from exploiting them and save significant time and money from ‘technical debt’ down the line. Its time organizations give their developers accountability for security. But how can development managers turn developers into security champions and change the culture?
The importance of code review in the Software Development Lifecycle (SDLC)
Spending time doing code/peer reviews can often appear to slow down development progress. Therefore, some teams are reluctant to do them, or they simply rubber-stamp pull requests. However, its time well spent and is extremely important if you are serious about improving security and minimizing defects in your code. On top of that, it allows your development team members to learn from each other’s strengths and their mistakes. This could be seen as security training by osmosis.
It costs companies a lot more money to fix a defect once it’s in production than to catch it during development. The money saved from this outweighs the extra time to perform code reviews many times over. It’s important to ensure that feedback is given and received throughout all stages of the development process. Making developers more accountable and putting the feedback closer to where mistakes are made, it drives a culture where individuals become more security aware and take ownership of the consequences if a breach were to happen.
How does security training fit into your shift left strategy?
By training your team in security best practices, you empower the whole team and protect your bottom line from the start. You empower them in a skill that many consider to be essentially black magic. Implementing a safe code culture and creating a security training program means developers take more responsibility and feel a greater sense of mastery and feel more challenged. This is a drastic difference from the traditional feedback loop where a penetration test report lands on their desk every so often and they must explain to themselves why flaws exist. A rather demotivating feedback loop that everybody hates, which is more costly and less efficient. If developers can take time out to train in safe code practices in an interactive and fun environment, it’ll help upskill your workforce and encourages them to become a secure code warrior and advocate for your business.
We all know how inherently competitive developers are, so by adding a gamification element to training allows them to benchmark their performance, including real-life hacking scenarios to encourage them to get involved and receive the optimum benefits. The team feel more engaged as they compare their performance to their peers by tracking their scores on an interactive leaderboard. Better still, industry specific security training for gaming, finance and banking are now available to make it even more relevant.
No matter how your organization chooses to tackle security issues, a reactive approach will no longer cut it in the current threat landscape. In the best case, those who do not take the time to devise an effective shift left strategy will be left behind and lose their advantage in an environment where security has become a competitive differentiator. In the worst case, it could become an existential threat if there is a failure to put any effort towards it.
Implementing developer training alongside a robust application security testing solution is the foundation for high-functioning DevSecOps. It could help boost your resources and create greater value as staff feel more invested and motivated to promote security best practice. By giving them the tools to ‘self-start’ means you’re less likely to be hacked and have a harmonious workforce who all consider security a top priority.
Adversary, headquartered in Reykjavik, Iceland, builds an online, hands-on cybersecurity training platform for development teams. Adversary helps companies minimize the risk of being hacked by equipping them with the knowledge needed to avoid costly attacks before they happen. The platform puts trainees in the shoes of the hacker as they complete training missions, earn points, and advance to harder missions. This hands-on approach to training teaches IT professionals about why vulnerabilities such as OWASP top 10 arise and how to avoid them from occurring at all.