The Basics of Shift Left AppSec

by in CyberRes

Software developers know that the phrase “Shift Left” means testing for (and preventing) defects earlier in the software development process. The phrase is so ingrained that it’s even trendy to say “Shift Left isn’t enough” (the point being that the testing also needs to be automated).

Rob Aragao, CISSP, is a Chief Security Strategist at Micro Focus. He recently shared his view of shift left in this great video on our Fortify Unplugged YouTube channel: Shift Left - Building Security into your SDLC. Here are some highlights:

Organizations have been evolving, from waterfall to agile and now to DevOps. By now, most organizations are adopting, if not completely following, a DevOps program approach.

DevOps is typically depicted as an infinity loop. You don’t see security specifically called out, which is okay, because what we want is for security to be inherently baked in. There’s a split opinion about whether DevSecOps is even worth saying as a separate term; in the long run, most people agree that security testing should simply be a part of DevOps. This is a hallmark of a cyber resilience culture, where organizations can prepare for, respond to, and recover from cyberattacks when they happen.

The ratio of developers to security champions is pretty high… we see 80:1 as a commonly quoted figure, but that ranges quite a bit from org to org. I recall a recent customer saying their ratio was 300:1.

That sets up a situation where QA is already testing for defects. Why not view security vulnerabilities as just another defect category? As Rob points out in his video, to achieve that, an application security program must have three key attributes: integration, automation, and agility.

Integration is all about making the developers’ world as seamless as possible with the tooling that supports application security testing, and baking that tooling in. It means embedding those tools within the IDE, so the IDE can call out and say ‘hey, by the way, you just unfortunately inserted this line of code that actually introduces a SQL injection, a cross-site scripting flaw, or whatever vulnerability,’ and then tell the developer how to fix the issue.

Automation is about including security as part of the DevOps toolchain. This can occur in the IDE while coding, and at the commit, build, and testing phases. This is a major emphasis of every AppSec program.

As for agility, we can summarize it as providing insight and results quickly for relevant issues, together with suggested fixes. The developer wants to fix the code and move on. A side benefit is that developers learn not to repeat the same coding errors.
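To make the three attributes concrete, here is an added example (not code from the post or from Fortify) of what “a vulnerability is just another defect” looks like in a test phase: a small AST-based check, written for this page, that flags SQL built from runtime values in `cursor.execute(...)` calls, reports a suggested fix, and can fail a build like any other unit test. The two source snippets it scans are constructed samples.

```python
"""Minimal SAST-style gate: treat a SQL injection pattern as a test failure."""
import ast
from dataclasses import dataclass

# Constructed sample: a handler that builds the query text by string concatenation.
VULNERABLE_SRC = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''

# Constructed sample: the same handler using a parameterised query (the suggested fix).
FIXED_SRC = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''


@dataclass
class Finding:
    line: int
    message: str
    fix: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime: concat, %-format, f-string, .format()."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x   or   "..." % x
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")                  # "...".format(x)


def scan_source(source: str) -> list[Finding]:
    """Flag every .execute(...) call whose first argument is assembled at runtime."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(Finding(
                line=node.lineno,
                message="SQL query text is built from runtime values (possible SQL injection)",
                fix="pass values as query parameters: execute(sql, (value,))",
            ))
    return findings


def passes_security_gate(source: str) -> bool:
    """Run the check as an ordinary pass/fail test so CI treats it like any other defect."""
    return not scan_source(source)
```

Wiring `passes_security_gate` into the test stage (or an IDE linter) gives the developer the line number and the fix in the same place other defects appear.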

Rob’s presentation continues with insights on establishing an AppSec program and evolving its capabilities to achieve a truly automated “Shift Left” security testing process.

If you’d rather read than watch a video (or both), also check out this Mature Your AppSec Program white paper. It’s a great follow-up to Rob’s video, and it provides some concrete strategies to mature your AppSec program based on your organization’s needs.

About Micro Focus Fortify

Fortify lets you build secure software fast with an application security platform that automates testing throughout the CI/CD pipeline to enable developers to quickly resolve issues. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premises or as a service, offering organizations the flexibility needed to build an end-to-end software security assurance program.

