What is Shift Left Security?
The traditional software development process consists of four main stages: design, development, testing, and release to production. Testing therefore occurs only after development is complete. Fixing architectural flaws and security issues at this stage is expensive and time-consuming and can push out the delivery date.
The testing stage provides insights into flaws. Next, developers search for the contributing factors and ways to fix the issue. Usually, a defect is caused by a series of factors rather than a single one. Unfortunately, fixing factors related to security, availability, and performance is highly expensive because the fixes typically require architectural changes.
Instead of testing for security issues (and other issues) at the end of the cycle, you can integrate security at each stage of the continuous integration / continuous delivery (CI/CD) pipeline—from design and planning through to testing, UAT, and production. Shifting security left is proven to improve security for software projects and reduce the cost of remediating security issues.
You can shift left by integrating security controls and testing into the daily workflow of all roles, including developers, testers, and IT ops. To ensure efficiency and productivity, you should automate as many of these tasks as possible and integrate them into your pipeline.
Shift Left Security Tools
Here are a few tools that can help you automate security processes and integrate them into earlier stages of your development process.
Static Application Security Testing (SAST)
Static application security testing (SAST) technology analyzes source code to find security weaknesses and vulnerabilities. SAST is a white box technique that helps shift security left by finding flaws in the source code early in the development lifecycle, ensuring developers can fix these issues before releasing the final program into production.
SAST tools analyze your application from the inside, examining not only source code but also byte code and binaries while the application is inactive. Since SAST scans do not require a working application or running code, you can apply them early in the development lifecycle. As a result, developers get feedback as they code the application and can fix issues as they arise.
To ensure you catch vulnerabilities during development, you need to use SAST scans consistently, on a daily or monthly basis.
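As an added illustration (not a tool from the article), here is a minimal SAST-style checker in Python: it walks a file's syntax tree without executing anything, flagging `subprocess` calls with `shell=True` and SQL statements assembled from strings. The rule names and the sample source it scans are constructed for this example.

```python
"""Minimal SAST-style checker (added illustration, not a real product):
walks a Python source file's AST and reports two common weaknesses
without running the code, which is what lets it run in the editor or CI."""
import ast

SHELL_CALL = "SHELL_TRUE"        # subprocess call with shell=True
SQL_CONCAT = "SQL_STRING_BUILD"  # SQL statement assembled from strings


def _is_string_built(node):
    """True if the expression is a string assembled at runtime
    (f-string, % formatting, + concatenation, or str.format())."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def scan_source(source):
    """Return sorted (line, rule) tuples for each finding in the source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        attr = func.attr if isinstance(func, ast.Attribute) else None
        # Rule 1: subprocess.<anything>(..., shell=True)
        if attr and isinstance(func.value, ast.Name) and func.value.id == "subprocess":
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, SHELL_CALL))
        # Rule 2: <cursor>.execute(<string built at runtime>, ...)
        if attr in ("execute", "executemany") and node.args and _is_string_built(node.args[0]):
            findings.append((node.lineno, SQL_CONCAT))
    return sorted(findings)


# Constructed sample input standing in for a file under review.
SAMPLE = '''import subprocess
def run(cmd):
    return subprocess.run(cmd, shell=True)
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))  # parameterised: fine
'''

if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE):
        print(f"line {line}: {rule}")
```

Because the check needs only the parse tree, it can run as a pre-commit hook or CI step on every change, which is the cadence the text is arguing for.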
Dynamic Application Security Testing (DAST)
Dynamic application security testing (DAST) tools analyze a web application at runtime to identify security weaknesses and vulnerabilities. DAST is a black box technique that helps find flaws in running programs without inside access to the source code. It helps shift security left by crawling the application during and after development to detect flaws.
You can apply DAST testing once the application has advanced past the early stages and is running in a test or production environment. DAST tools examine the application while it is working, attempting to attack it like a threat actor. A DAST test provides insights into application behavior, helping identify likely attack entry points and eliminate these threats.
DAST tools continuously scan web applications during and after development, typically crawling through the app before scanning it. The tool first tries to find all exposed inputs on pages in the application and then tests each one. The test's output includes identified vulnerabilities likely to be exploited by external actors.
DAST tools typically test only the exposed HTML and HTTP interfaces of your web-enabled apps. However, you can also find tools that test non-web protocols and data malformation, such as the Session Initiation Protocol (SIP) and remote procedure calls (RPC). A DAST tool can also employ a fault injection technique, such as malware injection, to identify threats like SQL injection (SQLi) and cross-site scripting (XSS).
Zero-Trust Network Access (ZTNA)
Zero-trust network access (ZTNA) solutions and services decouple access to the network and access to resources. They create context-based and identity-based access control, hiding resources from discovery.
ZTNA solutions provide access via authentication to a trust broker that acts as a mediator between each specific application and authorized user. The trust broker offers centralized control and management. You can deploy this broker in data centers as an appliance or software or use a cloud-based managed service.
ZTNA eliminates the separation between private clouds, VPNs, and SaaS applications by unifying access to applications. It offers centralized control and capabilities to provide users only with appropriate access specific to their devices, times of use, and locations.
Another advantage of ZTNA is that it provides secure access for IoT devices. ZTNA solutions can detect anomalous behavior, like attempted access to restricted information, unusual time-of-day access, and abnormal amounts of data downloads.
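An added sketch, not any vendor's code, of the per-application decision a ZTNA trust broker makes from identity, device posture, time of day, location, and download volume. The application name, groups, business hours, countries, and byte limit are constructed assumptions.

```python
"""Toy ZTNA trust-broker policy decision (added illustration, not a vendor's
product). The broker evaluates identity, device posture and request context
for each application; resources stay hidden unless it returns allow."""
from dataclasses import dataclass


@dataclass
class Context:
    user: str
    groups: frozenset
    device_managed: bool   # device posture as reported by the endpoint agent
    hour: int              # local hour of day, 0-23
    country: str
    bytes_today: int = 0   # running download volume, for anomaly checks


@dataclass
class AppPolicy:
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    hours: range = range(7, 20)                  # constructed business hours
    countries: frozenset = frozenset({"DE", "FR"})
    daily_byte_limit: int = 2 * 1024 ** 3        # flag abnormal download volume


def decide(policy, ctx):
    """Return (allowed, reasons); each reason is also an alert-worthy signal."""
    reasons = []
    if not policy.allowed_groups & ctx.groups:
        reasons.append("identity: user is not in an authorised group")
    if policy.require_managed_device and not ctx.device_managed:
        reasons.append("device: request from an unmanaged device")
    if ctx.hour not in policy.hours:
        reasons.append("time: access outside permitted hours")
    if ctx.country not in policy.countries:
        reasons.append("location: request from an unexpected country")
    if ctx.bytes_today > policy.daily_byte_limit:
        reasons.append("anomaly: download volume exceeds the daily limit")
    return (not reasons, reasons)


# Constructed sample: a payroll application and two requests from the same user.
PAYROLL = AppPolicy("payroll", frozenset({"finance"}))
GOOD = Context("alice", frozenset({"finance"}), True, 10, "DE")
ODD = Context("alice", frozenset({"finance"}), True, 3, "DE", bytes_today=3 * 1024 ** 3)

if __name__ == "__main__":
    print(decide(PAYROLL, GOOD))   # (True, [])
    print(decide(PAYROLL, ODD))
```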
Runtime Application Self-Protection (RASP)
Runtime application self-protection (RASP) technology runs on a server and starts working whenever an application starts running. It helps shift security left by detecting attacks on applications in real time. RASP continuously monitors the application's behavior, identifies attacks, and immediately mitigates them without human intervention.
Once the application starts running, RASP analyzes its behavior in context to protect it from malicious behavior or input. It incorporates security into an application running on a server, intercepts all application calls to a system to ensure they are secure, and validates all data requests directly within the application.
You can use RASP to protect web and non-web applications. Since RASP operates on the server, it does not affect the design of the tested application. Once RASP identifies a security event, it takes control of the application and attempts to address the issue. RASP offers two main modes:
- Diagnostic mode—RASP pushes an alarm to let you know an issue occurred.
- Protection mode—RASP attempts to stop the issue. For example, RASP can prevent the execution of database instructions that resemble SQL injection attacks, terminate a user session, stop an application’s execution, and send alerts to stakeholders.
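The two modes described above, as an added toy example that is not any RASP product's code: a guard wrapped around a database cursor learns the structure of the statement each call site normally issues and, when that structure changes, records an alert (diagnostic mode) or refuses to run the statement (protection mode). The schema, the table contents, and the inputs are constructed.

```python
"""Toy RASP-style database guard (added illustration, not any product's code).
It sits between the application and the driver, learns the lexical skeleton of
each call site's statement, and treats a change of skeleton as probable SQLi:
diagnostic mode only alerts, protection mode also refuses to execute."""
import re
import sqlite3
import sys

DIAGNOSTIC, PROTECTION = "diagnostic", "protection"
# Tokeniser: quoted strings, numbers, words, then any other single character.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\S")

def skeleton(sql):
    """Replace literals with placeholders so only the statement's structure remains."""
    out = []
    for tok in _TOKEN.findall(sql):
        out.append("STR" if tok.startswith("'") else "NUM" if tok.isdigit() else tok.upper())
    return tuple(out)

class BlockedStatement(Exception):
    """Raised in protection mode instead of running a suspicious statement."""

class GuardedCursor:
    def __init__(self, cursor, mode=PROTECTION):
        self.cursor, self.mode = cursor, mode
        self.baselines = {}   # call site -> skeleton learned on first use
        self.alerts = []      # events that would be pushed to stakeholders

    def execute(self, sql, params=()):
        site = sys._getframe(1).f_lineno   # identify the calling line in the app
        shape = skeleton(sql)
        expected = self.baselines.setdefault(site, shape)
        if shape != expected:
            self.alerts.append((site, sql))
            if self.mode == PROTECTION:    # stop this statement, keep the app running
                raise BlockedStatement(f"statement structure changed at line {site}")
        return self.cursor.execute(sql, params)

def demo(mode=PROTECTION):
    """Constructed scenario: a concatenated query meets a tautology; returns (rows, alerts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice'), ('bob')")
    cur, rows = GuardedCursor(conn.cursor(), mode), []
    for name in ("alice", "x' OR '1'='1"):
        try:   # same call site both times, so the first shape becomes the baseline
            rows += cur.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
        except BlockedStatement:
            pass
    return len(rows), len(cur.alerts)
```

In diagnostic mode the second statement still runs and returns every row, which is exactly the event the alert reports; in protection mode only the first, expected statement reaches the database.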
In this article, I explained the basics of DevSecOps and described four types of tools that can help you automate security as part of your software delivery lifecycle:
- SAST – scanning application source code for security vulnerabilities during early development stages.
- DAST – scanning applications while they are running in testing, staging, and production environments.
- ZTNA – controlling access to applications and data according to the current security context of each connection.
- RASP – continuous monitoring of application behavior and actively protecting against malicious user activity.
I hope this will be useful as you step up your application security program.