Shift Left and Extend Right Security: Empowering Developers

The Evolution of DevOps Security: Beyond DevSecOps
DevOps, at its core, prioritizes collaboration and rapid iteration. Bolting security and compliance gates onto that process after the fact, however, tends to dilute both of those principles.
The Misconception of DevSecOps
The term “DevSecOps” has gained prominence in recent years, aiming to integrate security seamlessly into the DevOps lifecycle. In practice, however, security tools are frequently bolted onto existing pipelines as afterthoughts, with more automation wrapped around them. This approach, while labeled “DevSecOps,” often fails to embody the collaboration and agility DevOps was meant to deliver.
Ideally, developers would be thoroughly trained in secure coding practices, from front-end development to back-end systems, and adept at preventing vulnerabilities such as SQL injection and broken authorization. They would also have, at the initial design stage, all the information needed to make informed security decisions.
The Reality of Developer Security Knowledge
The ideal scenario rarely materializes. Despite the increased ownership developers have over deployment through CI/CD automation, they often lack visibility into the information they need (what data the service handles, who may call it, which controls already exist) to make proactive security choices before writing the first line of code.
Finding and fixing vulnerabilities after they have been written yields diminishing returns. A more effective strategy equips developers with the knowledge and training to keep potential risks from becoming actual vulnerabilities in the first place.
Proactive Security Through Contextual Awareness
For example, consider a developer tasked with adding Personally Identifiable Information (PII) fields to a public-facing API. The security of that new functionality rests first on the authorization controls enforced at the cloud API gateway: who may call the endpoint at all, and which caller may see which record. “Shifting left and extending right” isn’t simply about a scanning tool or a security architect detecting the gap earlier; it’s about giving the developer that complete context up front so the vulnerability is never written.
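The PII endpoint described above, as an added example that is not code from the original post: a hypothetical `GET /customers/{id}` handler in Python, first with a gateway route check only (any caller holding the `customer` role can read any customer's record) and then with the object-level check the developer needs to know to write. The route table, customer IDs, role names and record fields are all constructed for illustration and do not correspond to any real gateway product.

```python
"""Authorization on a public API endpoint that returns PII.

Added example, not code from the original post. Everything here is
hypothetical: the route, the customer records, the role names and the
split between gateway policy and handler check are constructed to
illustrate the point, not taken from any real gateway product.
"""
from dataclasses import dataclass

# Constructed sample store: two customer records containing PII.
CUSTOMERS = {
    "c-1001": {"name": "Ada Example", "email": "ada@example.invalid", "ssn_last4": "1234"},
    "c-1002": {"name": "Bob Example", "email": "bob@example.invalid", "ssn_last4": "5678"},
}

# Hypothetical gateway route policy: which roles may reach which route.
ROUTE_POLICY = {
    ("GET", "/customers/{id}"): frozenset({"customer", "support"}),
}


@dataclass(frozen=True)
class Principal:
    """Caller identity as the gateway would pass it to the service after
    validating the bearer token (constructed for this example)."""
    subject: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def gateway_authorize(method, route, principal):
    """Coarse-grained check at the gateway: the route must exist in the
    policy and the caller must hold at least one of its allowed roles.
    This stops anonymous callers, but it says nothing about *which*
    customer a caller with the 'customer' role may read."""
    allowed = ROUTE_POLICY.get((method, route))
    if allowed is None or not (principal.roles & allowed):
        raise Forbidden(f"{method} {route}")


def get_customer_vulnerable(principal, customer_id):
    """Handler that trusts the gateway alone. Any caller who passed the
    route check can read any customer's PII by guessing IDs: broken
    object-level authorization."""
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise NotFound(customer_id)
    return dict(record)


def get_customer(principal, customer_id):
    """Hardened handler: the caller must own the record or hold the
    'support' role, and non-support callers never receive ssn_last4."""
    is_owner = principal.subject == customer_id
    is_support = "support" in principal.roles
    if not (is_owner or is_support):
        # Deny before looking up the record, with the same error for
        # existing and missing IDs, so the endpoint cannot be used to
        # enumerate valid customer IDs.
        raise Forbidden(customer_id)
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise NotFound(customer_id)
    if is_support:
        return dict(record)
    # Field-level minimisation: an owner reading their own profile does
    # not need the SSN fragment echoed back.
    return {k: v for k, v in record.items() if k != "ssn_last4"}


def handle_request(principal, customer_id, handler=get_customer):
    """Full path of one request: gateway policy first, then the handler."""
    gateway_authorize("GET", "/customers/{id}", principal)
    return handler(principal, customer_id)


def raises(exc, fn, *args):
    """Helper for the checks below: True if fn(*args) raises exc."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    ada = Principal("c-1001", frozenset({"customer"}))
    bob = Principal("c-1002", frozenset({"customer"}))
    agent = Principal("u-42", frozenset({"support"}))
    # Bob passes the gateway and reads Ada's PII through the weak handler...
    print("vulnerable:", handle_request(bob, "c-1001", get_customer_vulnerable))
    # ...but is refused by the hardened one.
    print("hardened refuses Bob:", raises(Forbidden, handle_request, bob, "c-1001"))
    print("Ada sees own record:", handle_request(ada, "c-1001"))
    print("support sees all fields:", handle_request(agent, "c-1001"))
```

The point of the two handlers is the gap the post describes: the gateway policy is necessary but only answers "may this role reach this route", and a developer who does not know that up front will ship `get_customer_vulnerable` and rely on a later scan to catch it. The hardened handler also deliberately returns the same error for a missing and a foreign record, so the endpoint cannot be used to enumerate valid IDs.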
Continuous feedback mechanisms are essential for significantly enhancing developers’ security expertise.
Rethinking Security Training
Security training often falls into a “check-the-box” exercise, rather than a collaborative and contextual learning experience. Post-incident training, aimed at preventing recurrence of discovered vulnerabilities, is a reactive approach.
A superior method involves understanding a developer’s existing experience, skill set, and objectives within the application’s context – including the technologies, frameworks, and APIs utilized.
Organizations should provide training proactively, at the moment a developer first encounters a new security control, rather than after a security issue has already arisen. The same applies to new languages, technologies, and unfamiliar layers of the application stack. A holistic view spanning everything from the Jira ticket to the production configuration would let training be delivered where and when it is needed, which is what genuine developer empowerment requires.
The Evolving Role of Security Professionals
This revised approach to DevSecOps will positively transform the role of security architects and Application Security (AppSec) engineers. Instead of being consumed by vulnerability scan results, they can dedicate more time to strategic initiatives and continuous learning.
Their focus will shift towards knowledge acquisition – staying abreast of the latest security and compliance challenges, secure coding techniques, and defensive strategies. They will then prioritize knowledge sharing with developers, fostering a new level of collaboration between security and development teams.
True "Shift Left and Extend Right"
Genuine “shift left and extend right” security transcends merely identifying vulnerabilities earlier. It builds upon the core principles of DevOps to seamlessly integrate security into the development process.
Empowering developers with the appropriate context and information at the right moment is the key to transforming software development practices. This requires organizational buy-in, but those who succeed will achieve faster, more secure code releases, and cultivate happier, more knowledgeable, and better-trained software development teams.
