The concepts of shift left and shift right are impressive in securing the development process, but also for those who desire to take items that step further there’s shift everywhere
- Paul Holland,Information Security Forum
Published: 02 Sep 2022
This is a long-held belief that security must are more prominent in the development lifecycle. Instilling this belief in the developer community, however, has shown to be rather challenging. Work has been ongoing from different angles to attain the goal of secure development, but we still appear to have some strategy to use (although some organisations have made great strides up to now and lessons could be learned, as our research shows).
A variety of approaches is required to realise secure application development. Implementing security tools to greatly help measure the complied application code, review the libraries used and perform regular vulnerability scanning are on the list of possibilities to organisations. With the addition of in the proper processes and the proper people, who should also learn and operate in a culture that’s supportive of secure by design and development thinking, organisations can begin to start to see the benefits that secure application development may bring to the business enterprise.
The idea of shift left has shown to be impressive in supporting this ambition. If you feel about application development as a timeline, that is about taking the security considerations and shifting them left towards to the start of that timeline so they are incorporated at the initial stage possible. This could be supported by getting security elements contained in the non-functional requirements for the application form, for instance.
While shift left pays to and will improve security within application development, this is simply not enough considering the complete application lifecycle. That’s where two other elements enter into play, plus they are complementary. They’re shift right and DevOps, or even more importantly DevSecOps. Shifting right is approximately taking security to the proper of the application form development timeline and, similarly, DevSecOps is approximately having security in every components of the development process.
Paul Holland, Information Security Forum
Developers should recognise the significance of these role in the applications success after development, like the need for maintaining a secure environment for consumers. Having developers mixed up in support of the applications they write helps them to comprehend the necessity for quality within their coding and effective management of defects.
For organisations that are looking to take things a step further in securing their application development, there’s shift everywhere. After you have mastered shifting left and right, another logical step would be to automate components of development and support. That is to make sure they happen also to ensure consistency.
It is possible to only shift everywhere after you have matured your development activities, in fact it is probably the most mature processes which are the likely initial candidates for automation. Automating your established processes and tools takes the logic of shifting and incorporates it into everything, hence the word shift everywhere.
Shifting everywhere provides multiple benefits, normally the one being better developed applications which can be supported and updated by way of a team of experts. This has the advantage of giving the merchandise owner confidence that the application form has been coded to a higher quality level and security, and also if you can find problems the teams involved can fix the issues quickly. Consumers may also benefit, because they will have an improved experience with an increased quality application and you will be at less threat of an insecure application leaking their data.
With DevSecOps, the theory would be to combine the three core elements development, security and operations into one team and something overall cohesive process, where all of the team focus on development, add the security elements and undertake the ongoing maintenance of the operation of this application. This combined approach is effective with shifting everywhere in addition to left and right, so organisations that also use DevSecOps can gain greater reap the benefits of shifting aswell.