The shift left in security culture


This article was published in the Ergon Magazine SMART insights 2021. Order your free copy now ->

Development, security and operations form one team to test ideas, quickly, and get feedback early on. They automatically incorporate security tools into every phase of the software development life cycle. The result is secure software that is as fast as Agile and DevOps. Security becomes both economiser and accelerator.

Companies are becoming increasingly agile and customer-centric so that they can respond more swiftly to meet new challenges. Customers today want the best services and features – and they want them to be continuously available, easy to use and secure. Needs will be no less great, the pace no slower and the complexity no simpler in the future. To perform to their best, companies must dismantle their silos and rethink their legacy processes.

Agile and DevOps have already brought significant enhancements to software development, as they make companies faster and more responsive. The next evolutionary phase here is DevSecOps, short for Development, Security and Operations. United and aligned, Agile and DevSecOps achieve their common goals of short deployment cycles and the best possible customer experience.

The power of three

DevSecOps is the natural and necessary progression in approaches to security in software development. It automatically incorporates cybersecurity into each stage, from ideation to integration; testing and deployment; and on to the release of the final software. DevSecOps is an expansion of DevOps. The two methods have their similarities, such as automation and continuous processes, to establish collaborative development cycles. But while DevOps prioritises delivery speed, with DevSecOps it is security that counts. Security is embedded from the start, thereby shifting to the left in the product-development cycle.

In the interests of historical perspective, it is worth pointing out that security used to be tacked on to software at the end of this cycle - almost as an afterthought and tested by an additional team.

That was still manageable in the old days of software updates once or twice a year. Then along came Agile and DevOps practices, targeting rapid releases within days or weeks. The downstream approach to security could no longer keep up.

The aim is to protect applications continuously from the word go, which means bringing security forward. Rather than tackling weaknesses and risks at the end, this approach monitors security right from the start and then throughout the software development process. Security professionals see this as a shift left for security along the timeline, from development to deployment.

Roman Hugelshofer, Managing Director Application Security, Member of the Executive Board, Ergon

“United and aligned, Agile and DevSecOps achieve their common goals of short deployment cycles and the best possible customer experience.”

Roman Hugelshofer Managing Director Application Security, Member of the Executive Board, Ergon

Automatically secure

DevSecOps seamlessly integrates application security into Agile and DevOps processes. Security tools automate the provision of secure software without slowing down the development cycle. This anticipates security problems with proprietary or third-party software before they happen. For example, a scanner can check modules automatically for potential weaknesses whenever something changes.

It is generally faster, simpler and cheaper to fixbugs when they occur than to wait for a subsequent security test, or just before going live.

The easier to use, the better the adaption

Despite all due care and attention, security gaps may still be found after the software enters operational use. Incorporating third-party applications and opensource components makes it particularly susceptible to issues emerging or developing over time, necessitating fixes in the live system.

Security tools such as microgateways, which are used in development, enable developers to set security rules easily themselves not only while they are building the application, but also afterwards, when it is live. They do not have to rely on a security professional. That is important because in many cases security tools are not made with developer-friendliness in mind. The right tools improve all-round security-consciousness, which becomes an integral part of the software development process. Since budgets for security tools are often set by security teams, ease of use for developers is a crucial factor in their successful adaptation.

Double the protection, double the security

The DevSecOps approach ensures that security is integrated optimally into applications. It guarantees that cybersecurity keeps pace with the speed of innovation and it begins to build up a culture, not to mention cooperation, between development, security and operations teams. It is impossible to apply security universally throughout a company, however. There may be older unsupported legacy systems, third-party software modules or separate activities by other departments that are out of scope for development teams.

For as long as these legacy applications exist outside of the DevSecOps environment, or DevOps teams neglect to implement security fully from the ground up, conventional tools such as firewalls are still recommended to provide a second line of defence.

The double defence tactic is a common one, as most modern organisations work with a mix of old and new IT. This is the case especially with movements such as open banking, in which banks with established legacy environments rely on fast, secure connections with third-party applications. The important thing is to plan moves like this as part of the software life cycle. In development, security rules must also reflect user requirements at all stages. Security must offer maximum protection but users should scarcely be aware that it is there.

Shift left – spotlight on security

Shift left – spotlight on security Source:

Automation saves costs

The initial investment in automating security should not be underestimated. Each significant change will slow down day-to-day operations at first and naturally also involve costs. That investment will pay off, however. It means fewer time-consuming manual checks and thus a lower error rate, while security and speed both improve.

It clearly makes long-term financial sense to prevent major security incidents and the resulting loss of reputation before they occur. The ability to recognise an attack and to act fast is crucial. In addition, DevSecOps creates a more agile system that can be started and updated more quickly. With the help of DevSecOps engineers, companies can automate their security infrastructures and thus simplify a highly technical, time-consuming and error-prone process.

Daniel Estermann, Product Marketing Manager Airlock, Ergon

“The aim is to protect applications continuously from the word go, which means bringing security forward.”

Daniel Estermann Product Marketing Manager Airlock, Ergon

People, processes and tools

The trinity of people, processes and tools is key to the success of DevSecOps. It takes a culture in which there is no “us” and “them”, just “us” and we all share responsibility for the security of our software. That may sound simple but it demands a whole new way of thinking.

The security team must believe that the developers want to write and deploy secure software. DevOps must in turn recognise that the security professionals are not there to always say “no” and put the brakes on innovation. Instead, their job is to protect companies from security violations and to act as coaches by helping development teams to set up automated security checks. This trains developers in secure programming and draws their attention to all of the possible attack scenarios. These new mindsets demand work, time and cultural change.

It is also worth noting that boughtin security tools are usually provided and approved by the security team under the security budget. If they are to be integrated into the DevSecOps process, they must satisfy more stringent security standards, their user-friendliness must be optimised and they must be customised to the needs of the developers and DevOps engineers. Security providers wanting to support DevSecOps must be aware of these requirements.

Here to stay

DevSecOps is now regarded as the state of the art in product development. Adaptation is still taking its time but, ultimately, the future will always belong to those bold enough to take it.

The two principal advantages are speed and security. Development teams deliver better, more secure, code and they do so quicker and thus at lower cost. DevSecOps makes the development, security and operations teams share responsibility for security. Its guiding principle is that, with the right tools and a shared focus on the user, software will become faster and more secure.

Far from putting the brakes on innovation, this new way of thinking can turbo-charge it. For DevSecOps to succeed, everyone must be aware that it is an interdepartmental endeavour.

By shifting security to the left, companies become more digitally responsive and better equipped for a digital future in the fast lane.

This article was written by Daniel Estermann, Product Marketing Manager Airlock, and Roman Hugelshofer, Managing Director Application Security.

Common mistakes when implementing DevSecOps

Mistake Tip
Not enough stamina Where expectations are too high, disappointment is almost inevitable. DevSecOps is a long road and there are no short cuts.
Top-down approach DevSecOps cannot simply be decreed by management. As with any change in behaviour or awareness, you need structural adjustments and continuous change management that pays particular attention to cultural factors.
Unstructured approach First identify the risks, prioritise action points and set realistic interim targets. Problem areas and sticking points between development and security are the ideal place to start. Eliminate overbearing security processes wherever possible.
Failure to recognise the benefits of DevSecOps Use storytelling and incorporate every improvement into the backlog in the form of a security story, similar to user stories. This allows you to plan implementation and, most importantly, makes it visible to all stakeholders; creating transparency and trust. Documenting changes of role and determining expectation on both sides is vital to clear communication so the team understands its responsibility.
Poorly automatable security tools Ensure that everyone has the tools to do their job. Automation is also gaining ground in security tools, managed via script or api. Graphical user interfaces can make it easier to get started but are not suited to automation.
Exclusive focus on analysing code Application security testing can identify known angles of attack and weaknesses at an early stage. Web application firewalls are still a must, however, as an additional line of defence against novel or unknown types of attack. In DevSecOps architectures, this function is increasingly being performed by tools such as the Airlock Microgateway. Its security model ensures that the only requests that actually reach the application are those that the developers have explicitly classified as valid.

Interested in more?

Digitisation projects
Change makers
Tech trends

Order now
header image SMART insights 2021