Shift left security is helpful, but one expert says it's not enough

It's critical to plug cybersecurity vulnerabilities before bad guys get wind of them. To make that happen, businesses should encourage security and developer teams to collaborate, says an expert.

security

Image: iStockphoto/maxkabakov

After-the-fact cybersecurity is something cybercriminals appreciate. "With attackers continuing to innovate ways they can compromise their victims' assets, it's becoming increasingly critical for organizations to reduce their attack surfaces," said Rickard Carlsson, co-founder, and CEO of Detectify, a cybersecurity company utilizing ethical hackers. "To combat cybercriminals, there is a need for collaboration and shared ownership of cybersecurity between security and engineering teams."

Besides cybercriminals, there are internal concerns

Besides trying to keep secrets from the digital bad guys, Carlsson suggested that departments—in particular, those dealing with cybersecurity—within a company tend to keep secrets from other departments. "Many teams stay siloed to keep security information protected, for fear of exploitation," said Carlsson. "With this guarded approach, organizations are assuming that this information is only known to a select group of people internally, not considering that there could be others outside of the organization with the same information and intend to use it maliciously."

Put simply (and for the betterment of all parties), knowledge sharing within an organization, especially between security and developer teams, should be encouraged.

Carlsson stated another concern: "A common obstacle for organizations is that they let their security protections hinder their innovation and their ability to scale."

SEE: Shadow IT policy (TechRepublic Premium)

What is shift left security?

On paper, the process called "shifting left security" is a way to reduce attack surfaces. "Shift left refers to moving security sooner in the development process," mentioned this CheckPoint website. "Additionally, a tighter integration of security throughout the process leads to better security outcomes, versus tacking it on at the end."

Carlsson is inclined to agree, adding, "With shifting left, testing is done earlier in the product-development cycle to ensure that security flaws are found early, with adequate time to fix."

What is collaborative ownership of cybersecurity? 

Carlsson believes there is still a better way. "Although the focus on 'shifting left' within application security is picking up, there are still unearthed opportunities for a faster, more efficient way to apply cybersecurity," said Carlsson. "Besides, shifting left views security as a controlling organization instead of an enabler."

Carlsson believes collaborative ownership of cybersecurity is a better form of protection. As to what he considers collaborative ownership, he added, "Through increased ownership of continuous monitoring and testing, cybersecurity professionals can enable developers to take a more proactive approach to protection while building the application."

The following are details of what Carlsson considers to be collaborative ownership:

  • Development cycles are happening so quickly in the current landscape, that the focus should be less on testing early and more on testing continuously. Also, it is important to ensure vulnerability information will get to developers so they can act on it and make adjustments.
  • Security teams within an organization must question how they are promoting security ownership. Instead of monitoring for security flaws and taking a reactive approach, these teams should be guiding the engineers to make informed decisions.
  • Intentional vulnerability testing is imperative to ensure protections are meeting the mark. Specifically, dynamic application security testing or black-box testing regularly can put more confidence in the products on the market. This proactive approach provides peace of mind that detection is in place to stop real life attacks and find actively exploited vulnerabilities in time.
  • Vulnerability identification and communication to the appropriate team needs to be expedited to ensure that secure innovation can take place.
  • All facets of the organization need to understand the importance of this testing/remediation loop within the development lifecycle. Security teams need this buy-in from the top down for all groups to recognize the value.
  • Innovative organizations should rely on a mix of automation, research, ethical hacking and continuous awareness to protect themselves.
  • Security will no longer be siloed. It must be considered in every strategic decision, and people must feel empowered to own cybersecurity in their various roles and tasks.
  • CISOs and application owners should expect their security suppliers to communicate information about vulnerabilities within minutes after they have been detected.

Final thought

Shifting left security is only a start according to Carlsson, and he makes several good points as to why. Fortunately, it does not seem like much of a leap to move from shifting left security to collaborative ownership of cybersecurity.

Also see