Adopting ‘Shift Left’ Security Without Frustrating Your Developers
Security is often perceived as a drag on the speed and agility that development requires. According to the ATARC (Advanced Technology Academic Research Center) Federal DevSecOps Landscape survey, security is among the top three causes of deployment delays. Legacy approaches to security typically run late in the development process, which ultimately slows down delivery.
As shown in the diagram below, the security scan happens after the “Deploy” stage, towards the very end of the development cycle.
The development team is typically required to get in line and submit a security scan once the production environment has been spun up. If the scan reports findings, developers have to spend significant time and energy investigating them, and security tools are notorious for false positives, so much of that effort is wasted and the release slips. Issues uncovered that late in the cycle are expensive to fix and create unnecessary stress.
The same report also suggests that security slows down software releases, with delays that can exceed four months. It is no surprise that developers view legacy security programs as inhibitors to innovation.
Shift Left Your IaC Security Checks
Software development practices have been shifting left in response to the pressure to build and deliver releases faster and faster. With Infrastructure as Code (IaC), there is no reason why we cannot learn from the development world and embed security enforcement early in the development process.
Modern security programs should be fully automated and integrated into the DevOps pipeline as shown above. Full automation means that developers don’t need to get in line for security reviews; instead, every change to the IaC is evaluated automatically for its security impact. In this example, the security controls run before each deployment, in development, in staging and, where possible, in production. You can think of shift-left security as testing IaC continuously and blocking insecure infrastructure from being deployed at every step of the way.
From a developer’s standpoint, IaC security tools fit the way developers already work: they are natively integrated into the CI/CD pipeline and return feedback quickly, so a risk can be remediated as soon as it is introduced and developers can keep moving fast. This combination of automation, speed and efficiency is what businesses demand in the digital era. Security professionals, in turn, can be at ease because policies and expected behaviour are now enforced throughout the development cycle rather than checked once at the end.
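To make the pre-deploy gate concrete, here is an added example (not the page’s own code, and not Cloudrail’s rules or output) of the kind of policy check a CI job runs against a Terraform plan before `terraform apply`. It assumes the plan has been exported with `terraform show -json tfplan > plan.json`; the three policies, the four-resource sample plan and the exception list are all constructed for illustration, and the attribute names follow the AWS provider but the rules are not a vetted ruleset.

```python
"""Added example: a minimal pre-deploy IaC policy gate for a Terraform plan.

Not the page's own code or Cloudrail's. Assumes the plan was exported with
`terraform show -json tfplan > plan.json`; the policies, the exception list
and the sample plan are constructed for illustration.
"""
import json
import sys

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # SSH and RDP


def sg_world_admin_ingress(resource):
    """Flag a security group that exposes SSH/RDP (or all ports) to any address."""
    if resource["type"] != "aws_security_group":
        return None
    for rule in resource["values"].get("ingress", []):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        if not WORLD_CIDRS.intersection(cidrs):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        # protocol "-1" means all traffic; Terraform reports ports 0-0 for it
        if rule.get("protocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            return f"ingress {lo}-{hi} open to the world"
    return None


def ebs_unencrypted(resource):
    """Flag an EBS volume planned without encryption at rest."""
    if resource["type"] != "aws_ebs_volume":
        return None
    return None if resource["values"].get("encrypted") else "volume not encrypted at rest"


def rds_public(resource):
    """Flag an RDS instance planned with a public endpoint."""
    if resource["type"] != "aws_db_instance":
        return None
    if resource["values"].get("publicly_accessible"):
        return "database instance is publicly accessible"
    return None


POLICIES = {
    "SG_WORLD_ADMIN": sg_world_admin_ingress,
    "EBS_UNENCRYPTED": ebs_unencrypted,
    "RDS_PUBLIC": rds_public,
}


def iter_resources(module):
    """Walk the root module and nested modules of the plan's planned_values tree."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate(plan_json, exceptions=None):
    """Return (findings, suppressed). A finding is (address, policy_id, message).

    `exceptions` maps "<address>:<policy_id>" to a written justification, so a
    known-acceptable result can be silenced per resource and per rule only.
    """
    exceptions = exceptions or {}
    plan = json.loads(plan_json)
    findings, suppressed = [], []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        for policy_id, check in POLICIES.items():
            message = check(res)
            if message is None:
                continue
            key = f"{res['address']}:{policy_id}"
            if key in exceptions:
                suppressed.append((key, exceptions[key]))
            else:
                findings.append((res["address"], policy_id, message))
    return findings, suppressed


# Constructed sample plan: two security groups, one volume, one database.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {
        "ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group", "values": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume", "values": {"encrypted": False}},
    {"address": "aws_db_instance.app", "type": "aws_db_instance", "values": {"publicly_accessible": False}},
]}}})

# Constructed exception: an accepted risk recorded next to the rule it silences.
SAMPLE_EXCEPTIONS = {
    "aws_security_group.bastion:SG_WORLD_ADMIN": "bastion host, key + MFA only, reviewed by security",
}


def main(argv):
    """Gate: exit non-zero when any unsuppressed finding exists."""
    plan_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    findings, suppressed = evaluate(plan_json, SAMPLE_EXCEPTIONS)
    for key, why in suppressed:
        print(f"SUPPRESSED {key}: {why}")
    for address, policy_id, message in findings:
        print(f"FAIL {policy_id} {address}: {message}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py plan.json` from the pipeline step that sits between `terraform plan` and `terraform apply`; a non-zero exit fails the job, so the misconfiguration never reaches an environment. The exception map is the false-positive caveat from the previous section made concrete: a finding can only be silenced for one resource and one policy, with a justification recorded beside it, so the gate stays blocking without forcing developers to queue for a manual review every time a rule fires on a case security has already accepted.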
Continuous Delivery with IaC Security
If you are using IaC to scale your cloud environment, you can build it securely from the start with IaC security: review your IaC for security risks continuously and as early as possible. Rather than waiting until later in the development process, you catch in the code itself the issues that would otherwise delay your release and create unnecessary friction between the development and security teams.
Indeni Cloudrail is our latest addition to this toolset for IaC security. We invite you to learn more about how it works, try it and let us know what you think.
About the Author
Ulrica de Fort-Menares is the Vice President of Product and Strategy at Indeni. Ulrica is responsible for the strategy, partnerships and execution of the Indeni product portfolio. With over 30 years of experience in the high-tech industry, she has held various leadership positions in product management, software development and network engineering. She is the holder of 7 patents in networking technologies.