In modern software development, cybersecurity cannot be an afterthought. Security should be considered as early as possible in the development lifecycle, an approach known as "shifting left." When teams wait until the final stages of development to test and measure security, the result is expensive bottlenecks and a weaker security posture. Frequently cited research estimates that fixing a defect during the maintenance phase costs roughly 100 times as much as fixing the same defect during design.
Shifting left has other benefits as well. In addition to driving down costs, it improves team morale and developer happiness, fosters greater collaboration, and produces higher-quality code. But understanding these benefits is one thing; actually reaping them is another. A successful shift left hinges on having the right approach and right organizational environment.
Here are three tips to help organizations smoothly and effectively shift security left.
Tip #1 Create a flexible roadmap
Software development is an increasingly iterative process, and the shift left should be too. It is crucial, at the beginning, to have a multi-year plan that outlines a clear vision without being overly prescriptive. Iterate on your organization's security infrastructure just as you would on applications and features. Perhaps the shift left begins with 20% of security checks automated, with a long-term goal of getting as close to 100% as possible. The point is that shifting left will look different on day one than it will four years down the road.
When creating a flexible roadmap, keep in mind that it’s important to build in breaks. The journey will be one of push and pull: implement something new, have a breakthrough, then breathe. If it’s constant change, your team will likely get overwhelmed and exhausted. Also, keep in mind that changes will be met by two crowds: one that wants to hit the ground running and another that wants to dig their heels in to resist the change. A strong roadmap seeks to find the balance between these two crowds and includes getting buy-in at every level.
Tip #2 Determine the business impact
Driving meaningful change in an organization of any size requires aligning multiple stakeholders and finding champions to support the change. Getting buy-in from the C-Suite is often key for the proposed changes to succeed. A business impact analysis is a great tool to establish common ground on the consequences of a potential cybersecurity breach. If data leaks or an application is unavailable, what will happen? What will be your organization’s financial exposure? Will you be covered negatively in the press and on social media? Will it create financial or physical harm for your users or your employees? What is the organization’s tolerance to security breaches and data spillage? What will be the impact on the public?
By engaging in a business impact analysis, you can determine where the shift left should start. The more sensitive an application, the more urgent it is to consider security early in the development process. Think of the roadmap and the business impact analysis as two documents that are in conversation with one another and that act as guideposts for the shift left.
Tip #3 Understand your team’s maturity level
Finally, to successfully shift left, your team must have the right level of agile maturity. Pushing decision-making to the lowest possible level can improve both speed and security, but only if the teams are operating at a mature level. In this regard, DevOps Research and Assessment (DORA) is a fantastic resource. With a quick survey you can measure a team's delivery performance on DORA's four key metrics (deployment frequency, lead time for changes, change failure rate, and time to restore service) and compare it against the industry. Remember that DORA's research has consistently associated high delivery performance with better security outcomes, such as less time spent remediating security issues, so a high-performing team is usually the safest place to start.
Getting team-managed deployment (TMD) certified is another way to demonstrate your team’s control over the release process. After my team was TMD-certified, we no longer had to submit cumbersome paperwork to release software. In turn, we were able to push out 100 releases in four years.
The bottom line
Shifting left is non-negotiable in today's landscape, where cyberthreats abound. By shifting left, organizations can improve their security posture, react to problems more quickly, boost team morale, and save both time and money.
DORA outlines several capabilities that offer a great starting point for shifting left: version control, a continuous integration pipeline, centralized secrets management, deployment automation, continuous testing and delivery, and database change management. Version control deserves particular attention: put infrastructure and pipeline configuration under it alongside application code, since misconfiguration is a common root cause of breaches, and a versioned, reviewed change is one you can audit and roll back.
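As a concrete illustration of what "shifting left" means for one of these capabilities, here is an added example (not code from the original article, and not any particular product's implementation) of a minimal secret-scanning gate of the kind a team might run as a pre-commit hook or as the first step of a CI pipeline, so that a credential is caught before it reaches version control rather than after an incident. The rule names, thresholds and sample file contents are constructed for illustration; a real deployment would use a maintained scanner with a much larger rule set.

```python
"""
Added example: a small pre-commit / CI secret-scanning gate.
Patterns, thresholds and the sample input are constructed for this
illustration and are not taken from any real tool or rule set.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Deliberately narrow, constructed signatures (rule names are hypothetical).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}

# Fallback: long quoted literals with high per-character entropy.
# Hex material tops out at 4.0 bits/char and base64 sits near 5-6, so 3.5
# catches both while leaving ordinary words and hostnames alone.
ENTROPY_THRESHOLD = 3.5
LONG_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


def scan_text(text: str) -> List[Finding]:
    """Scan file contents line by line; return one finding per flagged line."""
    findings: List[Finding] = []
    for i, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Explicit, reviewable opt-out for test fixtures and documented examples.
        if "# allow-secret" in stripped:
            continue
        for rule, rx in PATTERNS.items():
            if rx.search(stripped):
                findings.append(Finding(i, rule, stripped[:80]))
                break
        else:
            for tok in LONG_LITERAL.findall(stripped):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(i, "high_entropy_literal", stripped[:80]))
                    break
    return findings


def gate(text: str) -> int:
    """CI-style exit code: 0 when clean, 1 when anything was flagged."""
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    return 1 if findings else 0


# Constructed "staged file" contents. The key-like values are fake; the AKIA
# value is AWS's published documentation example, not a live credential.
SAMPLE = """\
DB_HOST = "db.internal"
aws_key = "AKIAIOSFODNN7EXAMPLE"
password = "correct-horse-battery"
token = "mF_9.B5f-4.1JqM"
session_secret = "7f3a9c2e8b1d4f6a0c5e9b8d7a6f5e4c3b2a1d0e"
TEST_KEY = "AKIAIOSFODNN7EXAMPLE"  # allow-secret
"""

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE))
```

Run against the sample, the gate flags lines 2 through 5 and exits non-zero; line 6 is skipped because of the explicit opt-out marker, which is itself visible in code review. The `session_secret` line shows why the entropy fallback matters: the keyword rule misses it (the `\b` boundary does not fire inside `session_secret`), but the 40-character hex literal scores about 3.95 bits per character and is caught anyway. Wiring a check like this into a pre-commit hook or the first CI stage is the shift-left version of a control that would otherwise live in a quarterly audit.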
These capabilities need to be combined with a focus on change management. By creating a flexible roadmap, conducting a business impact analysis, and understanding the maturity of your teams, you can lay a strong foundation for shifting left. In turn, you’ll be ensuring security is top-of-mind throughout the entire development process.