Security Needs to Shift Left - and Right

To achieve a true DevSecOps environment, security doesn't need to be shifted, it needs to be present at every stage in the SDLC.

by Suzanne Ciccone · Jul. 30, 17 · Opinion


The move to Agile and DevSecOps development processes has fostered a lot of attention on the need to shift security testing left in the development cycle. And this is absolutely a pivot in the right direction. Moving security testing into the realm of the developer makes security testing faster, easier, more effective, and less expensive. However, it’s important not to lose sight of the fact that effective application security secures software throughout its entire lifecycle – from inception to production or, put another way, from prevent to respond. Application security should be considered and conducted from the planning phase through to the development phase, on to the testing phase and right into production. In fact, rather than talking about securing the software development lifecycle, we should focus on securing the software lifecycle.

You Need Both Locked Doors and a Police Dept

The secure lifecycle, or prevent-to-respond, idea applies in the real world as well. With security in the physical world, you need to understand basic safety measures and implement best practices – lock your doors, understand where the exits are and have a fire escape plan, put kids in nonflammable pajamas, etc. But that doesn’t mean you can disable your smoke alarms or disband your local police department. With real-world security, just as with software security, you need to focus on the whole lifecycle – from plan and educate to prevent and respond.

The More Things Change, the More They Are Vulnerable

Why do we need to secure every stage of the software lifecycle? Why do we need to focus on both preventing and responding? Because producing record numbers of applications at a breakneck pace is a high-risk endeavor. With the speed of today's development cycles – and the speed with which software changes and the threat landscape evolves – it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase, or that code in production doesn’t need to be tested. In their recent report, Incorporate Application Security Throughout the Application Life Cycle, Gartner points out that “risks to applications stem from a variety of causes, such as:

  • Unsecured application design and configuration.
  • Vulnerabilities in the application code and use of vulnerable third-party components and libraries.
  • Ineffective security controls and unpatched vulnerabilities at runtime.

It’s important to realize that vulnerabilities stem from different sources and will emerge at every stage of the software lifecycle. For instance, in many cases, vulnerabilities will be discovered in applications you already have in production. If you are able to block attacks on those vulnerabilities, you can avoid downtime and fix them during planned updates. In the end, neglecting software security in any stage will expose you to risk.

Look Left and Right

Shifting security left in the real world involves things like developing a fire escape plan. In the software security world, it involves threat modeling before any coding even starts, educating and coaching developers on secure coding practices and then enabling them to test for security as they are coding.

Shifting security right in the real world involves making sure your fire extinguisher works or, since it’s summer and I’ve got beach on the brain, picking a beach with lifeguards, even if your kids have had swimming lessons. In the software security world, it involves security testing completed code, whether it’s developed internally or externally, and implementing for apps in production. Just as software is not static, application security isn’t either. Effective application security is not a one-and-done project, but an ongoing program that both prevents and responds to breaches at the app layer.
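Both halves of the left-and-right program sketched above, as an added example that is not from the original article: a shift-left static check that a developer would run from an editor, pre-commit hook or CI job while code is still being written, and a shift-right check that watches the access log of an application already in production so the team can respond to an attack on a known weakness until a fix ships in a planned release. The rule ids, the sample source file and the log lines are all constructed for this example.

```python
"""Two checks at opposite ends of the software lifecycle (added example).

scan_source    - shift left: a static scan run while code is being
                 written (editor, pre-commit hook, CI), flagging SQL
                 built by string concatenation and hardcoded credentials.
detect_runtime - shift right: a check over web access logs for an app
                 already in production, flagging requests that carry
                 textbook SQL-injection payloads so the team can respond
                 while a code fix waits for a planned release.

The sample source and log lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Finding:
    stage: str    # "left" = found during development, "right" = found in production
    line: int     # line number in the scanned source or log
    rule: str     # hypothetical rule id
    detail: str   # the offending source line or request


# ---- Shift left: static rules -------------------------------------------
STATIC_RULES = [
    # execute("..." + x) / execute("..." % x) / execute(f"...") patterns
    ("sql-string-build", re.compile(r'''(execute|query)\(\s*(f["']|["'].*["']\s*(%|\+))''')),
    # password = "..." / secret = "..." / api_key = "..." (case-insensitive)
    ("hardcoded-secret", re.compile(r'''(?i)(password|secret|api_key)\s*=\s*["'][^"']+["']''')),
]


def scan_source(source: str) -> list[Finding]:
    """Run every static rule over each line of SOURCE."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule, pattern in STATIC_RULES:
            if pattern.search(text):
                findings.append(Finding("left", lineno, rule, text.strip()))
    return findings


# ---- Shift right: runtime detection over access logs --------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RUNTIME_RULES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s*'?\d*'?\s*=")),   # ' OR '1'='1
    ("sqli-union", re.compile(r"(?i)\bunion\s+select\b")),
]


def detect_runtime(log_text: str) -> list[Finding]:
    """Parse common-log-format lines and flag request paths matching a runtime rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        path = unquote(m.group("path"))   # decode %20, %27 ... before matching
        for rule, pattern in RUNTIME_RULES:
            if pattern.search(path):
                detail = f'{m.group("ip")} {m.group("method")} {path} -> {m.group("status")}'
                findings.append(Finding("right", lineno, rule, detail))
    return findings


# ---- Constructed samples -------------------------------------------------
SAMPLE_SOURCE = '''\
import sqlite3
DB_PASSWORD = "hunter2"   # constructed sample value, not a real credential
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()
def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchone()
'''

SAMPLE_ACCESS_LOG = '''\
198.51.100.7 - - [30/Jul/2017:10:01:12 +0000] "GET /users?name=alice HTTP/1.1" 200 512
198.51.100.9 - - [30/Jul/2017:10:01:15 +0000] "GET /users?name=alice'%20OR%20'1'%3D'1 HTTP/1.1" 200 9120
203.0.113.4 - - [30/Jul/2017:10:02:01 +0000] "GET /users?name=bob%20UNION%20SELECT%20name%20FROM%20users-- HTTP/1.1" 500 0
203.0.113.4 - - [30/Jul/2017:10:02:05 +0000] "POST /login HTTP/1.1" 302 0
'''


def lifecycle_report(source: str = SAMPLE_SOURCE, log_text: str = SAMPLE_ACCESS_LOG) -> dict[str, int]:
    """Count findings per stage; both halves are meant to run, not one or the other."""
    findings = scan_source(source) + detect_runtime(log_text)
    for f in findings:
        print(f"[{f.stage}] line {f.line}: {f.rule}: {f.detail}")
    return {"left": sum(f.stage == "left" for f in findings),
            "right": sum(f.stage == "right" for f in findings)}


if __name__ == "__main__":
    lifecycle_report()
```

On the constructed samples the static scan flags the hardcoded credential and the concatenated query but not the parameterized `find_user_safe`, and the log check flags the two encoded injection attempts but not the ordinary requests. The point of keeping both functions in one report is the article's own: the left-hand check does not make the right-hand one redundant, because the vulnerable `find_user` may already be live in production while the fix waits for a release.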

Published at DZone with permission of Suzanne Ciccone. See the original article here.