Security ‘shifts left’ to debug critical code before software deployment
The cybersecurity world is a race against time: Organizations have a finite amount of resources and limited runway to find and fix bugs in code before malicious actors can discover and exploit them with damaging results.
The way to best minimize this exposure is to fix bugs before software has been deployed into cloud native or other environments. That means catching potentially fatal flaws as code is being written using tools that continuously integrate and scan in-process.
It’s an approach that represents a “shift left” in the DevOps world, a practice in software development where problem prevention is the priority versus detection after the fact.
“When we think about where security lives, it is either a blocker to deploying in production or it lives long after code has been deployed to production and there’s a security team constantly playing catch-up,” said Joni Klippert (pictured), founder and chief executive officer of StackHawk Inc. “They’re looking at it months after software has been deployed and then hurrying to assess where the bugs are and trying to get that back to software developers so they can fix those issues. Shifting left means software engineers are fighting those bugs as they are writing code or in the continuous integration/continuous delivery pipeline long before code has been deployed to production.”
Klippert spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during theCUBE on Cloud event. They discussed the need to bake security into the development process, separating the “noise” created by a large number of security vendors to protect code, the use of dynamic application security and the value of penetration testing in the enterprise.
Understanding software development
The “shift left” approach offered by Klippert and her firm is a form of baking security into the development process rather than trying to bolt it on after software has been deployed into production. The case for baking in security is hard to oppose, especially as news of escalating ransomware attacks or a major breach make headlines on nearly a weekly basis. It’s also hard to do.
“It isn’t trivial, and, in my opinion, there aren’t a lot of tools on the market that actually make that very easy,” Klippert said. “Because of lot of tools were built to run in production, it makes it really difficult to bake them in from the beginning. You really have to have a lot of empathy and understanding for how software is built and how software engineers behave in order to get this right.”
That level of empathy for the job of a software developer extends to issues within the cybersecurity industry itself. As threats have mounted, so has the noise surrounding numerous products that claim to offer the silver bullet for security protection in the enterprise.
“There were 1,300 venture-backed security companies since 2012 focused on selling to CISOs and Fortune 2000 companies,” Klippert noted. “It is a mess; it’s so noisy. Nobody can figure out what anybody actually does.”
Filtering out the noise
The concept behind StackHawk’s approach is dynamic application security testing, or DAST. This testing is applied against a running version of an application, searching for security bugs that could be identified by a malicious hacker. The goal is to filter out the noise and identify the critical issues that would be worth the time to fix.
“Limit the noise; make it as easy as possible,” Klippert said. “You make the tooling work so that it works for the software engineer and their workflow. Make sure that we only show the most critical things that are worth an engineer stopping what they are doing in terms of building business value and going back and fixing bugs.”
One of the security techniques in common use is penetration testing, a form of ethical hacking where organizations will deliberately attempt to breach internal systems as a way to find security flaws. Penetration testing is a growing market, forecasted to expand to $4.5 billion in four years, but Klippert advises that additional scanning may be needed to get deeper into potentially serious security flaws.
“Pen tests are important, and everybody should do them, but that should not be the introduction to these issues that are also easy to automate and find in your system,” Klippert said. “Run StackHawk in an automated fashion on your system, and then give the configuration and most recent results to your pen tester and say: ‘Go find the hard stuff.’”