The Advantage of Shift Left Security - Building Secure Systems

Tech Stuff Jun 23, 2024

Have you ever wondered how to build a secure system throughout the entire software development life cycle? Traditionally, we tend to build first and then verify that everything works correctly, dealing with the vulnerabilities and bugs found in our system afterwards. This is called "shift right". Let's take this example: you can construct a house without considering the security features. After the house is built, you then hire a security expert to inspect it. The expert might then find several vulnerabilities, like weak door locks and windows that are easy to break into. In this case, we have to spend additional time and resources fixing security features, which is going to disrupt the overall design.

Software Development Life Cycle (SDLC) In Simple Terms

Let's first describe and understand what the standard software development life cycle looks like:

  • Planning: Define project goals and scope. Identify resources, timeline and budget. Analyzing feasibility and risks also happens in this stage.
  • Requirements: Document what the users need from the software/system and translate those needs into technical requirements.
  • Design: Create the architecture and design of the system. Plan the user interface (if any), system interfaces and data flow.
  • Development: Write the actual code based on the design documents and implement the features and functionalities.
  • Testing: Test the software to identify and fix bugs and ensure the software meets the requirements and performs as expected.
  • Deployment: Release the software to users, install and configure the software/system in the production environment.
  • Maintenance: Provide ongoing support and updates. Fix any issues that arise and improve the software over time.

Those are the SDLC stages in order. The shift right security concept is pretty straightforward: we always do the security checkup in the pre-deployment phase, i.e., integration testing, user acceptance testing (UAT) and performance testing. Penetration testing to identify vulnerabilities that could be exploited can also be squeezed into this phase. Beyond this, security audits and assessments can be carried out to ensure compliance with security standards and regulations, but these are conducted just before the software release.

Drawback of Shift Right Security Testing

Working with "shift right" security might be easy to implement, but it comes with critical disadvantages. One major issue is that security vulnerabilities are discovered late in the development process, making them more costly and time-consuming to fix. Late discovery also incurs high costs due to the need for rework and additional testing, which in turn delays the software release and may cause us to miss our deadlines. Most importantly, the risk of a security breach is significantly higher if issues are not identified and resolved before deployment.

Where Does Shift Left Reside in the SDLC?

Shift left security can be integrated throughout the entire life cycle, but it mainly focuses on the early stages:

  • Planning and Requirements Phase: This is the stage where we can incorporate security considerations from the start. As this phase is for planning, we should define the security goals for the project. For example, we should ensure customer data privacy, protect against financial fraud, and comply with relevant regulations (e.g. the European Union regulation, GDPR).
  • Designing: There are key security measures that must be applied when designing our system/software. Let's see some of them:
    • Principle of Least Privilege: This principle ensures that each user or system module has the minimum level of access necessary to perform its functions. For example, in an online banking web application, we can design the user roles such that a customer can only view and manage their own account information, while a bank teller can access multiple accounts but can't perform administrative functions.
    • Defense in Depth: This is a cyber-security discipline in which we implement multiple layers of security controls to protect the system against a range of threats. For instance, integrating firewalls and IDS (intrusion detection systems) to create multiple barriers against unauthorized access.
  • Development: Here's the part where we should implement secure coding standards and practices. We can use static code analysis to detect security vulnerabilities as the code is being written. For example, we can use the Go Security Checker tool to scan for potential security problems in a Go project. Additionally, we can also run it as a GitHub Action to scan our project before it reaches deployment.
  • Testing: In this phase we should have continuous security testing by integrating automated security testing tools like DAST (dynamic application security testing) to identify vulnerabilities in a live service, and container security testing tools like Docker Scout or Trivy to test containerized applications.
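
The role design from the Principle of Least Privilege item above, written as a deny-by-default authorization check. This is an added example, not code from the original post; the type names, action names, the separate admin role, and the choice to let tellers both view and manage accounts are assumptions made for illustration.

```go
package main

import "fmt"

// All names below are constructed for this example.
type (
	Role    string
	Action  string
	Account struct{ ID, OwnerID string }
	User    struct {
		ID   string
		Role Role
	}
)

const (
	Customer Role = "customer"
	Teller   Role = "teller"
	Admin    Role = "admin"
	ViewAccount   Action = "account:view"
	ManageAccount Action = "account:manage"
	ManageUsers   Action = "admin:manage-users"
)

// grants lists what each role may do. Anything absent is denied.
var grants = map[Role]map[Action]bool{
	Customer: {ViewAccount: true, ManageAccount: true},
	Teller:   {ViewAccount: true, ManageAccount: true},
	Admin:    {ManageUsers: true},
}

// Authorize reports whether u may perform act on acct (nil for
// actions that do not target an account). Deny is the default.
func Authorize(u User, act Action, acct *Account) bool {
	if !grants[u.Role][act] {
		return false // unknown role, or action not granted to it
	}
	if u.Role == Customer {
		// Customers are scoped to accounts they own.
		return acct != nil && acct.OwnerID == u.ID
	}
	return true
}

func main() {
	alice := User{ID: "u1", Role: Customer}
	fmt.Println(Authorize(alice, ViewAccount, &Account{ID: "a2", OwnerID: "u2"})) // false
}
```

The ownership check sits in the same function as the role check, so a handler cannot grant the role permission and forget the per-account scope.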

Benefits of Shifting Left in Security

By contrast, "shift left" security involves integrating security practices and testing earlier in the SDLC, such as during the design, development, and continuous integration phases. This proactive approach helps to identify and mitigate security risks earlier, leading to more secure and efficient software development.

Until next time, stay safe and debug free! ✌️

Meron Hayle

Hi there, I'm Meron, a software engineer, an entrepreneur, and an artist, also known as a ninja in the art world.