What a successful shift-left security program looks like

by Joseph K. Clark

Businesses need to have a strong application security (AppSec) program to succeed and survive in today’s ever-changing world. Many companies are taking a shift-left approach to security, moving security earlier in the application life cycle — but this puts a lot of pressure on the development team that is already pressured to move faster, write better code and work smarter. 

There are some ways to alleviate the stress for developers while making it easier to catch bugs earlier and reducing the cost to fix them.


“Having a good policy in place to properly assess your application and make sure you have good practices will be critical to protecting everything — the whole entire infrastructure, not just the application,” said Rey Bango, developer and security advocate at Veracode. Bango spoke in an SD Times webinar with Tim Jarrett, Veracode’s director of product management, on how to set up security programs for success.

The first piece of advice Jarrett and Bango gave is to automate, but also recognize automation is not just a security thing. While automation can help, security really needs to figure out where their function fits alongside automated workflows and which of those workflows can be automated, according to Jarrett.

He went on to explain that a lot of security concerns can be automated, but the ones that should be automated are the ones that are widely prevalent and easy to address. The security vulnerabilities that are more unique or require more security expertise should not be automated.

Baking security into the code is another best practice Jarrett recommended because it enables security workflows to be managed and tracked just like every other piece of code associated with the project. This helps developers take advantage of processes they are already used to working in. 

Bango highlighted the need to appoint a security companion within a shift-left program. A security companion is not a security decision-maker but a neutral person who can bridge the conversation between development and security teams. They should help bridge the communication and manage priorities between the two groups. For more on how to set up a solid AppSec program, watch the entire webinar.
