How has the recent turmoil within the OpenAI offices changed your plans to use GPT in a business process or product in 2024?
Increased uncertainty means we are more likely to evaluate alternative AI chatbots and LLMs.
No change in plans, though we will keep an eye on the situation.
With Sam Altman back in charge, we are more likely to go all-in with GPT and LLMs.
What recent turmoil?
DevOps / Security

5 Security Tasks DevOps Teams Should Consider When Shifting Left

A shift-left approach to security should start at the exact moment that DevOps teams begin developing the application and provisioning infrastructure, so that vulnerabilities can be addressed before they become bigger and more expensive to fix.
Jun 16th, 2022 10:00am by
Featued image for: 5 Security Tasks DevOps Teams Should Consider When Shifting Left
Feature image via Pixabay.

Scott Fanning
Scott is responsible for leading product management for the CrowdStrike Cloud Security Product Group, including its CNAPP product offerings of CrowdStrike Horizon CSPM, Discover for Cloud and Container, Cloud Workload Protection and Cloud Identity Assessment. Scott has spent over 25 years in the security/routing and cloud domains helping customers protect the ability to get work done and keep adversaries at bay.

Speedy delivery of applications is not the enemy of security, although it can seem that way. As businesses continue to adopt cloud services and infrastructure, forgetting to keep security top of mind is not an option — especially since the continuous integration/continuous delivery (CI/CD) pipeline represents an attractive target for threat actors.

It is not enough to only scan applications for security flaws after they are live. A shift-left approach to security should start at the exact moment that DevOps teams begin developing the application and provisioning infrastructure so that vulnerabilities can be addressed before they become bigger and more expensive to fix. This is the core tenet of DevSecOps.

By shifting security left, organizations can identify misconfigurations and other security risks before they impact users. Given the role that cloud computing plays in enabling DevOps, protecting cloud environments and workloads will only take on a larger role in defending the CI/CD pipeline, your applications and, ultimately, your customers.

Below are five key security tasks DevOps teams should consider as their organization shifts left.

1.  Connect and collaborate with your security team: Shift left is a cultural change. In addition to putting the proper processes and tools in place, organizations must rethink the way they operate to bring software-testing processes, tools and expertise earlier in the CI/CD pipeline. DevSecOps isn’t simply about pushing security responsibilities onto developers, but about changing roles and expectations, combined with the right tools, to achieve a balance in secure development. Security should be a priority from the start — not an afterthought tacked on to the end of the SDLC.

2.  Implement frequent automated testing: Shifting left requires testing early and often. With automated code testing, developers are alerted to security issues as they are working so they can correct issues long before software goes to production. Automated tools that scan for vulnerabilities reduce the chances of human error that may occur in a manual test and expand coverage to check more of the software. The code is scanned incrementally so testers aren’t left with a lot to review at the end of the SDLC.

A shift-left strategy will involve bringing one or more tools into the CI/CD pipeline to look for known vulnerabilities and identify other issues. There are many tools to choose from — commonly used tools include Static Application System Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Secret Detection and Software Composition Analysis (SCA). You should first assess the tools you have before deciding which new tools to bring into your processes.

3.  Bring penetration testing (pentesting) into the process: While automated testing is a must-have in DevSecOps, automation alone may still leave potential issues undetected. A manual security evaluation, such as a penetration test, checks the security of an application by simulating cyberattacks against it. This additional testing minimizes the risk and may catch issues that an automated test wouldn’t. Before you commit to protection, bring in a security engineer to review the software and conduct a penetration test to ensure all potential issues are mitigated. It’s better to cover all your bases and do the extra testing than learn about a vulnerability after an attacker exploits it. 

4.  Keep your software current: Working with up-to-date software is a core tenet of cybersecurity. Developers must be careful to keep all their software — operating system, application framework and third-party libraries — updated to the latest versions to ensure all security patches are current. Whether they come from a vendor or the open source community, downloading software updates is among the most important steps you can take toward stronger application security. 

5.  Explore opportunities for security training: Developers aren’t security experts, but they have a critical role in the production of secure applications and should know the basics of secure coding and testing. As the demand for software grows, developers should consider security training tailored to their specific role and needs. Proper training and support can give you the background information needed to produce code that is both functional and secure.

When it comes to software security, there is no silver bullet to ensure your code is secure and stays secure. By adopting these practices, you can increase the likelihood that software flaws are found and patched before code is deployed.

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.