
A Better Way to Shift Security Left

Baking security into the CI/CD pipeline enables businesses to find misconfigurations and other security risks before they affect users.
Apr 6th, 2023 9:19am

Development teams want to ship applications quickly, and that often puts them at odds with testing. Developers may be writing code right up to the deadline, leaving almost no time to find and fix vulnerabilities before release.

"Shift left" security addresses this by moving vulnerability discovery and remediation earlier in the development process, where fixes are cheaper and do not hold up a release. This is a pivotal part of supporting the DevOps methodology rather than working against it.

Cloud computing makes DevSecOps easier to adopt because it gives teams a centralized platform for building, testing and deploying. But for DevOps teams to embrace the cloud safely, security has to be at the forefront of their considerations. For developers, that means making security a part of the continuous integration/continuous delivery (CI/CD) pipeline that forms the cornerstone of DevOps practice.

The New Way to Secure Applications Better

The CI/CD pipeline is vital to DevOps because it automates building, testing and deploying applications. Scanning applications only after they are live is not enough: by then a misconfiguration has already been exposed to users. A shift-left approach should start the moment DevOps teams begin writing application code and provisioning infrastructure. Security tools that expose APIs can be wired directly into the developers' existing toolchain, so that security teams find problems early and developers see the findings where they already work.

Fast delivery is not the enemy of security, though it can seem that way. Security is meant to be an enabler that helps organizations use technology to reach their business goals. Making that a reality, however, requires treating it as a foundational part of the development process rather than a gate bolted on at the end.

In research from CrowdStrike and Enterprise Strategy Group (ESG), 41% of respondents said that automating controls and processes through integration with the software development life cycle and CI/CD tools is a top priority. Automation is what lets organizations keep pace with the elastic, dynamic nature of cloud native applications and infrastructure; manual review cannot scale to every commit and every deployment.

Better Security, Better Apps

The tighter the integration between security and the CI/CD pipeline, the earlier threats are identified and the less they slow delivery. A cloud workload protection platform (CWPP) that integrates with Jenkins, Bamboo, GitLab and similar tools lets DevOps teams respond to and remediate findings within the toolsets they already use, instead of waiting on a separate security review.

Hardening the CI/CD pipeline allows DevOps teams to move fast without sacrificing security. Automating security checks and integrating them into the pipeline is what turns DevOps into its close relative, DevSecOps, which extends the DevOps methodology by building security into the process itself.

As businesses continue to adopt cloud services and infrastructure, letting security slip out of mind is not an option. The CI/CD pipeline is an attractive target for threat actors: it holds build and deployment credentials and produces the artifacts that ship to production, so a compromise can have a significant impact on business and IT operations.

Baking security into the CI/CD pipeline enables businesses to pursue their digital initiatives with confidence. By shifting security left, organizations can identify misconfigurations and other security risks before they affect users. Given the role that cloud computing plays in enabling DevOps, protecting cloud environments and workloads will only take on a larger role in defending the CI/CD pipeline, your applications and, ultimately, your customers.
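The kind of check the article has in mind, as an added example that is not CrowdStrike's tooling or code from the original page: a small gate that runs in a CI job, inspects a Kubernetes Deployment manifest for common pod-hardening misconfigurations (host namespaces, privileged containers, running as root, unpinned images, missing resource limits) and returns a non-zero exit status so the pipeline fails before the workload is deployed. The manifests, rule names and severity threshold are constructed for the example; a real pipeline would feed it the manifests from the repository and tune the threshold per environment.

```python
"""Shift-left misconfiguration gate for Kubernetes manifests (added example).

Run as a CI step:  python k8s_gate.py deployment.json
Exit status 1 means at least one finding is at or above the fail threshold.
Manifests are read as JSON to keep the example dependency-free; Kubernetes
accepts JSON manifests directly.
"""
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str    # "HIGH", "MEDIUM" or "LOW"
    rule: str        # short rule id, stable for dashboards and suppressions
    container: str   # container name, or "<pod>" for pod-level findings
    message: str


SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def pod_spec(manifest: dict) -> dict:
    """Return the pod spec for a Pod or for any workload that wraps a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_manifest(manifest: dict) -> list:
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []

    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(Finding("HIGH", "host-namespace", "<pod>",
                                "pod shares a host namespace (hostNetwork/hostPID/hostIPC)"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(Finding("HIGH", "privileged", name, "container runs privileged"))
        # runAsNonRoot can be set at pod or container level; the container setting wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(Finding("MEDIUM", "run-as-root", name, "runAsNonRoot is not enforced"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding("MEDIUM", "privilege-escalation", name,
                                    "allowPrivilegeEscalation is not set to false"))
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]          # strip registry host (may contain a port)
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            findings.append(Finding("MEDIUM", "mutable-image-tag", name,
                                    f"image '{image}' is not pinned to a tag or digest"))
        if not c.get("resources", {}).get("limits"):
            findings.append(Finding("LOW", "no-resource-limits", name, "no CPU/memory limits"))
    return findings


def gate(findings: list, fail_on: str = "HIGH") -> int:
    """CI exit status: 1 if any finding is at or above the fail_on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


# Constructed sample input: a Deployment a developer might commit under deadline pressure.
INSECURE_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [{"name": "web", "image": "nginx:latest",
                   "securityContext": {"privileged": true}}]}}}}
""")

# Constructed sample input: the same workload after remediation.
HARDENED_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true},
   "containers": [{"name": "web",
                   "image": "registry.example.com/web:1.25.3@sha256:0000000000000000000000000000000000000000000000000000000000000000",
                   "securityContext": {"allowPrivilegeEscalation": false},
                   "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}
""")


if __name__ == "__main__":
    manifest = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else INSECURE_MANIFEST
    results = check_manifest(manifest)
    for f in results:
        print(f"[{f.severity}] {f.rule} ({f.container}): {f.message}")
    sys.exit(gate(results, fail_on="HIGH"))
```

Failing only on HIGH keeps the gate from blocking every pull request on day one; the MEDIUM and LOW findings still surface in the job log where developers see them, and the threshold can be tightened once the backlog is cleared.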
