Shift as Far Left as You Can to Protect Cloud Native Applications
Prisma Cloud from Palo Alto Networks sponsored this podcast.
Many, if not most, IT professionals are well aware of the importance of embedding security processes at the very beginning of the production pipeline.
In this episode of The New Stack Makers, recorded for The State of Cloud Native Security virtual summit held on June 24, thought leaders from Palo Alto Networks discuss why the ‘shift left’ for security in the software production process is essential for DevOps today. The topics discussed include how the trend to shift left has its roots in DevOps, its integration with continuous delivery (CD), security’s role not only in software development processes but for the enterprise as well and, ultimately, how the shift left helps to ensure software is safe and secure.
Joining as guests from Palo Alto Networks are Aqsa Taylor, product manager for Prisma Cloud, Ashley Ward, Palo Alto Networks’ cloud chief technology officer, Keith Mokris, head of product marketing for Prisma Cloud and Vinay Venkataraghavan, Prisma Cloud cloud chief technology officer.
One of the main questions and concerns DevOps teams often express is how they can integrate security processes at the very beginning of development processes without impeding the need to deploy code at faster cadences. However, from the outset, the shift left can help DevOps avoid having to wait for the security team to complete their security checks before they “ask the developers to rebuild their applications to meet security and compliance mandates,” Taylor said.
This is done “by introducing visibility into what they’re building from a security perspective,” said Taylor. “In the earlier cycles, we are helping or equipping developers to have faster delivery of applications, but also ensuring good quality before it reaches the runtime. So, you’re actually reducing the time for delivery of applications by improving the security in earlier stages.”
By involving security testing at the beginning of the cycles, “you’re giving them more visibility into the entire picture and security device,” Taylor said. “You’re also making them more enabled by combining them with developers as they do their testing.”
When testing is implemented at the very beginning of the production cycle with the right tools, this also means QA processes are automated. “If you’re moving through that pyramid of testing and making things automated and easy to consume, then I think it’s really exciting for QA, for security and for the DevOps teams altogether,” said Ward.
Automation is also essential throughout CD for a successful shift-left approach overall. The use of automation for GitOps “always reduces the effort and the manual interaction,” Taylor said. “Imagine bigger-scale companies — you don’t have time to manage cluster by cluster — you want to be able to see results within minutes.”
Ultimately, DevOps teams today must have the right security tools in place to lock down code at the very beginning of the production cycle and while the process continues through deployment, without impeding the ever-increasing speeds at which applications and their updates are deployed. This is where the Prisma Cloud suite comes into play, Venkataraghavan said. “I’m biased obviously, but I’m super-excited because we are meeting the developers where they are and providing the context to give them the ability to make those fixes, right when this code is fresh in their heads, which is unparalleled.”