March 18, 2020

4 First Steps to Help Your Organization Shift AppSec Left

By Hope Goslin

In order to stay competitive in today’s fast-paced world, organizations need to rapidly deploy new software. One way to ensure fast deployment is to take Beyoncé’s advice and move security, “to the left, to the left.” By shifting security left – to the beginning of the software development lifecycle (SDLC) – organizations gain significant business benefits. Running security tests early enables organizations to identify and remediate flaws while developers code, eliminating extensive rework and unforeseen expenses down the line. But despite realizing the importance of shifting security left, many organizations can’t figure out where to begin.

Here are four steps that can help your organization get started. 

1) Automate security from day one.

You need to do everything you can to create as little extra work for developers as possible. Developers already automate their own processes, so automated security scans fit seamlessly into their existing workflows and reduce the need for manual work.

If you decide to automate security, the first thing you should do is look at what tools you have in place, then use APIs to integrate security tools into the CI/CD pipeline. Most of our customers start by automatically kicking off static analysis scans in the build process.

2) Integrate security tests as you code.

After you automate static scans in the build process, think about integrating security tests even earlier in the SDLC. The sooner the flaw is discovered, the faster and cheaper it is for the developer to remediate. Ideally, security testing is integrated into the IDE, and flaws are discovered while the developer codes.

When deciding what stage in development to start testing, you need to consider the type of application you’re working with. For example, web applications created for modern development practices like microservices can be tested quickly and easily at the beginning of the SDLC, but legacy apps – which tend to be more monolithic – may take longer to test and require you to scan later in the lifecycle.

3) Avoid false positives with modern AppSec tools.

Originally, application security tools were designed for security professionals only. The tools would flag anything that looked out of the ordinary, and then the AppSec professionals would weed out code that was mislabeled as problematic – also known as false positives.

But now that we know the importance of moving security tests to the beginning of the SDLC, tools need to be developer friendly. In order to be developer friendly, the tools need to have a low false-positive rate. Why? Because developers don’t typically have enough security knowledge to quickly identify false positives. Also, false positives create rework for developers, slowing down deployments.

Seek out new, modern AppSec tools designed to limit false positives.
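As an added example (not from this post or from Veracode’s tooling), here is the kind of build gate that step 1’s automation and step 3’s false-positive handling call for: it reads a scanner’s SARIF output, drops findings a reviewer has already triaged as false positives, and fails the build only on what remains. The SARIF sample, rule names and file paths are constructed, and the scanner name `example-sast` is hypothetical.

```python
import json

# Constructed sample in SARIF 2.1.0 shape (the interchange format many
# static-analysis tools emit); not real scanner output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},  # hypothetical scanner
    "results": [
        {"ruleId": "sql-injection", "level": "error", "locations": [{
            "physicalLocation": {"artifactLocation": {"uri": "src/db.py"},
                                 "region": {"startLine": 42}}}]},
        {"ruleId": "hardcoded-secret", "level": "error", "locations": [{
            "physicalLocation": {"artifactLocation": {"uri": "tests/fixtures.py"},
                                 "region": {"startLine": 7}}}]},
        {"ruleId": "weak-hash", "level": "warning", "locations": [{
            "physicalLocation": {"artifactLocation": {"uri": "src/cache.py"},
                                 "region": {"startLine": 15}}}]},
    ]}]})

# Findings a reviewer has already triaged as false positives, keyed by
# (rule, file) and kept in the repo so each decision is reviewable.
TRIAGED_FALSE_POSITIVES = {("hardcoded-secret", "tests/fixtures.py")}


def findings(sarif_text):
    """Flatten SARIF results to (rule, file, line, level) tuples."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            out.append((r["ruleId"], loc["artifactLocation"]["uri"],
                        loc["region"]["startLine"], r.get("level", "warning")))
    return out


def gate(sarif_text, suppressed=TRIAGED_FALSE_POSITIVES, fail_on=("error",)):
    """Return (blocking findings, exit code) for the build step."""
    # Only findings at a failing level that are not on the triaged list
    # block the build; warnings are still reported but do not fail it.
    blocking = [f for f in findings(sarif_text)
                if f[3] in fail_on and (f[0], f[1]) not in suppressed]
    return blocking, (1 if blocking else 0)


if __name__ == "__main__":
    bad, code = gate(SAMPLE_SARIF)
    for rule, path, line, level in bad:
        print(f"{path}:{line}: {level}: {rule}")  # CI acts on the exit code
    raise SystemExit(code)
```

Run it as a pipeline step right after the scanner writes its results file; a non-zero exit fails the build, and the triaged list is reviewed in the same pull request as the code that changes it.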

4) Shift security knowledge left.

When you move security to the beginning of the SDLC, developers are expected to take a more active role in application security testing. Since most developers don’t have formal security training, it can be challenging to get developers to prioritize security protocols.

One way to help make developers more security-minded is to create a relationship between the security and development teams. If the two teams understand each other’s priorities and pain points, developers will be more willing to embrace and learn about security, paving the way for a security champions program. Security champions are developers who have an interest in learning more about security. They undergo formal training and become security advocates on their development team. When you have a security champions program, security becomes top of mind for developers, improving the quality of code, reducing bottlenecks at the security review stage, and increasing the speed to deployment.

To kick off a security champions program, gain buy-in at the management level and ensure that security is a shared goal between security and development teams.

Shifting security left might seem like a heavy lift in the beginning, but the payoff is well worth it. Your organization will be able to find and remediate flaws and deploy new software faster, giving your organization a competitive advantage.

Learn more about shifting security left in our recent guide, AppSec Best Practices vs Practicalities: What to Strive for and Where to Start.

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.