How far left do you want to go with security?

Javier Salado - Chief Evangelist, Kiuwan
20 Oct 2017
14:55 - 15:45
CTRL room

How far left do you want to go with security?

Given the growth of the attack surface in enterprise applications and the increase of the threats prowling out there, Application Security (AppSec) challenges have multiplied for everyone involved in the software development life cycle, including operations. The biggest challenge is that those responsible for security in the enterprise, starting with the CISO, are in a different silo than those responsible for application development and operations. While DevOps initiatives are bringing together development and operations, AppSec is still too far to the right in the SDLC, because AppSec still mostly belongs to the security silo. They are securing their applications after they are developed, when they should breed them secure from inception.
This requires a huge change of gear for many enterprises that have to adapt their development process to allow a shift left of their security practices. Bridging the gap means bringing in a new initiative to the table: DevSecOps. This is not new, but I want to propose DevSecOps with a twist. Instead of the “classical” shift left of security practices, what you want to do is “extend left” the security practices. How far to the left? All the way. This means allowing security experts out of their silo to participate in the early stages of the development process, using their expertise to establish AppSec policies and using all kind of security vulnerability detection tools from the beginning and throughout the development process in order to enforce them.
This approach has its own challenges as well. Think about how you would implement the “extend left” in a very common scenario: when enterprises outsource their software development efforts. They may reduce cost, but lose control and increase risk. You need to share the AppSec policies with them and enforce them. You don’t want to accept any delivery coming from your software providers that doesn’t comply with your security policies. The way you can do this today is testing the deliveries and making sure they comply before you deploy them. This way the agility and the “extend left” of security practices go out the window.
I am proposing DevSecOps initiatives that involve software providers through a collaboration environment where enterprises can share their security policies, and software providers can enforce them from the beginning of their own SDLC to deliver secure applications that are compliant with policies from the start. This reduces the deliver-test-fix-deliver-test-…-test-deploy loop to just one iteration. At the same time, all stakeholders in the SDLC will have a comprehensive view in the collaborative environment to see how the applications are born secure, see where the gaps are and ultimately become proactive to clear them out.