Last Updated on September 8, 2023
If you’re initiating a web application security (DevSecOps) process, the best place to start is at the beginning of your software development lifecycle (SDLC). This is what is meant by “shifting security left” to the earliest possible point within a development/deployment timeline.
The initial phase when you’re architecting a solution and planning its capabilities prior to coding is the ideal time to start addressing cybersecurity concerns, including risk analysis and threat modeling. This is in direct contrast to the traditional application security approach, where thinking about security is a “speed bump” at the end of the development pipeline, right before shipping the product.
“Look at securing your application as it’s getting architected and you are making the big decisions about what technologies to use, what platforms to support, what programming languages are we going to use,” recommends André Keartland, Solutions Architect at Netsurit. “At that stage, you need to have somebody wearing a security hat. Or preferably everybody in the room wearing a security hat and saying, ‘How do we make sure that this app is adequately secure?’ Because the time you’re going to spend sorting out your security at the beginning is going to save you a lot of time, money, and effort later on down the process.”
Initial choices about an app’s configuration will have major security impacts. Bad security choices at the outset, such as picking “easy” over “secure,” will be extremely difficult to change without going back and rewriting big chunks of code. Likewise, with an existing application, whatever is being refreshed or rearchitected should reflect security considerations from the earliest discussions.
IoT example
To illustrate the benefits of shifting DevSecOps left, consider an application with an IoT component. IoT systems are significantly harder to patch than most other applications, which is a big security risk factor. IoT systems are also usually resource constrained and can’t run complicated security code.
Plus, once an IoT device is in place in an industrial environment, the users very often don’t want to “touch the tech” because a software problem could shut down an operational process and cause costly downtime in the mine or factory. Poor upfront security choices that introduced vulnerabilities might be effectively irreparable, putting users at risk.
What’s next?
For more guidance on this topic, listen to Episode 114 of The Virtual CISO Podcast with guest André Keartland from Netsurit.