For effective DevSecOps, shift left AND extend right

Published: June 4th, 2019

DevSecOps has come to be known by many as the shifting left of security, making it a key part of software development while code is being written, as opposed to trying to put security onto the application after it’s completed.

This follows the trends of DevOps, which moved operational considerations for applications into development, as well as software testing — though the term DevTestOps hasn’t really caught on.

And DevSecOps, like many initiatives in their early stages, has awareness but often is not well understood. “People recognize the term DevSecOps and have a general notion of what it means,” said Jeff Williams, co-founder and CTO at Contrast Security. “It means shifting left and automating security somehow, but in practice we’re really just at the very early stages of this. I think most folks don’t have a very well-formed idea of exactly what they need to do DevSecOps. In fact, I think most people get it dramatically wrong.”

Shifting left, of course, puts even more responsibility on developers, who have been trained to write code, and even find and correct errors in code, but who largely have not been trained on security best practices.

“People have this idea that shifting left is taking the things you’re currently doing and pushing them on to the developers,” Williams said. “I call it shitting left. It doesn’t work. The way that security works today is largely built around experts, using expert tools. You can’t just take those same tools and shove them onto developers who don’t have the skills or background to be effective using them, and expect great results. All you’re going to do is create a lot of alienated developers who don’t do good security. You’re probably going to end up hurting security overall.”

That could be problematic for organizations where security is a priority, as 73 percent responding to a recent Forrester study said it is. Trusting developers alone with security is the wrong approach, as developers are often the ones introducing insecure code into their applications through the use of open-source components.

The Forrester report found there were 17,308 vulnerabilities published in 2018, up 23 percent from a year earlier. It also indicated that a best security practice would be to have developers reduce the attack surface in their applications as they code. “Today’s reality is that developers don’t code securely,” the report stated. “When measured against major industry vulnerability standards, 70 percent of applications fail security testing on the first scan.”

None of this is to say developers are at fault here. Forrester noted that the top 40 computer science programs in the United States do not require secure coding or application design in their curricula.

Yet Williams cautioned against taking too much of a developer-centric view of DevSecOps, and noted that many people trying to do it correctly simply forget about the ‘extending right’ part of DevSecOps.

Particularly in application security, Williams said most organizations don’t have any idea of who’s attacking them, or what attack vectors they’re using to go after them, or what systems they’re targeting. Large organizations, he said, are blind at that level and they don’t have a way of stopping those attacks or using intelligence of how they’re being attacked to drive their security strategy. “It’s that kind of feedback loop that’s one of the real characteristics of DevOps,” he explained. “Someone attacks you using a new attack, that should instantly drive changes in the product. But we don’t have that feedback loop, so really, when I think about DevSecOps, it’s about continuing to do what you do now — generate assurance — but extend left and extend right. This idea of shifting left is dumb, and dangerous. It’s unfortunate, but those [advocating shift left] are people who haven’t thought it through very well.”

Doing DevSecOps effectively
Today, many organizations are just taking the DevSecOps name and pinning it on trivial modifications of what they’ve been doing, and it’s not really that, Williams said. “DevSecOps is a fundamental transformation of security the way that DevOps is a fundamental transformation of the way we build software,” he explained. “My friend at Comcast runs their security program and says, ‘Vendors are putting DevSecOps lipstick on a traditional security pig, because they’re not fundamentally changing how their products work; they’re just kind of taping them onto a DevOps pipeline and going, ‘Yep, we’re DevSecOps! Look!’ ”

Williams went on to say the organizations that are doing DevSecOps effectively are being smart about security across the entire software life cycle. “In dev, what that means is you empower developers to find and fix their own vulnerabilities, fix their own code, and check in clean code,” Williams said. “Seems pretty straightforward, and automation is a big part of that. It’s got to be accurate, because developers don’t have time or skills to deal with inaccuracies. If we can achieve that in dev, there are some really good downstream benefits from that. In CI/CD, both traditional and what we might call QA, in that stage, I think the goal has to be to generate assurance; that what you’re pushing into production has been thoroughly tested and is free of vulnerabilities.”

Traditionally, this assurance came from a big test after the application was complete. So by pushing all that to the left, that final assurance is lost. But, if security has been factored in earlier in the process, the big test should find nothing because tests were done along the way and any found vulnerabilities would have been remediated.

There is no assurance, though, that an effort to do DevSecOps effectively will succeed, because — like Agile, DevOps and Value Stream — the methodologies are not prescriptive. Organizations are usually left to their own devices to determine how they are going to realize the benefits.

“There’s some real value in DevSecOps and I don’t want to see the term get watered down to apply to anything that’s security,” he said. “I think it really does mean something. When I go back to the fundamental principles of DevOps, things like breaking down the work into small pieces to create flow, creating tight feedback loops and creating a culture of innovation and learning, those three things, if you interpret them for security, that’s DevSecOps. So that means breaking security work down to small pieces to create flow; it means creating tight security feedback loops, and it means creating a culture of security innovation and learning.

“Those are the three ways of DevOps and I think they’re essentially the same for security,” he added. “But very few organizations are really focused on that. They’re focused on let’s buy some new tool and plug it into our CI/CD pipeline, and bam! We’re DevSecOps. But that is not how it works. You’re not going to achieve a transition overnight. You’re gonna have to do it piece by piece over the course of years.”

DevSecOps, by its very definition, encompasses the entire stack, from coding, to UI, to the infrastructure it’s running on, and Williams added that the whole stack is turning into software. “If you’re deploying into the cloud, you’ve got a container on top of that, maybe you’ve got an app server running in the container, you’ve got libraries in the app server in the container, and you’ve got trusted code running on top of the app server.. but it’s all really software.”

Inside out, outside in, perpetual change
To have an effective DevSecOps practice, you have to approach security at each layer of the stack. If you’re running containers, you’ll need to create rules to ensure that the container has no vulnerabilities, is built with the proper defenses, and that it’s being monitored at runtime.

“The old way we used to do that is with what I’ll call an outside-in approach,” Williams explained. We used to put a firewall around it and scan the shit out of it, and try to see if the whole thing is secure. The problem is, modern architectures are much too complicated for that. I think the effective approach today is to get inside the thing we’re trying to secure. If you’re trying to secure a container, you need to be inside the container asking those questions about security. If you’re trying to secure an app server, you need to be inside the app server. If you’re trying to secure custom code, you need to be inside that custom code. That’s where you have all the information to make a smart decision about whether something is secure or not.”

What Williams described is an instrumentation-based approach to security. Contrast Security, he said, doesn’t do container or cloud security. What Contrast does is instrument the application layer so vulnerabilities can be found and so the team can prevent vulnerabilities from being exploited at runtime.

“If you zoom out and look at that, you can imagine instrumenting each layer of the stack with the right products, and then that stack is secure. It secures itself. And then you can put that stack wherever you want. If you want to put it internally, in an internal data center, great. If you want to put it in the cloud, great. The security goes with the code. For me, we’re talking about securing everything, and that’s a very DevOps/Cloud/Container kind of way of doing security. It doesn’t matter if you’re rolling out tons of elastic servers or you’re spinning up containers all over the place, because the security goes with the code. Trying to do that kind of protection with an outside-in approach is impossible, because you can never keep the walls up around everything, and you can never scan everything from the outside, because what’s in there keeps changing, moving.”

As Williams said, automation must play a big role in DevSecOps, because automation is what creates the guardrails around your development pipeline, to ensure no bugs or vulnerabilities sneak into the code and gets pushed into production. “So you have this automated pipeline that does all that work; that optimizes for the developer the ability to create new functionality and push it into production quickly,” Williams said. “All security, especially application security, has massive scale problems. There’s just not enough people to do the work the old way, so you have to automate. Most big organizations, they’re really only doing effective application security on 10 percent of their applications. They only secure the public-facing stuff, or the ones they deem to be critical. They’re not securing all their applications, and it’s a huge risk. The only way to fix that problem is we’ve got to change the economics. We’ve got to figure out a force multiplier, and I believe that is DevSecOps. By empowering developers, we can use the big machinery of software development to do the security work.”

Article Tags

Contrast Security, DevSecOps, OWASP, shift right, shift-left

About David Rubinstein

David Rubinstein is editor-in-chief of SD Times.

View all posts by David Rubinstein

Cookie	Duration	Description
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_S6PB8V57DG	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_846073_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_jsuid	1 year	This cookie contains random number which is generated when a visitor visits the website for the first time. This cookie is used to identify the new visitors to the website.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
WMF-Last-Access	1 month 14 hours 26 minutes	This cookie is used to calculate unique devices accessing the website.

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_pxhd	session	Used by Zoominfo to enhance customer data.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
__Secure-YEC	1 year 1 month	No description
_heatmaps_g2g_100754890	10 minutes	No description
_techvalidate_session	session	No description
cf_7166_id	20 years	No description
cf_7166_person_last_update	session	No description
f5avraaaaaaaaaaaaaaaa_session_	session	No description available.
GoogleAdServingTest	session	No description
Gyazo_cfwoker	7 years 2 months 17 days 7 hours	No description
incap_ses_451_2783402	session	No description
incap_ses_769_2783402	session	No description
loglevel	never	No description available.
m	2 years	No description available.
nlbi_2783402	session	No description
prism_252377639	1 month	No description
TS011605d9	session	No description
ustream-guest	session	No description available.
visid_incap_2783402	1 year	No description
xtc	1 year 1 month	No description

AI

AI and Software Development

Observability

Guide to Observability

CI/CD

A guide to CI/CD

Cloud Native

Cloud Native Content

Data

A Guide to Data

Test

Automation

Mobile

Mobile Testing

API

Sponsored by Parasoft

Performance

Load & Performance Testing

DevSecOps

A Guide to DevSecOps

Enterprise Security

A Guide to Security

Supply Chain Security

Supply Chain Security

Dev Manager

Dev Managers Content

Agile

A Guide To Agile

Value Stream

A Guide To Value Stream

Productivity

A Guide To Productivity

DevOps

DevOps Content

Microservices

A Guide to MicroServices

AI

AI and Software Development

Value Stream Management

A Guide To Value Stream

For effective DevSecOps, shift left AND extend right

Article Tags

Subscribe to SDTimes

About David Rubinstein

Related Articles

Report: Java is the language that’s most prone to third-party vulnerabilities

Security, automation and developer experience: The top DevOps trends of 2024

The Importance of Prevention: How Shifting Left, Static Analysis and Unit Testing Create Better Code Quality

JFrog announces partnership with AWS to streamline secure ML model deployment