Amidst the “Shift Left and Extend Right” security trend, developers find themselves needing to build more robust security practices into their processes. Idan Plotnik, co-founder and CEO of Apiiro, provider of an application risk management platform, discussed the ways in which developers can mitigate critical security risks in order to better protect themselves and their organization.
According to Plotnik, it is a myth that developers will be able to handle security all on their own. “I don’t think that this will happen in the next five to 10 years. What will happen is that you have something like a security champion in the development group and you have an application security program or leader across business units that is putting the security and compliance controls in place,” he said. Plotnik explained that the reason it is so challenging to shift security completely left is that doing so floods developers with alerts from too many noisy tools, with little context for any of them. “We need more context throughout this process if we want the developers to feel ownership and start helping us as security practitioners,” he said.
Plotnik believes that if more security context can be added to DevOps practices already in place, achieving an automated DevSecOps process becomes much more attainable. He said, “If you have the context and can automate it this will help DevOps move faster and allow the developers to provide more value with less time and reduce the costs and the risks early in the development process.”
A big issue that many organizations face when building security into their development processes is deciding where to start. According to Plotnik, the key thing businesses need at the start is visibility. “How can you start building an application security program or how do you start remediating risks if you don’t have the visibility? This is the fundamental thing that you need to do as a security leader… you need visibility before you can start anything,” he said. “There is another important thing and that is that you need to build trust with your team because if you don’t have that trust, everything breaks.”
Plotnik also believes that a big mistake many organizations make is to begin shifting security left with an emphasis on tooling. Here he circled back to the context and visibility he described earlier. “Don’t start with the tools, start with understanding what you have and from there you can prioritize the relevant tools and processes,” he said.
According to Plotnik, if there is one thing developers can do to counteract the challenges they face in this process it is being continuously curious about security processes. “Training or reading or just being curious because if you don’t care about it, I don’t think anything will help you. If I don’t care about my code and if I don’t care about the perception or consequences of my code on the rest of the organization, then nothing will help.”