"Shifting (security) left" in the Software Development Life Cycle (SDLC) means starting security earlier in the process. As organizations realized that software never comes out perfect and is riddled with exploitable holes, bugs, and business logic vulnerabilities that require going back to fix and patch, they understood that building secure software requires incorporating and consolidating numerous resources.
This conclusion led DevOps and R&D leaders to become proactive, acquiring technology to find and close these gaps in advance, with the aim of reducing the cost and effort while improving the quality of their outcomes.
With emerging comprehensive continuous security validation technology, the demonstrated benefits of 'shifting left' as a fundamental part of SDLC can now be applied to your cybersecurity program, with results far exceeding the purely technical aspects of security posture management.
At the development level, the conceptualization of SDLC is the result of the convergence of numerous lines of thought to optimize the process. From a cybersecurity perspective, the same thought convergence process led to the concept of rolling out a continuous security assurance program by implementing the fundamentals of Extended Security Posture Management (XSPM) technology.
The Security Posture Management Lifecycle
Like SDLC, XSPM is born out of the need to take into consideration the entire security posture management lifecycle, including validation from an offensive perspective. Since the term 'shifting left' was coined, a plethora of detect and response solutions integrable into the CI/CD process has emerged. Yet, even postulating a perfectly integrated and optimized advanced detection and response tool stack, it will still suffer from a structural flaw. Detect and respond is a reactive approach that leaves the initiative in the hands of the attacker and presupposes the ability to detect any and all attacks.
In reality, the increasingly dynamic nature of the cyber-threat landscape and the asymmetric nature of cyber defense – an attacker only needs to succeed once, whereas defenders need to block every single attack – mean that focusing exclusively on the reactive detect and respond approach is akin to fighting the last war. The time has come to shift further left by integrating a proactive continuous security validation process.
XSPM includes all the continuous security validation elements and organizes them in a four-stage security posture lifecycle: Assess, Optimize, Rationalize, Assure.
- The 'Assessing' step consists of launching a comprehensive set of attacks covering the attack kill chain from beginning to end.
- The 'Optimizing' step identifies misconfigured security controls, enabling them to be tuned so that they often compensate for not-yet-patched CVEs and reduce the IT team's patching workload.
- The 'Rationalizing' step evaluates the efficacy of the detection and response tool stack, provides detailed information to improve its configuration, and identifies overlapping tools and missing capabilities.
- The last step, 'Assuring', includes a dynamic analytic process that can be customized as needed and used to visualize the security posture trends over time.
Productivity tops security; let's make security productive
The optimization of cybersecurity programs facilitated by XSPM's framework and technology provides for better utilization of the funds and resources invested in cybersecurity. Reducing overlap, minimizing the patching window, prioritizing workload, setting KPIs, and other benefits result directly from integrating security early on rather than retrospectively.
To achieve this combined optimization of resource allocation and security posture, both security and risk management leaders first need to establish a relatable, validated baseline. With data emanating exclusively from a detect and respond array, the reality is an unoptimized sequential process that pushes the proactive security validation step to the back of the queue and results in antagonism between siloed DevOps and SOC teams. Misaligned goals between teams lead to a chaotic flow of contradictory information that hampers decision-making, slows down operations, and can lead to unsecured deployments.
Combining the two for secure software – the benefits of baking XSPM in SDLC
When security testing only kicks in at the end of the SDLC, the deployment delays caused by uncovered critical security gaps cause rifts between DevOps and SOC teams. Security often gets pushed to the back of the line, and there is little collaboration when introducing a new tool or method, such as launching occasional simulated attacks against the CI/CD pipeline.
Conversely, once a comprehensive continuous security validation approach is baked into the SDLC, invoking attack technique emulations daily through the automation built into XSPM technology identifies misconfigurations early in the process, incentivizing close collaboration between DevSecOps and DevOps. With built-in inter-team collaboration across both the security and software development lifecycles, and immediate visibility into security implications, the goal alignment of both teams eliminates the erstwhile strife and friction born of internal politics.
Creating exponential outcomes
Shifting extreme left with comprehensive continuous security validation enables you to begin mapping and understanding the investments made in various detection and response technologies, and to act on findings to preempt attack techniques across the kill chain and protect real functional requirements.
The process equips IT teams with all they need to identify opportunities that solidify and stabilize security posture management from the very start, avoiding costly delays in deployment and minimizing the risk of successful breach attempts, while SOC teams gain precise data on which to build a threat-informed strategy.
How are you going to be proactive today about your company's security posture?
Note — This article is written and contributed by Ben Zilberman – Product Marketing Director at Cymulate.