Shifting Left for Improving Security Outcomes

TL;DR: Shifting security to the left, or early in the Software Development Life Cycle (SDLC), creates more effective, less costly security controls, promotes developer ownership of security principles and features, and helps reduce risk to our organization.

What does Shift-Left Mean?

Shift-left refers to a focus on security efforts early in the Software Development Life Cycle (SDLC). These early phases include developer and technologist awareness efforts, as well as secure design, development, and deployment of software.

SDLC

Shift-left is a well-known term in the software development and testing industry. It refers to both security-specific and non-security-specific testing and evaluation of an application early in the development lifecycle. A shift-left mindset helped develop some notable non-security-specific techniques such as Test Driven Development (TDD) and Agile methodologies.

What are the Benefits of Shift-Left?

The clear benefit of shift-left is that a focus on the early design and development phases translates to fewer defects in the later stages. Shift-left is well recognized as an approach that lowers the cost of defect remediation. In fact, the cost of fixing code flaws increases exponentially with each phase further to the right in the SDLC in which they are found and remediated. The 2019 Ponemon study estimated that vulnerabilities detected in the early development process cost around $80 to remediate. However, the same vulnerabilities can cost around $7600 to remediate if detected after deployment to production. This is a 9400% increase in cost!

It is worth noting that the term shift-left can be a misnomer, as it denotes a linear phased approach, rather than a continuous approach. In actuality, software is developed in an infinite cycle of continuous design, development, remediation, integration, delivery, and monitoring.

Continuous Development Life Cycle


Because each phase in the infinite cycle is discrete and identifiable, the term shift-left is still helpful in understanding the efforts in moving security earlier in the life cycle. As a mindset, shift-left is both a way to train developers, and a way to design, develop, and deploy code more securely and with less cost. So while we refer to shift-left to identify our efforts, we are not promoting the abandonment of a continuous development and deployment cycle.

What is Auth0 Doing to Shift-Left in Security?

The focus on defensive and preventive controls early in the SDLC encompasses several key initiatives at Auth0. These initiatives include the improvement of Static Analysis Security Testing (SAST), the creation and publication of the Secure Software Benchmarks (SSB), and the development of Security Champions.


Why Auth0 is 'Shifting-Left' on Security