Modern AppSec Moves Beyond Shift Left to Shift Smart
This is the third of a six-part blog series that highlights findings from a new Mend.io white paper, Five Principles of Modern Application Security Programs. Be sure to look out for our upcoming blogs on each of the five principles.
Most organizations are aware of the benefits of shifting left, or testing earlier in the application development cycle, including the ability to detect and fix bugs before production, increased reliability in testing, improved unity between developers and testers, faster time to market, and cost savings.
But organizations are also aware of the increase in cyberattacks, especially those aimed at applications. In fact, according to the Mend.io Open Source Risk Report, software vulnerabilities are the top attack vector in today’s world.
Meanwhile, the average enterprise deploys 464 custom applications — and they’re expected to deploy an additional 37 new custom applications over the next year. The result is that the average number of apps tested per quarter has more than tripled, adding stress to already overtaxed IT and security teams. And it certainly doesn’t help alleviate that stress when application security (AppSec) is a separate workflow, which is the case for most organizations.
Without question, these trends underscore the need to build a modern AppSec program designed to support demanding development cycles while also ensuring application security.
For such programs to be most effective, organizations need to shift left intelligently, making security a part of every step in the software development lifecycle (SDLC), from user stories and secure code reviews to threat modeling and secure design reviews.
Principle #2: Beyond shift left: Shift smart
So what does that mean at a practical level? Following are several recommendations for shifting left intelligently:
- Match security to the speed and automation of your DevOps environments with an eye toward fast results and automating as much as possible.
- Widen the scope of design and move away from project-by-project processes.
- Provide developers with just-in-time feedback.
- Ensure that developers can quickly and easily fix code, and don’t expect them to become security experts.
- Watch out for false positive security alerts, and add tools that can prioritize application vulnerabilities and identify those that can be safely ignored.
- Reduce tool sprawl by consolidating security tools, which lowers total cost of ownership and improves operational efficiency in the long term.