Shift left security – Security by design in DevOps

Brijesh Balakrishnan

By Brijesh Balakrishnan, Vice President & Global Head of Cybersecurity Practice, Infosys

As part of accelerated digital transformation and the recent evolution of technologies, enterprises across the industry sectors have assets and applications that have a wide online surface through multiple channels like web, mobile, APIs, IoT, et al. This multi-fold increase in digital channels has also led to widening of potential attack surfaces that can be easily exploited by malicious actors.

For a long time, security and development were two distinct aspects of building products. However, the exponential rise in cyber threats and as organisations look to build high-quality products and services quickly and more efficiently, there is a need to rethink enterprise security strategy.

Shifting left in development lifecycle

The concept of shift left security moves the security inception in the software development life cycle (SDLC) from the right side (advanced phase) to the left side (initial phase). The SDLC comprises four steps – Development, Build, Test, and Deployment – where developers are the left part of the cycle. Moving anything towards their domain implies shifting left.

The shift left security strategy is essentially the practice of implementing security measures over the entire development cycle enabling teams to identify and mitigate vulnerabilities early in the development and testing phases to avoid flawed implementations or the maintenance effort of such implementations in production environment.

Early discovery of issues also allows for addressing the root causes by modifying underlying components and improving the application architecture instead of continuously putting band-aids to get by later in the lifecycle.

This approach aligns with the security by design principle – cybersecurity should be an integral part of all phases of the development instead of a post facto implementation. While businesses have been adopting DevOps, the agile methodology of continuous development and continuous deployment for faster feature releases, for a while now, there has also been a gradual move towards DevSecOps to integrate security in the mix as well.

Since shift left security enables collaboration between developers and security teams, shifting security left often comes up in the context of conversations about DevSecOps.

Shift left security is, in fact, a cornerstone of DevSecOps strategy and helps operationalise it. While DevSecOps is an organisational model to guide their approach to security, shift left security is a specific strategy in that direction.

Adoption of new security paradigm

A shift left strategy requires organisations to rethink their approach to security and clearly define security policies. It needs an organisation-wide look across the development lifecycle as well as individual business units. Of course, it is vital that such implementations are piloted in smaller projects to understand the approach and adopt to the challenges before an organisation wide deployment.

Since the strategy also impacts the company culture, it is imperative for the leadership at every level to ensure changes are appreciated and established. This also requires all stakeholders across the lifecycle to be security literate in their own capacity instead of being reliant on a set of cybersecurity experts.

The adoption of Shift Left security paradigm in enterprises has to take the three pillars of an organisation – technology, process, and people – into cognizance.

  • Technology: There is a need for integration of security tools with the CI-CD pipeline and the choice of the security tools should also be made with a goal of zero touch development and operations.
  • Process: The SDLC should be amended to allow inception of the security tasks and checks in the overall development and operation phases by adding more quality gates in the workflow and the KPIs for all stakeholders should be redesigned to measure the effectiveness of the secured SDLC process.
  • People: It is essential that organisations conduct periodic security trainings and awareness sessions for developers and managers and identify individuals with better security acumen to scale the model.

Adopting the Shift Left Security paradigm is a win-win situation for all

The shift left concept helps enterprises reduce the total cost of ownership (TCO) for developing and maintaining the applications. Additionally, since the security considerations are identified and planned for at the start, it also prevents any budget spillage later or delays in go-to-market due to compliance issues.

It helps early detection of risks and vulnerabilities which enables addressing those threats and their mitigation with minimal disruption in time without blowing up as a crisis in a production environment.

Adoption of the shift left security paradigm not only strengthens the cybersecurity maturity of the organisation to shield it from any potential attacks but also improves the information security awareness within the organisation which helps address the gap in availability of cybersecurity talent.

Shifting security left does not protect an organisation against myriad cybersecurity threats and risks, but it helps in easier and quicker detection and comprehensive mitigation of those. It is a win-win for both the developers and security teams as well as the business.


Please enter your comment!
Please enter your name here