
Security Needs to Shift Left – and Right


A discussion of why it is not enough to shift security left in the software development life cycle: security measures need to be built into every stage of development and operation.
The secure lifecycle, or prevent-to-respond, idea applies in the real world as well. With security in the physical world, you need to understand basic safety measures and implement best practices – lock your doors, know where the exits are and have a fire escape plan, put kids in nonflammable pajamas, and so on. But that doesn’t mean you can disable your smoke alarms or disband your local police department. With real-world security, just as with software security, you need to focus on the whole lifecycle – from plan and educate to prevent and respond.
It’s important to realize that vulnerabilities stem from different sources and will emerge at every stage of the software lifecycle. For instance, in many cases vulnerabilities will be discovered in applications you already have in production. If you can block attacks against those vulnerabilities while they are still unpatched, you avoid emergency downtime and can fix them during planned updates. In the end, neglecting software security at any stage exposes you to risk.
Shifting security left in the real world involves things like developing a fire escape plan. In the software security world, it involves threat modeling before any coding even starts, educating and coaching developers on secure coding practices and then enabling them to test for security as they are coding.
Shifting security right in the real world involves making sure your fire extinguisher works – or, since it’s summer and I’ve got the beach on the brain, picking a beach with lifeguards even if your kids have had swimming lessons. In the software security world, it involves security testing completed code, whether it was developed internally or externally, and protecting apps that are already in production. Just as software is not static, application security isn’t either. Effective application security is not a one-and-done project, but an ongoing program that both prevents and responds to breaches at the app layer.
