Shifting Left and what it means for your organisation
As organisations need to deliver applications and services at a faster pace, continuous integration and continuous deployment have come to be seen as the key to faster delivery.
DevOps adoption has become widespread because of the obvious advantages it provides organisations. Security now needs to move at the same pace as the rest of the organisation, and DevSecOps is the answer to that need. It uses the same underlying principles, with developers, operators, security researchers and business analysts all moving together and collaborating to build and deliver applications.
Using the CAMS model, coined by Damon Edwards and John Willis, DevSecOps can be understood as a practice that starts with a people-first approach. CAMS stands for culture, automation, measurement and sharing.
Culture
A faster-moving, more flexible organisation starts with the people in it. These organisations focus on communication and bring multiple disciplines together to break down silos. When all disciplines in an organisation share responsibility, everyone understands the goals together. The pioneers of these concepts encourage a high-trust culture in which people are empowered to learn and adapt.
Automation
With automation embedded in every part of the deployment process, failing faster becomes easier. This is not about failing frequently, but about discovering issues sooner so they can be addressed and built upon. Automation also creates faster feedback loops and a mechanism for tracking delivery.
Measurement
Metrics on how particular practices affect software delivery and security can be used to inform decisions for the wider team. This also allows the business to measure velocity and adjust the organisation's goals and needs as part of the delivery process. If the right metrics are available, risk and threat analysis can take place as part of the software development lifecycle.
Sharing
DevSecOps relies on all parts of an organisation communicating and talking to each other. As the culmination of a high-trust culture, sharing becomes easier. Developers communicate with security directly, creating feedback loops that increase visibility and provide insight organically.
In simple terms, DevSecOps allows security to be considered earlier in the development process. This is also referred to as "shifting to the left". Adopting these practices should reduce reliance on the core skills of the security team and spread the responsibility in layers, allowing for "defence in depth".
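The Automation and Measurement parts of CAMS are easiest to see in a concrete pipeline step. The following is an added example, not code from the original post or from any named tool: a small security gate that a CI job would run on each build. It reads scanner findings (the JSON shape and the sample findings are constructed assumptions for this example, not the output of a real scanner), emits severity counts as a metric the team can trend, and fails the build when findings at or above a configurable severity are present, so the issue surfaces at the commit rather than after deployment. The allowlist parameter is an assumed mechanism for accepted risk that has been reviewed and recorded.

```python
"""Added example: a minimal shift-left security gate for a CI pipeline.

Reads scanner findings, applies a severity policy, emits metrics and returns a
pass/fail result so the pipeline fails fast instead of discovering the issue
after deployment. The finding format is an assumption made for this example.
"""
import json
from collections import Counter

# Severity ordering used by the policy; higher number is more severe.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (not from a real tool); used for the demo.
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "severity": "high", "component": "libexample", "title": "Outdated dependency"},
    {"id": "F-2", "severity": "low", "component": "app", "title": "Verbose error message"},
    {"id": "F-3", "severity": "critical", "component": "auth", "title": "Hard-coded secret"},
    {"id": "F-4", "severity": "medium", "component": "app", "title": "Missing security header"},
])


def parse_findings(raw):
    """Parse the (assumed) JSON finding list and normalise severities.

    An unknown severity is treated as a pipeline error rather than ignored, so a
    scanner format change cannot silently turn the gate into a no-op.
    """
    findings = json.loads(raw)
    for finding in findings:
        sev = str(finding.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(
                f"unknown severity {finding.get('severity')!r} in finding {finding.get('id')!r}"
            )
        finding["severity"] = sev
    return findings


def summarise(findings):
    """Measurement: counts per severity, always reporting every level (zero included)."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def evaluate_gate(findings, fail_on="high", allowlist=()):
    """Automation: return (passed, blocking_findings) for the given policy.

    A finding blocks the build when its severity is at or above `fail_on` and
    its id is not in the reviewed allowlist.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= threshold and f["id"] not in allowlist
    ]
    return (len(blocking) == 0, blocking)


def run_gate(raw, fail_on="high", allowlist=()):
    """Run the whole step and return a result dict suitable for logging as a metric."""
    findings = parse_findings(raw)
    metrics = summarise(findings)
    passed, blocking = evaluate_gate(findings, fail_on, allowlist)
    return {"passed": passed, "metrics": metrics, "blocking": [f["id"] for f in blocking]}


if __name__ == "__main__":
    import sys

    result = run_gate(SAMPLE_FINDINGS)
    print(json.dumps(result, indent=2))
    # Non-zero exit is what makes the CI job fail fast.
    sys.exit(0 if result["passed"] else 1)
```

Run on the constructed sample the gate fails the build because of F-1 (high) and F-3 (critical), while the metrics dictionary records one finding at each level; raising the threshold to `critical` leaves only F-3 blocking. Writing the metrics out on every build, passing or failing, is what turns the gate from a one-off check into the kind of trend data the Measurement section describes.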
The Federal Trade Commission’s public whitepaper highlights this.
When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant.
Further Reading
I’d highly recommend reading through some of Jez Humble’s work. “Continuous Delivery” and “Accelerate” are must-reads in my opinion. This also includes some of his published papers.
J. Humble and M. Joanne. Why enterprises must adopt devops to enable continuous delivery. The Journal of Information Technology Management
The devsecops blog has a good diagram of where “shifting to the left” comes from: Shifting Security to the Left – devsecops.
I’ve also found the FTC’s “Start with Security” paper a good business guide for security: https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf