<h1>The Three T’s of Shift Left Security</h1>
<p>Palo Alto Networks blog, published 2020-02-19. Original post: <a href="https://www2.paloaltonetworks.com/blog/2020/02/cloud-3t-shift-left-security/">https://www2.paloaltonetworks.com/blog/2020/02/cloud-3t-shift-left-security/</a>. Category: Secure the Cloud. Tags: 30 Days of Cloud, Prisma Cloud.</p>
<p><i>Summary: If your strategy for shift left security is just more work, you won’t improve dev productivity, joy or flow. Learn the three components you need.</i></p>
<p>To succeed in today’s competitive environment, organizations need to aggressively cultivate innovation, velocity and economy: <i>innovation</i> to continue to delight customers with new offers, <i>velocity</i> to get there before competitors and <i>economy</i> to protect margins.</p>
<p>In order to meet these imperatives, organizations have reinvented the way they create and manage application development and deployment, not to mention the runtime platforms that they run on.</p>
<p>The phrase “<a href="https://www.paloaltonetworks.com/blog/2019/07/4-practical-steps-shift-left-security/">shift left security</a>” seems to come with a full complement of broad statements and untested assumptions. The one I see most often is “developers don’t care about security.” This is demonstrably false.</p>
<p>Developers think a lot about software quality. When security is a key component of quality, they intrinsically care about security.</p>
<h2>Shift Left Security: The Three T’s</h2>
<p>Everyone wants to write good code; it’s just that sometimes the definition of “good” isn’t as clear as it could be. Developers also need to be productive – organizations need to get from great idea to delighted customer as quickly as possible. So developers want to write good code, create great software and hit the next sprint.</p>
<p>If your strategy for shifting security left comes only with added responsibility, it’s unlikely to improve developer productivity, joy or flow. To avoid cognitive overload and developer burnout, the shift needs to be accompanied by what I’m going to refer to as “The three T’s.”</p>
<ul>
<li>Training</li>
<li>Tools</li>
<li>Teamwork</li>
</ul>
<h3>Training</h3>
<p>Training is essential to enable developers to benefit from introducing security testing and practices early in the software development lifecycle.</p>
<p>Simply providing a dev team with a spreadsheet of discovered vulnerabilities, without the context needed to fix the identified issues and prevent them from recurring in the next feature implementation, is going to harm productivity, not help it.</p>
<p>Most developers are “lifelong learners,” but they don’t get the opportunity to learn secure coding and vulnerability remediation on the job. Fortunately, there are plenty of <a href="https://www.paloaltonetworks.com/services/education">training courses</a> available in a variety of formats to provide the skills and expertise your teams need to continuously improve application security posture.</p>
<h3>Tools</h3>
<p>While tools are not the full answer, the right tools in the right form factor can make the difference between simply <i>wanting</i> to improve security and actually implementing a successful security practice.</p>
<p>As development methodologies, application architectures and runtime environments evolve, the attack surface evolves alongside them. Cloud platforms, infrastructure-as-code and programming languages that rely heavily on packages with nested software modules all provide opportunities to introduce vulnerabilities into an application.</p>
<p>However, it’s unrealistic to expect developers to become experts in AWS IAM policies, Kubernetes API admission control, Terraform best practices and every Node.js package their application uses, and still write great code with flow and joy. They need tools that <a href="https://www.paloaltonetworks.com/blog/2019/12/cloud-native-security-platform-age/">provide automated expertise</a>, slot into their existing workflows and give usable feedback as part of the software development process.</p>
<h3>Teamwork</h3>
<p>While we’re supposed to leave the best until last, the reality is often that we leave the hardest until last. Teamwork – or really, collaboration, which sadly doesn’t begin with a “T” – is the keystone of shifting left, but it can also be the most challenging piece.</p>
<p>While process and tools can be changed with comparative ease, mindsets and behaviors are harder to adjust. And without increased collaboration between security and development teams, much of the value of injecting security earlier into the software delivery lifecycle will be lost.</p>
<p>Shifting left doesn’t mean that the development team should have a heavy new burden of complete responsibility for all security laid upon them. Nor can it mean that the security team should come in and dictate new procedures, controls and technology within the build and deploy pipeline.</p>
<p>While Mark Zuckerberg might encourage you to “move fast and break things,” a better mantra for shifting security left might be to “<a href="https://www.paloaltonetworks.com/blog/2019/09/cloud-default-aggressive-cloud-security/">move fast</a> but don’t get hacked.” Taking these two seemingly oppositional principles as your collaboration charter might give you a good place to start.</p>
<p>With this north star, the natural problem-solving nature of IT professionals can come to the forefront. Sharing responsibility for both security and velocity between teams is both a central DevOps theme and a powerful motivator of collaboration.</p>
<h2>Conclusion</h2>
<p>With the right knowledge and tools in place, and with a shared imperative to accelerate the delivery of <i>secure</i> software, you significantly improve your chances of creating secure, high-quality software, and of hitting those sprint dates. You may even find your teams enjoy it.</p>
<p>You can learn more about the proper tools in our on-demand digital summit, <a href="https://register.paloaltonetworks.com/prisma-cloud-native-security-virtual-summit">Cloud Native Security Live</a>.</p>