CIO opinion
“Shifting left only works when developers get the tools and assistance they need to succeed.”
Paul Farrington, EMEA CTO, Veracode
Five key steps for shifting security left
Failing to maintain a secure digital environment is an issue that dominates conversations among tech enterprises. Paul Farrington, EMEA CTO, Veracode, discusses the practical steps organisations can take to make sure their development and security teams work better together to implement a successful ‘shift left’ process.
Shifting security ‘left’ is about more than simply changing the timing of testing. When security shifts to earlier phases of the development lifecycle, it also changes who is responsible for conducting the testing and addressing the results. Until recently, security testing would take place late in the software development process and the results were then passed back ‘over the wall’ to developers. But with the rise of DevSecOps, finding and fixing security-related defects is a shared responsibility between security and development teams.
Security testing has shifted further left into the realm of the developer. The development team now has the ability and the responsibility to embed security in the development phase, while the security team has more input in the development phase, focusing on goals and policy. This is a significant change that requires entirely new tasks, skills, priorities and mindset. But there is a big obstacle to this change: the fact that most developers don’t have secure coding skills. The reality is that most developers aren’t formally taught secure coding practices and most organisations do not offer this training for development teams.
If you shift security left into developer workflows without training and guidance, it’s likely to introduce delays in developer timelines and still produce vulnerable code. Shifting left only works when developers get the tools and assistance they need to succeed. The speed at which you receive security testing results is meaningless without the guidance needed to address those results. The following five steps can offer that guidance:
www.intelligentcio.com