AppSec Is Evolving from Shift-Left to Shift Everywhere
Test early is now test everywhere and often! There is no one-size-fits-all; it's about finding the right tools for the right job, at the right time. It's all about defense in depth.

“When increasing the speed and frequency of scans and prioritizing SCA tickets, we found enterprises that tightly integrate security testing within their CI/CD pipeline fix 91.4 percent of new issues.”
Shift-left has affected not only where in the SDLC application testing and security are implemented, but has also had a profound impact on who is responsible for security testing. Developers are increasingly becoming the primary drivers when it comes to the purchase and implementation of AppSec testing.
The reality is that business usually trumps security. Developers are incentivized to deliver functionality with as few bugs as possible, as quickly as possible. So, the trick is figuring out how to insert security into the developer pipeline to enable developers to fix vulnerabilities without slowing them down.
Seamless integration into every stage of the SDLC is continuing to become the norm for AppSec tools. AppSec teams continue to have less influence when it comes to tooling in the DevOps toolchain. As development organizations pushed back, many commercial vendors started to offer hyper-convenient scanning. Early offerings resulted in tools that found only a fraction of the vulnerability issues of a more robust AppSec tool, but the convenience and cost savings helped organizations check the compliance box.
The tug-of-war between convenience and robustness has pushed the entire AppSec industry toward tighter integrations throughout the software development lifecycle. As top-tier AppSec tools become “seamlessly” integrated into the CI/CD pipeline, we’re seeing the “shift left” mentality become a reality in organizations with mature AppSec programs. In fact, the “shift left” pendulum is swinging to “shift everywhere.” It’s really about finding the right tool for the right job, for better defense in depth.
Security has unequivocally become a critical component in DevSecOps. As vendors and tools mature, the integration and enablement experience is becoming table stakes. Quality of results and the ability to fix or reduce risks efficiently will once again matter more than just a quick scan to check the box.