What is ‘shift everywhere’?

By BSIMM Editorial Team posted 01-28-2021 11:03:11 AM


You’ve undoubtedly heard the term “shift left” before and should understand it to mean the implementation of security testing earlier in the software development life cycle (SDLC). The BSIMM report, where this concept originated, intended for it to mean something more than simply shifting left; more broadly, it meant successful firms were moving their testing activities earlier, everywhere. “Shift everywhere,” then, is the practice of performing security testing as early as possible in every stage of the SDLC.

This year’s BSIMM11 report found this practice to be increasingly prevalent, with organizations adopting a “shift everywhere” mindset when it comes to perfecting and improving their software security initiatives (SSIs). Before we dive into activities you can do today, let’s expand upon the concept to be sure it makes sense on a basic level.

An analogy

Imagine you’re cooking soup. As the cook, you’re the tester. The ingredients represent the elements (code/artifacts) that make up your soup (application).

In a more traditional AppSec SSI, you would taste the soup near its completion. But what if the flavors were off, a vegetable had been forgotten, or an ingredient was rotten or sour? The entirety of the soup would be tainted by this one element and require considerable work to repair.

In a “shift left” paradigm, you would taste the soup earlier on, ensuring it tasted good and ingredients weren’t forgotten.

As a “shift everywhere” cook though, you would taste your food throughout the preparation process, as good cooks do, allowing you to make adjustments along the way and ensure a high-quality end result. In addition to tasting, you would understand the characteristics and qualities of the ingredients—where they came from, and whether they were grown with pesticides or grown organically. You would inspect the onions before cutting them, ensuring they weren’t rotten, double-checking the recipe for portions and instructions. In essence, the shift everywhere cook checks/tests every available ingredient involved in making the soup, and all the contributing factors that go into producing those ingredients, as soon as possible.

Best practices

So what are firms that are practicing shift everywhere doing? BSIMM11 found that “Industry-leading security teams are conducting security activities as quickly and reliably as possible. Continuous, event-based security telemetry throughout a value stream, rather than a single point-in-time analysis, should be adopted as a best practice.”

What does this actually mean for you? What can you do today?

  • Know when to test: Work to ensure you and your team know when an artifact can be tested. This ensures that it’s tested as early and effectively as possible.
  • Know how to test: Make sure your team knows the right kinds of tools and practices to use when testing an artifact. Using the wrong tools sets you back and allows for potential vulnerabilities and design flaws to sneak through.
  • Know that it needs fixing: It’s imperative that the security team understands whether an artifact’s discovered flaws really need remediation. Establish confidence that the work is actually needed before expending time and resources on the artifact.
  • THEN do it: If the fix is indeed needed, work to address it, according to its priority, ASAP.

If you haven’t already read the BSIMM11 report, check it out to read more about how industry-leading firms are building the shift everywhere mentality and practice into their SSIs.