
SANS report: Securing the shifting landscape of application development

Charlotte Freeman

Apr 03, 2024 / 2 min read

Major shifts in application development are creating new and significant security risks. Continuous integration/continuous delivery (CI/CD) pipelines and technology advances like automation and AI mean the development process is now so complicated and fast-moving that corporations, DevOps directors, and security groups struggle to understand and manage it, let alone defend it from attacks. The recent SANS Institute white paper, “Shift Left to Shift Everywhere: Continuous Development’s Impact on Security,” offers a fascinating glimpse into the state of DevSecOps and presents a comprehensive analysis of survey demographics, key findings, and critical focus areas.

The expanding attack surface

The white paper explores how ongoing changes in the development process can introduce complexities that make establishing security practices difficult and inconsistent, even for experienced security practitioners. Issues that challenge DevOps security programs include:

  • Insecure access controls
  • Poor credentials management
  • Vulnerable software dependencies
  • Unsecured development pipelines and supply chains
  • Lack of visibility into the end-to-end DevOps process

It’s important to recognize how damaging a security failure in the DevOps process can be. Developers work on projects that affect internal users, external partners, enterprise customers, end users, and other third parties. This dramatically extends the potential impact of a security failure—malicious, weak, or vulnerable code introduced in development can end up anywhere in the enterprise. And if that bad code remains undetected, it’s likely to end up in the final product.

The urgency to shift everywhere

A new approach to securing the software development life cycle (SDLC) is urgently required—one that applies continuous testing to continuous development. “Shift Left to Shift Everywhere: Continuous Development’s Impact on Security” dives deep into how to accomplish this, including ways to identify, remediate, prevent, and mitigate threats and vulnerabilities across every step of the development process. This requires building on, and moving beyond, the widely employed “shift left” security framework to an approach that’s increasingly being called “shift everywhere.”

In a shift everywhere approach, it’s important to instill an awareness of the critical roles developers and many other stakeholders play in security, and then to cultivate their security skills so they can quickly fix or preclude risks. By embracing this paradigm shift in application development, enterprises can prioritize security without compromising agility and innovation. A proactive DevSecOps approach, characterized by continuous testing, collaboration, and advanced technologies, is essential to safeguarding digital assets and maintaining trust within your organization’s development ecosystem. Applying DevSecOps principles in this way lets organizations navigate the complexities of modern development while guarding against emerging threats.

Implementing DevSecOps technologies

“Shift Left to Shift Everywhere: Continuous Development’s Impact on Security” discusses how organizations can implement key technologies such as static application security testing (SAST), software composition analysis (SCA), interactive application security testing (IAST), dynamic application security testing (DAST), and runtime application self-protection (RASP) to fortify the SDLC. These tools, integrated into CI/CD pipelines, facilitate early detection and remediation of vulnerabilities.
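To make one of these pipeline gates concrete, here is an added example of a minimal software composition analysis (SCA) check of the kind a CI/CD stage would run before a build is allowed to proceed. It is not code from the SANS white paper or from Black Duck; the advisory feed, package names, and advisory identifiers it uses are constructed placeholders, and the manifest format is a pinned requirements.txt-style list. Real SCA tools pull from curated vulnerability databases and resolve transitive dependencies; the point here is only the gate logic: parse the declared dependencies, match them against known-vulnerable version ranges, fail closed on anything it cannot parse, and return a non-zero status so the pipeline stops.

```python
"""Minimal SCA gate for a CI/CD stage (added example; constructed data).

Reads a pinned manifest (``name==version`` per line), compares each pin
against a constructed advisory feed, and returns an exit status the
pipeline can act on: 0 = pass, 1 = blocking finding, 2 = unparsable
input (fail closed).
"""
import re
import sys

# Constructed advisory feed. Identifiers and packages are placeholders,
# not real advisories. A version is affected when
# introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "examplelib",
     "introduced": (1, 0, 0), "fixed": (1, 4, 2), "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "package": "otherlib",
     "introduced": (0, 0, 0), "fixed": (2, 0, 0), "severity": "medium"},
]

# Only exact pins are accepted: a range such as ">=1.0" cannot be
# evaluated against an advisory, so the gate refuses it.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); tuples compare numerically component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {package_name_lowercased: version_tuple}.

    Raises ValueError on any unpinned or malformed line so the caller
    fails closed instead of silently skipping a dependency.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {raw!r}")
        deps[match.group(1).lower()] = parse_version(match.group(2))
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return a list of findings for pins that fall inside an affected range."""
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is None:
            continue
        if adv["introduced"] <= version < adv["fixed"]:
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "version": ".".join(map(str, version)),
                "fixed": ".".join(map(str, adv["fixed"])),
                "severity": adv["severity"],
            })
    return findings


def gate(manifest_text, fail_on=("high", "critical")):
    """Evaluate a manifest. Returns (exit_code, findings).

    Findings below the blocking threshold are still returned so they can
    be reported, but they do not stop the pipeline.
    """
    try:
        deps = parse_manifest(manifest_text)
    except ValueError:
        return 2, []  # fail closed: the gate could not evaluate the input
    findings = find_vulnerable(deps)
    blocking = any(f["severity"] in fail_on for f in findings)
    return (1 if blocking else 0), findings


def main(argv):
    path = argv[1] if len(argv) > 1 else "requirements.txt"
    with open(path, encoding="utf-8") as fh:
        code, findings = gate(fh.read())
    for f in findings:
        print(f"{f['severity'].upper():8} {f['id']} {f['package']}=="
              f"{f['version']} (fixed in {f['fixed']})")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the script would run as its own stage with the exit status propagated, so a high-severity match blocks the merge or deployment while lower-severity findings surface in the job log for triage. Padded tuple comparison means a pin such as `1.4` sorts below `1.4.2`, which matches how version ranges are usually interpreted; a production tool would use a proper version-parsing library rather than this simplification.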
