Shift Left vs Secure By Design
Picture this scenario: you hand your 2-year-old a piece of paper and a yellow crayon. The paper has a large empty circle printed on it. You tell your kid to color inside the circle and then you leave the room. When you return after the task is completed, you see that the circle is colored, but some strokes have spilled outside the circle in many places.
To ensure that she strictly colors within the circle the next time, you decide to check in on the progress midway through the assignment. You notice where she’s about to color outside the circle, and you guide her to avoid those areas. You’ve just shifted your inspection to the left in the overall project timeline. And in essence, this is what the Shift Left approach to cloud security is all about — moving the detection of vulnerabilities earlier in the SDLC.
But you notice that while you’ve managed to reduce the number of strokes spilling out, there are still some places where the crayon has already strayed outside before you stepped in. And you know that the moment you leave to attend to something else again, you’ll find that there will be more strokes spilling out.
Finally, you sit with your child from the beginning and throughout the coloring session, guiding her whenever you anticipate a spill. Yet if you look away for a moment, there’s still a chance of an error. Even though you’ve shifted your inspection as far to the left as possible, there’s still no guarantee of the circle being colored perfectly.
As a final solution, you add a new element to the coloring process. You hand her a piece of paper with a stencil clipped on it. The stencil perfectly covers the circle, leaving no chance for a color spill, even if your kid tried. Now you can leave your kid unattended and still get a perfectly yellow circle, with no spills whatsoever. You’ve just made the whole process error-free, by design. And this is what Security by Design is all about.
Well, except that this was only for illustration, and you should never do that to a 2-year-old! Give them the full freedom to be creative! However, to a general contractor who is building your house or a cloud engineer who is building your cloud resource infrastructure, you would rather give a stencil: a set of codes that limit the choice of materials the builder can use or the security choices the engineer can make. That way, inadvertent mistakes are not made, and they feel empowered with the knowledge and expertise to make choices and decisions within the frameworks and boundaries you lay out for them. That would be a solid implementation of security by design. Let’s move from analogies to the practical and understand both Shift Left and Security by Design in the context of cloud engineering.
1. The Emergence of the Shift Left Approach
Shift Left is an approach to software testing that requires testing earlier in the software development lifecycle. Applied to security, it prioritizes testing for security early and frequently in the development process. This is the equivalent of the second and third instances in the analogy, where you monitor her progress while she is working on it. This allows you to catch mistakes early and make corrections. Every time software testing, including security testing, is shifted further left in the development lifecycle, there is a reduction in both the number of issues and the cost of remediating them, referred to as the “security tax”.
The Shift Left approach, however, does not prevent the introduction of the issues in the first place. It also has its own challenges. It requires developers to run security tests before they push out their code. This can lead to potential delays in the development process, as security testing may slow down the release cycle. Additionally, it demands a higher level of expertise from the developers and increases the complexity of their tasks. The “Security by Design” approach has emerged as a way to tackle these problems and balance security with speed, making you a cloud cheetah: fast, nimble, and strong!
2. The Need for Security by Design
Security by Design emphasizes building software or infrastructure that is foundationally secure. Going back to our example, clipping a stencil to the paper eliminates the possibility of mistakes on the child’s end. Similarly, with the right designs and constructs, Security by Design ensures that there’s no room for security flaws or mistakes when code is written or when infrastructure is deployed.
In this security-centric approach, the entire SDLC timeline is thoroughly pre-planned, prioritizing security before even a single line of code is written. The result? A seamless and robust security infrastructure that is ingrained in every aspect of the software development life cycle (SDLC). Security by Design fosters a proactive rather than reactive stance towards cybersecurity, aiming to prevent vulnerabilities from surfacing rather than merely identifying and addressing them after the fact.
3. The Way Forward
Security by Design represents a paradigm shift in how we approach software development and security. It is a holistic strategy that goes beyond mere detection and correction of vulnerabilities. By designing with the intent to prevent, detect, and remediate, Security by Design creates a resilient foundation that withstands the ever-increasing sophistication of cyber threats. It requires a deep understanding of potential risks, careful planning, and the collaboration of diverse teams, ultimately providing a proactive and comprehensive solution to the challenges of modern cybersecurity. As the digital landscape continues to evolve, organizations must shed the outdated methodologies of the past, embrace the agile mindset of a Cloud Cheetah, and secure their applications and infrastructure with foresight and intention. The Invi Grid Intelligent Cloud platform makes it easy to adopt these new paradigms of security and resiliency by design with confidence so customers can focus on innovation and signing new customer deals instead of worrying about cloud infrastructure, security and compliance.