Integrating security in the early stages of the development lifecycle, otherwise known as shifting security left, is one of the hottest topics today. We hosted a roundtable discussion with over 70 of Glilot’s Advisory Board members, who are some of the world’s leading cybersecurity experts, to explore the topic together. We discussed what shift-left really means and its impact both culturally and practically.

Some of Glilot’s Advisors joining the discussion were Gerhard Eschelbeck-former CISO at Google and current Advisor for the International Olympic Committee, James Faxon-Deputy CISO at Marathon Petroleum, Les Correia-Interim Global Head of Application Security at Estee Lauder, Cuneyt Karul-Director of Information Security at Bluecat Networks, Christopher Zell-VP and Head of Information Security at Wendy’s, Guy Flechter-CISO @ Appsflyer, and Michael Cena-Head of Cybersecurity at A+E Networks.

Given the enthusiasm over the topic, we just had to share these insights with our readers.

What does it really mean to shift left?

When asking Gerhard Eschelbeck, former CISO @ Google and current Technology and Digital Advisor for the Tokyo Olympics about the shift-left movement, he explained what it really means: “There are many interpretations of “Shift-Left”, but most fundamentally, Shift-Left is intending to bring in security early in the development cycle.”

We couldn’t agree more-In fact, since the beginning of modern computing, there has been a clear separation between R&D and security, and hence, the teams. When thinking about application development, for example, the process usually began at the conception stage and moved through design, develop, build, and test, with security often being the last step prior to deployment. As you might imagine, this was costly both in money and time, and ultimately, increased organizational risk.

Guy Flechter, CISO at Appsflyer, agreed and further added that: “’Shift left’ is above all managing all aspects of your security efforts in your CI/CD pipeline and providing your Dev and DevOps team the ability to consume security in a self-service mode without the need to consume security resources.”

Moreover, Gerhard emphasized how the movement actually strengthens the security of an organization: “Learning from the success of the DevOps movement, Shift-Left introduces continuous security during check-in, build, and deployment cycles. Conducting frequent, smaller changes and detecting and fixing security issues early is one of the significant benefits. The overall outcome of Shift-Left is improved security.”

It seems that while the shift improves security, it also provides developers with greater benefits.

With Great Power Comes Great Responsibility… and Great Benefits

Some of the benefits of shifting left for both developers and security teams are:

• Reducing time on repair & maintenance of security issues and resulting in quicker time to deployment
• Reducing cost
• Maintaining software integrity and ensuring compliance with standards of software development
• Reducing risk and increasing overall protection for the organization

Sharing (Responsibility) is Caring

As developers and security teams enjoy the benefits of shifting security left, one of the most important cultural aspects to speeding the transformation is a mutual understanding that responsibility is shared.

Les Correia, Interim Global Head of Application Security at Estee Lauder agrees and says, “Raising awareness that security is a shared responsibility (everyone’s responsibility) is critical. Teams must be encouraged to believe that there is value in self-organizing, collaborative, cross-functional teams driven by common delivery mindsets.”

But how exactly should responsibility be shared?

Les says, “There are several techniques to reduce friction, such as establishing and training security champions in all areas of an organization and enabling cross-training across security, development, business, and operations to share knowledge and ideas.”

Les elaborated on how cross-training allows the teams to work through challenges together: “Aspire towards growing security practice communities to enable cross-training. Cross-training encourages integration across teams so that resources see the problem and solution through the eyes of others. E.g., by embedding a resource from the security team into the development team to learn how developers work through their challenges. Similarly, having operations and infrastructure engineers discuss with business analysts to obtain customer interaction requirements.”

Gerhard agreed with him and emphasized the CISO’s role as a change-agent in enforcing the cultural aspects of sharing responsibility: “CISOs and Security often get branded as a “bottleneck” in an organization. With the Shift-Left movement collaboration, removing silos, and development of a security culture is evermore important. Shift-Left is a great opportunity to change this perception by becoming a mentor/supporter of the development teams.”

In essence, the CISOs are provided with an opportunity for cultural impact, to change what has been a 20-year old perception of security into something different.

Best Practices to Shift Effectively

Some best practices on shifting left were also discussed, such as empowering developers to utilize tools that enable automated security testing at scale.

Michael Cena, Head of Cybersecurity at A+E Networks, says: “At A+E, we started with the QA team. We empowered them to perform web app scans as part of the QA process. They log the security issues in JIRA the same way they log a defect. This way, high severity issues get fixed before apps go to UAT.”

Mike also emphasized how this was beneficial for the developers: “ Once this started going well, developers saw that remediating security issues early didn’t impact deadlines like when the scans happened at the end of the process. We’ve been able to add security checks into other parts of the pipeline since then.”

To Summarize…

Glilot Capital’s Advisors explored how shifting security left results in greater organizational protection. The shift enables developers to have greater control as well as enjoy benefits, like quicker time to deployment. It also is an opportunity for the CISO to become a change-agent, providing an exciting chance to transform a traditional perception into a more innovative and forward-thinking one, with a huge potential for organizational impact.

• Lightlytics, who help DevOps and SecOps simulate configuration changes on the security posture of production before deployment and validate alignment with security standards
• Lightrun, who are shifting observability left
• Ermetic, who are doing shift left for identity and access governance by making it possible for cloud teams and security teams to work together seamlessly to manage access entitlements across their public cloud deployments.

A big “Thank You” to our Advisors who participated in the discussion.