As malware deployment and targeted tactics evolve, the FBI warns these attacks will continue, further endangering public health and safety and resulting in significant financial liabilities.
The imperative to secure state and local IT infrastructure illustrates the ongoing struggle technology teams are under to quickly develop high-performing, highly secure software and applications.
One approach CIOs, CISOs and chief privacy officers can embrace is “shifting left.” A shift left refers to moving software testing as early in the software development process as possible. This method ensures agencies — specifically DevOps teams — can identify security vulnerabilities, bugs and errors early on and fix them. The result? High-performing, highly secure software and applications, service delivery continuity, and higher public trust levels.
Here are four steps DevOps teams can take to successfully embrace the concept of shift left.
DEFINE THE SECURITY STRATEGY
DevOps leaders must identify team responsibilities, formalize and implement processes to maximize security, determine what kinds of tests they will run and how often, and establish metrics for success. Teams should also identify and prepare for specific known vulnerabilities that could lead to issues (the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog is a good source).
Security needs to be a core competency for all organizations and processes, which is why a cybersecurity standard centered on people, infrastructure and software development is an ideal starting point. Align on a strategy designed to help your organization create a more secure environment and build systems centered around transparency and maximum visibility.
UNDERSTAND THE DEVELOPMENT PIPELINE AND DEPLOYMENT PROCESS
As government organizations shift left, they must understand the myriad tools and processes involved in building and releasing software and applications. Only then can they begin testing in build pipelines, checking code validity and more.
One solution helping DevOps teams map and understand the technology at play in their pipelines is observability.
Observability ensures a single-pane-of-glass view across applications, databases and infrastructure — no matter how distributed — and is key to understanding application performance, user experience and dependencies across the environment. Some observability solutions incorporate live code profiling designed to automatically shine a light on potential user issues, security gaps or performance bottlenecks before any code is shipped.
IMPLEMENT SECURITY AUTOMATION
Automation is a powerful tool for streamlining software testing, for a couple of reasons. First, manual testing is time-consuming and can introduce errors. Second, the shift left means testing software as early and often as possible, which can quickly result in overloaded DevOps teams.
Tools designed to automate running tests can alleviate this problem. In addition to reducing the pressure on DevOps teams, automation ensures faster discovery of, and feedback on, vulnerabilities in the software code. Deploying automation during the development cycle also speeds software delivery while ensuring fewer security issues surface later.
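As an added example (not from the article or its author), the following Python gate ties the first and third steps together: it checks a build's dependency-scan findings against a constructed excerpt shaped like the CISA Known Exploited Vulnerabilities catalog and fails the pipeline stage when a known-exploited CVE is present, while lower-risk findings only block above a CVSS threshold. The CVE identifiers, scanner output format and threshold are constructed placeholders; the catalog field names assume the schema of CISA's public KEV JSON feed.

```python
import json

# Constructed excerpt shaped like CISA's KEV feed. Field names mirror the
# public JSON feed (assumption); the CVE ids are placeholders, not real entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "libwidget",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "requiredAction": "Apply updates"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "netlib",
     "dateAdded": "2024-02-02", "dueDate": "2024-02-23", "requiredAction": "Apply updates"},
]})

# Constructed output of a hypothetical dependency scanner run in the build stage.
SCAN_FINDINGS = [
    {"package": "libwidget", "version": "1.2.0", "cve": "CVE-0000-0001", "cvss": 6.1},
    {"package": "parser", "version": "0.9.3", "cve": "CVE-0000-0003", "cvss": 9.8},
    {"package": "logfmt", "version": "2.0.0", "cve": "CVE-0000-0004", "cvss": 4.3},
]


def load_kev_ids(kev_json):
    """Map cveID -> catalog entry for every item in the KEV feed."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def gate(findings, kev_json, cvss_threshold=7.0):
    """Return (passed, blocking), where blocking lists findings that fail policy.

    Policy: a KEV-listed CVE blocks regardless of score, because it is known to be
    exploited in the wild; any other finding blocks only at or above the threshold.
    """
    kev = load_kev_ids(kev_json)
    blocking = []
    for f in findings:
        if f["cve"] in kev:
            blocking.append({**f, "reason": "in CISA KEV", "due": kev[f["cve"]]["dueDate"]})
        elif f["cvss"] >= cvss_threshold:
            blocking.append({**f, "reason": f"CVSS {f['cvss']} >= {cvss_threshold}"})
    return (not blocking, blocking)


if __name__ == "__main__":
    passed, blocking = gate(SCAN_FINDINGS, KEV_JSON)
    for b in blocking:
        print(f"BLOCK {b['package']} {b['version']} {b['cve']}: {b['reason']}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```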
BUILD A CULTURE OF TRANSPARENCY
Observability, automation and modern technologies can unshackle government agencies from manual, time-consuming and risky software development processes. But the human factor in DevOps — specifically communication and transparency — is equally important.
One of the key tenets of DevOps is bridging the gap between development and production. Embracing shift left becomes much easier if appropriate team members are engaged early and often. Indeed, by prioritizing communication and transparency across the life cycle, DevOps leaders can ensure that team members understand how to test software and what vulnerabilities to look for.
Ultimately, by shifting left, technology teams can improve application performance, reduce vulnerabilities, protect citizen data and win the security battle.
Scott Pross is vice president of technology at Monalytic, a SolarWinds company.