
4 Ways Agencies Can Shift Left to Tackle Cybersecurity

By "shifting left," or moving testing as early in the app development process as possible, state and local cybersecurity teams can identify vulnerabilities and fix them before they become problems.

State and local governments are under siege from cyber attacks that disrupt services and compromise public data. According to the FBI, ransomware remains a top threat, and the most common ways it gets in are phishing, remote desktop protocol exploitation and the exploitation of software vulnerabilities.

As malware deployment and targeted tactics evolve, the FBI warns these attacks will continue, further endangering public health and safety and resulting in significant financial liabilities.

The imperative to secure state and local IT infrastructure illustrates the ongoing struggle technology teams are under to quickly develop high-performing, highly secure software and applications.

One approach CIOs, CISOs and chief privacy officers can embrace is "shifting left." A shift left moves software testing as early in the development process as possible. It lets agencies, and specifically their DevOps teams, find security vulnerabilities, bugs and errors while they are still cheap to fix. The result is high-performing, more secure software, continuity of service delivery and higher public trust.

Here are four steps DevOps teams can take to successfully embrace the concept of shift left.

DEFINE THE SECURITY STRATEGY

Shifting left starts with a strategy: a written set of principles for how software is delivered and how it is secured.

DevOps leaders must assign team responsibilities, formalize and implement processes that maximize security, decide which kinds of tests they will run and how often, and establish metrics for success. Teams should also identify and prepare for known, actively exploited vulnerabilities in the components they use. The Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) Catalog is a good source; it lists only flaws with confirmed exploitation in the wild and gives each one a remediation due date.

Security needs to be a core competency for every organization and process, which is why a recognized standard covering people, infrastructure and software development, such as NIST's Secure Software Development Framework (SP 800-218), is a practical starting point. Align on a strategy that helps your organization create a more secure environment and build systems around transparency and maximum visibility.

UNDERSTAND THE DEVELOPMENT PIPELINE AND DEPLOYMENT PROCESS

As government organizations shift left, they must understand the many tools and processes involved in building and releasing software. Only then can they put testing into the build pipeline, check code validity at each stage and decide where a failed check should stop a release.

One capability that helps DevOps teams map and understand the technology in their pipelines is observability.

Observability gives a single view across applications, databases and infrastructure, however distributed, built from the logs, metrics and traces those systems emit. It is key to understanding application performance, user experience and the dependencies between components. Some observability tools add live code profiling that can surface error-prone code paths, performance bottlenecks and suspicious behavior in pre-production environments before a release reaches production. Observability describes what code does when it runs, so it complements rather than replaces the pre-deployment checks a shift left depends on: static analysis, dependency scanning and secret scanning in the build pipeline.

IMPLEMENT SECURITY AUTOMATION

Automation is a powerful tool for streamlining software testing, for two reasons. First, manual testing is slow and error-prone. Second, shifting left means testing as early and as often as possible, which quickly overloads any team that tests by hand.

Tools that run tests automatically on every commit or build alleviate this problem. Besides reducing the pressure on DevOps teams, automation gives faster discovery of, and feedback on, vulnerabilities in the code. Automating checks during the development cycle shortens delivery times while leaving fewer security issues to be found after release.
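The two practices above, preparing for the vulnerabilities in CISA's KEV Catalog and automating checks in the pipeline, meet in a build gate. The following is an added example of such a gate, not code from the article or from SolarWinds or Monalytic. The KEV field names (`cveID`, `knownRansomwareCampaignUse`, `dueDate`) match the public JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the KEV excerpt, the scanner output format and every CVE ID below are constructed for the example and do not refer to real vulnerabilities. The gate fails the build on any KEV match regardless of scanner severity, and otherwise on findings at or above a severity threshold.

```python
"""Pipeline gate: fail the build when dependency-scan findings match CISA's KEV
catalog or exceed a severity threshold. Added example; field names for the KEV
feed are real, all CVE IDs and the scanner format are constructed/fictional."""
import json
import re
import sys
from dataclasses import dataclass

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed KEV excerpt in the shape of the public feed; IDs are fictional placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "example",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-00001", "vendorProject": "ExampleCo", "product": "libexample",
         "knownRansomwareCampaignUse": "Unknown", "dueDate": "2023-02-01"},
        {"cveID": "CVE-2023-00004", "vendorProject": "ExampleCo", "product": "utilz",
         "knownRansomwareCampaignUse": "Known", "dueDate": "2023-03-01"},
        {"cveID": "CVE-BAD", "vendorProject": "Malformed", "product": "n/a",
         "knownRansomwareCampaignUse": "Unknown", "dueDate": "2023-03-01"},
    ],
})

# Constructed dependency-scan output (assumed format; real scanners emit SARIF or their own JSON).
SAMPLE_SCAN_JSON = json.dumps({"findings": [
    {"package": "libexample", "version": "1.2.3", "id": "CVE-2023-00001", "severity": "medium"},
    {"package": "jsonlib", "version": "4.0.0", "id": "CVE-2023-00002", "severity": "HIGH"},
    {"package": "utilz", "version": "0.9.0", "id": "CVE-2023-00003", "severity": "low"},
    {"package": "utilz", "version": "0.9.0", "id": "cve-2023-00004", "severity": "low"},
]})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str
    severity: str


def load_kev(text: str) -> dict[str, dict]:
    """Index the KEV feed by CVE ID; entries with malformed IDs are dropped, not trusted."""
    kev = {}
    for entry in json.loads(text)["vulnerabilities"]:
        cve = entry.get("cveID", "").strip().upper()
        if CVE_RE.match(cve):
            kev[cve] = entry
    return kev


def parse_findings(text: str) -> list[Finding]:
    """Normalise scanner output: upper-case IDs and severities so matching is exact."""
    out = []
    for f in json.loads(text)["findings"]:
        cve = f["id"].strip().upper()
        if not CVE_RE.match(cve):
            continue  # non-CVE advisories (GHSA-..., vendor IDs) can never match KEV
        sev = f.get("severity", "UNKNOWN").upper()
        out.append(Finding(f["package"], f["version"], cve,
                           sev if sev in SEVERITY_RANK else "UNKNOWN"))
    return out


def evaluate(findings, kev, fail_on: str = "HIGH") -> tuple[bool, list[str]]:
    """Return (passed, reasons). A KEV match fails the build whatever the scanner's
    severity: exploitation in the wild is a stronger urgency signal than a CVSS band."""
    reasons = []
    threshold = SEVERITY_RANK[fail_on.upper()]
    for f in findings:
        if f.cve in kev:
            entry = kev[f.cve]
            tag = " (used in ransomware campaigns)" if entry.get("knownRansomwareCampaignUse") == "Known" else ""
            reasons.append(f"KEV: {f.package} {f.version} {f.cve} due {entry.get('dueDate')}{tag}")
        elif SEVERITY_RANK[f.severity] >= threshold:
            reasons.append(f"SEVERITY {f.severity}: {f.package} {f.version} {f.cve}")
    return (not reasons, reasons)


def gate(scan_text: str, kev_text: str, fail_on: str = "HIGH") -> tuple[bool, list[str]]:
    """Convenience wrapper: parse both inputs and evaluate them."""
    return evaluate(parse_findings(scan_text), load_kev(kev_text), fail_on)


if __name__ == "__main__":
    # In CI, replace the samples with the scanner's report file and a cached copy of the KEV feed.
    passed, reasons = gate(SAMPLE_SCAN_JSON, SAMPLE_KEV_JSON)
    for r in reasons:
        print("FAIL", r)
    print("gate:", "pass" if passed else "fail")
    sys.exit(0 if passed else 1)
```

Two details matter in practice. IDs are normalized before comparison, because scanners differ in casing and whitespace and a missed match here is a silently shipped known-exploited flaw. And raising the severity threshold never silences a KEV hit, so a team that tunes the gate to "critical only" still blocks the vulnerabilities attackers are actually using.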

BUILD A CULTURE OF TRANSPARENCY

Observability, automation and modern tooling can free government agencies from manual, time-consuming and risky software development processes. But the human factor in DevOps, specifically communication and transparency, is equally important.

One of the key tenets of DevOps is bridging the gap between development and operations. Embracing shift left becomes much easier if the right team members, including security, are engaged early and often. By prioritizing communication and transparency across the life cycle, DevOps leaders can ensure that team members understand how to test software, what vulnerabilities to look for and what a failed check means for a release.

Ultimately, by shifting left technology teams can improve application performance, reduce vulnerabilities, protect citizen data and win the security battle.

Scott Pross is vice president of technology at Monalytic, a SolarWinds company.