Secrets of 'shift left' success

The shift left movement is about bringing security into the software development cycle earlier through DevSecOps and other changes, yielding more secure software more quickly and at lower costs.

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

When Delphix moved from selling only packaged software to also developing new Software-as-a-Service solutions, it found something lacking in the DevOps principles it had been following for years.

Company leaders noticed the absence of security and thought it, too, should be included in processes alongside development and operations.

So, as it moved into SaaS products about a year ago, the company decided to incorporate the security function into the development cycle and to embed it within the earliest stages.

“That changes how we build and deploy our software,” says Delphix CTO Eric Schrock. “When someone now wants to change code, there have been changes to how we review it and how we assess it for its security.”

Delphix is following the shift left movement, which advocates for bringing both security considerations and security expertise into the software development process earlier rather than leaving it to the final stages as had been the common practice for decades.

To make that work, Delphix is implementing DevSecOps, building on its DevOps practice by hiring new security professionals to work with its existing SaaS team and adding security tools and automation into the early development phases.

Rise of a movement

Both software vendors and enterprise IT departments have made security a priority. Consider, for instance, that Gartner Inc. is predicting that enterprise security spending will total $96.3 billion in 2018, up 8 percent from the 2017 figure – a rise it attributes to a growing awareness of emerging threats as well as increased regulation and the evolution of digital business.

Yet in many places cybersecurity remains a standalone function, where security concerns are considered as the last step in a software development or implementation project and where security measures are “bolted on” once all the other development work has been done.

The shift left movement is a reaction to that. Depicting software development as a linear process, the movement professes the belief that putting security on the left side of that line (i.e., earlier in the development cycle) produces a more secure product at a lower cost.

To continue reading this article register now

SUBSCRIBE! Get the best of CSO delivered to your email inbox.