Chapter 2. Shifting Security Left

As modern software architecture and the software supply chain have become more sophisticated, security threats have also continued to evolve. High-profile attacks have shown that vulnerabilities can appear at any point in the software development lifecycle (SDLC). In 2020, threat actors gained access to the build system at a software company called SolarWinds, maliciously modifying software updates that were then distributed to customers. The same year, attackers compromised the upload script of a code-scanning tool called Codecov, giving them access to environment variables on customer machines. Attacks like these, which use a company’s supply chain itself to distribute malware, give threat actors access to infrastructure that belongs to the company’s customers. Detecting attacks after the fact is no longer a practical solution. Only by integrating security throughout the SDLC can organizations protect themselves and their customers.

DevSecOps: Shifting Security Left

Traditionally, security and other tests were relegated to the end of the software development process, after the design and build phases. Security was tested only at that final stage, and the results determined whether the software was fit to ship. Shifting security left means embedding security by design throughout the entire SDLC, so that checks run as early as a change enters the pipeline rather than once at the end.
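One concrete form of a left-shifted control, added here as an illustration and not taken from the book: a pipeline step that refuses to execute a third-party helper script (the kind of uploader the Codecov incident above involved) unless its SHA-256 digest matches a value the team pinned when it reviewed that version. The file names, the `tool.sh` content and the helper function names are constructed for the example; the pinned digest is computed from the reviewed copy rather than hard-coded, and a tampered copy is shown failing the gate.

```bash
#!/bin/sh
# Added example (not from the book): integrity gate for a downloaded helper
# script, placed at the start of a CI job instead of trusting the download.

# compute_sha256 FILE -> prints the hex SHA-256 digest of FILE.
# Uses sha256sum (GNU coreutils) or shasum (macOS/BSD), whichever exists.
compute_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE's digest equals EXPECTED_SHA256, 1 otherwise.
verify_script() {
  file="$1"
  expected="$2"
  actual=$(compute_sha256 "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "integrity check failed for $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE with sh only after verify_script accepts it.
run_verified() {
  verify_script "$1" "$2" || return 1
  sh "$1"
}

# demo: constructed scenario. A reviewed copy of tool.sh is pinned; an
# altered copy must be rejected. Returns 0 when both outcomes are as expected.
demo() {
  workdir=$(mktemp -d)
  printf 'echo "upload step running"\n' > "$workdir/tool.sh"
  pin=$(compute_sha256 "$workdir/tool.sh")   # digest recorded at review time

  run_verified "$workdir/tool.sh" "$pin" || return 1   # unmodified: runs

  printf 'echo "extra line added after review"\n' >> "$workdir/tool.sh"
  if run_verified "$workdir/tool.sh" "$pin" 2>/dev/null; then
    return 1                                          # tampered copy must fail
  fi
  rm -rf "$workdir"
  return 0
}

if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  demo && echo "gate behaved as expected"
fi
```

The pinned digest belongs in version control alongside the pipeline definition, so that a change to the tool requires a reviewed change to the pin; a signature check on the published artifact can replace or supplement the digest where the vendor provides one.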

In traditional waterfall development, software follows a linear path from design to deployment. By contrast, the continuous integration and deployment ...
