This series, and my blog, have moved! Check it out!
In all of the talks and articles I have ever written and all the advice I have ever given, I am always telling people they should “push left”. When security people say they want to “shift left”, they are referring to the left side of the System Development Life Cycle (SDLC), which is the way software engineers describe the methodology or process for making software. I say “push” because sometimes I am not invited to “shift”.
If you look at the image below, the further “left” you look, the earlier you are in the process. When we say we want to “push left”, we mean we want to start security at the very beginning and perform security in every step of the SDLC.
You might be reading this and thinking “Of course! Doesn’t everyone do that? It’s so obvious.” But from what I’ve seen in industry, I have to tell you, it’s not obvious. And it’s definitely not what software developers are being taught in school.
Top comments (5)
Would also add "time" as a reason why AppSec is hard. Devs are given X time to dev/test their work and then check-in. Writing code securely will initially take additional time and Product Management often isn't always willing to allow that extra time.
I agree, absolutely!
Educating the C-level stakeholders should be a starting point, as they are the ones that enforce that security is a priority. Devs and managers will always work towards visible goals that they can demonstrate to stakeholders. Stakeholders need to be asking “is this secure?”
100%!
Just stumbled on this series & very excited to read it! Added it to my Trello board of my personal learning curriculum.
Thanks!