Shifting Left to win the cybersecurity battle


In today’s hyper-connected world, the key challenge for technology teams isn’t just building state-of-the-art digital systems; it’s also keeping them secure. With each new technology that’s adopted, the attack surface expands, making cybersecurity one of the biggest risk-management concerns today. In fact, a recent study by IBM revealed that the Asia-Pacific region retained the top spot as the most attacked region in the world, and the losses arising from these cyber-attacks are significant. Globally, the average cost of a data breach is $4.45 million, up 15% over the past three years.

A fundamental reason why cyber risk has increased is because businesses aren’t proactively finding and fixing vulnerabilities. According to SANS Institute, only 9% of organisations say they detected incidents before an external notification via proactive threat hunting. With each line of new code, each update released, and every new integration, the potential for vulnerabilities grows. Traditional vulnerability management, while valuable, is reactive. By shifting left, businesses take a proactive stance as vulnerabilities are continuously addressed during the software development lifecycle, ensuring that the code itself is secure by design. 

A shift-left mindset
Shifting left requires a change in the developer mindset, because teams have to take ownership of finding and fixing vulnerabilities while code is being written. The key challenges to embracing this methodology for many developers are a) getting out of the habit of throwing their code over the fence to security and DevOps teams to figure out the vulnerabilities, and b) a lack of built-in tools that help developers identify security threats as they code. Often, developers have to wait for an external party to tell them that there’s a problem and what needs to be fixed.


Considering security later in the development process is a common mistake to make, but ultimately, security is a recurring process that needs to be part of the entire development lifecycle, starting with the first lines of code. Continuous vulnerability management aligns more closely with the rhythm of software development, offering real-time, iterative, and proactive measures. 

Embracing a DevSecOps culture
Traditionally, engineers are tasked with software development while security teams are entrusted with finding and fixing vulnerabilities. Because the priority for engineers is time-to-market, security often takes a back seat. With a shift-left strategy, businesses can embrace a DevSecOps culture in which security practices are built into the entire software development lifecycle. Through automation and the simulation of threats and incidents, teams will be better equipped to handle security incidents when they do occur. According to IBM’s Cost of a Data Breach Report, organisations that use security AI and automation extensively save an average of USD 1.76 million compared to organisations that don’t.

A great way of doing this is adopting technology that integrates continuous vulnerability management into an observability solution. The primary function of observability platforms is to provide a proactive approach to troubleshooting and optimising software, so engineers can see not only that an incident has occurred, but dig down to discover why it has occurred. When integrated with vulnerability management, observability automates the process of proactively identifying potential security vulnerabilities in software applications and helps organisations understand the context of the vulnerability. In the fast-paced world of software development, where multiple deployments occur daily, vulnerability management ensures that security measures align seamlessly with the development process, which allows businesses to maintain an advantage.


Prioritising secure code
Developing a strong security mindset at every stage of the software development lifecycle is key. When software is secure by design, it is harder for cyber adversaries to perpetrate attacks, and that difficulty establishes a greater level of deterrence.

Shifting left also ensures that organisations can prioritise their resources effectively, focusing on the most pressing vulnerabilities first and ensuring that the code running in production is secure. Continuously assessing vulnerabilities during the software development process means risks are identified almost as soon as they appear, so software changes don't introduce unnoticed risks, and the risk of costly security breaches is minimised.
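As an added illustration of the two ideas above (continuous, proactive assessment as part of the development lifecycle, and prioritising the most pressing vulnerabilities first), here is a small policy gate of the kind a team can run in a pre-merge pipeline. It is example code written for this page, not code from the article, its author or New Relic. The JSON report shape, the rule identifiers and the `reachable` flag are all constructed assumptions standing in for whatever a real scanner emits; a real gate would parse that scanner's own output format instead.

```python
"""Shift-left policy gate: parse a scan report, rank findings, fail the build on
blocking ones. Everything below is a constructed example, not a real tool's format."""
import json
from dataclasses import dataclass

# Ordinal ranking so thresholds can be compared numerically.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    reachable: bool = True  # hypothetical runtime-context flag: is the code path exercised?


# Constructed scanner output (hypothetical JSON shape; rule ids are placeholders).
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule_id": "SQLI-001", "severity": "critical", "path": "app/orders.py", "line": 42, "reachable": True},
    {"rule_id": "DEP-CVE-PLACEHOLDER", "severity": "high", "path": "requirements.txt", "line": 7, "reachable": False},
    {"rule_id": "HARDCODED-SECRET", "severity": "high", "path": "app/config.py", "line": 3, "reachable": True},
    {"rule_id": "WEAK-HASH", "severity": "medium", "path": "app/auth.py", "line": 18, "reachable": True},
    {"rule_id": "LINT-STYLE", "severity": "low", "path": "app/util.py", "line": 1, "reachable": True},
]})


def parse_report(text: str) -> list[Finding]:
    """Turn the (constructed) JSON report into Finding objects, rejecting unknown severities
    so a scanner change cannot silently downgrade findings to 'ignored'."""
    data = json.loads(text)
    findings = []
    for raw in data.get("findings", []):
        sev = str(raw["severity"]).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for rule {raw.get('rule_id')!r}")
        findings.append(Finding(raw["rule_id"], sev, raw["path"], int(raw["line"]),
                                bool(raw.get("reachable", True))))
    return findings


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Most pressing first: highest severity, then reachable code before unreachable,
    then a stable path/line order so two runs produce the same list."""
    return sorted(findings,
                  key=lambda f: (-SEVERITY_RANK[f.severity], not f.reachable, f.path, f.line))


def gate(findings: list[Finding], fail_on: str = "high",
         block_unreachable: bool = False) -> tuple[bool, list[Finding]]:
    """Return (passed, blocking_findings). A finding blocks the build when its severity
    is at or above `fail_on` and it is reachable (or block_unreachable is set).
    Unreachable findings are still reported; they are just not build-breaking by default."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in prioritise(findings)
                if SEVERITY_RANK[f.severity] >= threshold and (f.reachable or block_unreachable)]
    return len(blocking) == 0, blocking


def main(report_text: str = SAMPLE_REPORT) -> int:
    """Exit code 0 on pass, 1 on fail, so CI can use it directly as a pipeline step."""
    findings = parse_report(report_text)
    passed, blocking = gate(findings)
    for f in prioritise(findings):
        flag = "BLOCK" if f in blocking else "info "
        print(f"{flag} {f.severity:<8} {f.rule_id:<22} {f.path}:{f.line}"
              f"{'' if f.reachable else ' (not reachable)'}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as a pipeline step and the non-zero exit stops the merge before the change reaches production, which is the shift-left point: the finding is raised while the author still has the change in front of them. The threshold and the reachability rule are deliberately explicit parameters, because a gate that cannot be reasoned about is the first thing a team under delivery pressure switches off.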

(The author Rob Newell is vice president, customer adoption, Asia Pacific and Japan, New Relic)

Rob Newell