ShiftLeft Brings Security Workflows to DevOps Processes
ShiftLeft has updated its NextGen Static Analysis (NG SAST) tool to include workflows that are purpose-built for developers.
Company CEO Manish Gupta said the security workflows are designed to make it easier for DevOps teams to incorporate them within their application development and deployment processes. In fact, a survey of more than 165 developers, application security and DevOps professionals conducted by ShiftLeft finds 89% of respondents said the current disconnect between developers and cybersecurity teams is the biggest inhibitor of productivity.
The issue with rival static analysis tools is they were not designed from the ground up to incorporated into a DevOps process, said Gupta. As a result, he noted, security workflows are managed around application development processes rather than being incorporated within them.
The survey finds that most IT teams are performing security scans too late in the software development life cycle (90%) and when they do discover an issue they often lack any remediation guidance (88%).
Most existing cybersecurity processes can’t keep pace with the rate at which applications are being deployed. The survey finds nearly 70% of software development organizations are releasing multiple times per month or more, with 18% releasing at least daily.
Gupta said NG SAST overcomes that issue by automating code analysis during every pull/merge request. That approach enables developers to address security issues much the same way they do any other bug. Rather than having to wait on a report from an application security team, developers can remediate a security issue from within their development environment log before it ever shows up in a report, he said.
Productivity and application quality improves because vulnerabilities get fixed faster while the code at issues is still uppermost in the mind of the developer, Gupta said.
DevOps teams can also create build rules that accept or deny merges based on how many security vulnerabilities there are, he added. That capability prevents security flaws from become too deeply embedded within the build process before they can be more easily remediated.
Gupta said security scans are also run locally where applications are deployed, which means source code never has to leave the organization. That approach also eliminates the need for network and firewall architecture updates to access an external scanning service. It also reduces bottlenecks inside organizations that might need to do as many as 20 scans per hour, he noted.
Overall, Gupta said it’s not uncommon to see developer productivity increase by a factor of 40 because ShiftLeft NG SAST enables scans to be run instantly. The days when developers took a coffee break while waiting for a security scan to run are now over, he said.
Of course, the level of productivity gain for development teams that might be gained by embedding static analysis within the application development process will vary widely. However, given the fact that developers outnumber cybersecurity professionals by several orders of magnitude, it’s also readily apparent dedicated application security teams can’t keep up. Unless organizations give developers the security tools they need, any ambitions an organization may have about implementing best DevSecOps processes will remain largely a pipe dream.
By Mike Vizard