Be proactive! Move security validation to the left


The “shift (security) left” approach to the Software Development Life Cycle (SDLC) means that you start with security earlier in the process. When organizations realized that software never works out perfectly and is full of exploitable holes, bugs, and business-logic vulnerabilities that need fixing and patching, they understood that building secure software requires incorporating and consolidating countless resources.

This conclusion prompted DevOps and R&D leaders to become proactive and purchase technology to find and close these gaps ahead of time, with the goal of reducing cost and effort while improving the quality of their results.

With emerging comprehensive continuous security validation technology, the proven benefits of shifting left as a fundamental part of the SDLC can now be applied to your cybersecurity program, with results that far exceed the purely technical aspects of security posture management.

At the development level, the concept of the SDLC is the result of numerous schools of thought converging to optimize the process. From a cybersecurity perspective, the same convergence of ideas led to the concept of rolling out a continuous security assurance program on the basis of Extended Security Posture Management (XSPM) technology.

The Security Posture Management Lifecycle

Like the SDLC, XSPM was born out of the need to consider the entire security posture management lifecycle, including validation from an offensive perspective. Since the term ‘shifting left’ was coined, a plethora of detection and response solutions have emerged that can be integrated into the CI/CD process. But even if a perfectly integrated and optimized advanced detection and response tool stack is assumed, it will still suffer from a structural flaw: detect and respond is a reactive approach that leaves the initiative in the hands of the attacker and assumes the ability to detect every attack.

In reality, the increasingly dynamic nature of the cyber threat landscape and the asymmetric nature of cyber defense – an attacker only needs to succeed once, while defenders must block every single attack – mean that focusing solely on the reactive detection and response approach is similar to fighting the last war. It’s time to make a further shift to the left by integrating a proactive continuous security validation process.

XSPM encompasses all elements of continuous security validation and organizes them into a four-stage lifecycle: assess, optimize, rationalize, assure.

The ‘Assess’ step consists of launching a wide range of attacks that cover the attack kill chain from start to finish. The ‘Optimize’ step identifies misconfigured security controls, allowing them to be tuned to compensate for often unpatched CVEs and reduce the IT team’s patch workload. The ‘Rationalize’ step evaluates the effectiveness of the detection and response tool stack, provides detailed information to improve its configuration, and identifies overlapping tools and missing capabilities. The final step, ‘Assure’, involves a dynamic analysis process that can be customized as needed and used to visualize security trends over time.

Productivity over security, let’s make security productive

The optimization of cybersecurity programs, enabled by the XSPM framework and technology, makes better use of the funds and resources invested in cybersecurity. Reducing overlap, shortening the patch window, prioritizing workload, setting KPIs, and other benefits come directly from integrating security early rather than afterwards.

To achieve this combined optimization of resource allocation and security posture, security and risk management leaders must first establish a recognizable, validated baseline. With data coming solely from a detection and response array, the reality is a non-optimized sequential process that pushes the proactive security validation step to the back of the queue and leaves DevOps and SOC teams thwarted and locked in. Misaligned goals between teams lead to a chaotic flow of conflicting information that hinders decision-making, slows operations, and can result in unsecured deployments.

Combining the two for secure software – the benefits of baking XSPM in SDLC

When security testing doesn’t begin until the end of the SDLC, deployment delays caused by the discovery of critical security gaps create rifts between DevOps and SOC teams. Security is often pushed to the back of the line, and there isn’t much collaboration when introducing a new tool or method, such as occasionally launching simulated attacks against the CI/CD pipeline.

Conversely, once a comprehensive, continuous security validation approach is baked into the SDLC, daily emulations of attack techniques via the automation built into XSPM technology can identify misconfigurations early in the process, encouraging close collaboration between DevSecOps and DevOps. With collaboration built into both the security and software development lifecycles, and an immediate understanding of the security implications of each change, aligning the goals of both teams eliminates the conflicts and friction that previously arose from internal politics.

Creating Exponential Results

By shifting to the extreme left with comprehensive continuous security validation, you can begin to map and understand the investments made in various detection and response technologies, act on the findings to prevent attack techniques throughout the kill chain, and derive the real functional requirements needed for protection.

The process equips IT teams with everything they need to identify opportunities to strengthen and stabilize security management from the outset, avoiding costly implementation delays and minimizing the risk of successful breach attempts, while SOC teams obtain accurate data on which to build a threat-informed strategy.

How will you be proactive about your company’s security posture today?

Remark – This article was written and contributed by Ben Zilberman – Product Marketing Director at Cymulate