stories from the edge of modern engineering

Or what does shifting security to the left mean

These days I am using my free time educating myself about cybersecurity and focusing on the Dev**Sec**Ops practices (boldly on the Sec part of it, no pun intended, lol).

As part of the process, I am reviewing the NIST and OWASP frameworks. One updated area of focus in the OWASP Top 10 from 2017 to 2021 is Insecure Design.

What is insecure design?

Insecure design is a flaw that can subtly affect many aspects of your work. This vulnerability is tied to how you design programs, architect solutions, and apply security practices like threat modeling. Insecure design can manifest in numerous ways. Ignoring these considerations can result in flaws that jeopardize your organization’s security, such as compromising sensitive data or granting privileges that can be misused. Ranked #4 on the OWASP Top 10, this is definitely an area to address in your daily development tasks.

This is an example of insecure design (derived from the OWASP document):

Scenario #1: A credential recovery workflow might include “questions and answers,” which is prohibited by NIST 800-63b, the OWASP ASVS, and the OWASP Top 10. Questions and answers cannot be trusted as evidence of identity as more than one person can know the answers, which is why they are prohibited. Such code should be removed and replaced with a more secure design.
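One way to replace the question-and-answer check from Scenario #1, shown as an added example (not code from this post or from OWASP): a single-use, time-limited reset token delivered out of band. The token approach, the 15-minute lifetime and the names `kba_recover` and `RecoveryService` are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not a value from the page


def kba_recover(stored_answer, supplied_answer):
    """Scenario #1 design: anyone who knows the answer passes."""
    return stored_answer.strip().lower() == supplied_answer.strip().lower()


class RecoveryService:
    """Hypothetical in-memory reset-token store (a real one uses a database)."""

    def __init__(self, known_emails, clock=time.time):
        self.known = set(known_emails)
        self.pending = {}  # sha256(token) -> (email, expiry); raw token never stored
        self.clock = clock
        self.outbox = []  # stands in for the mail channel: (email, token)

    def request_reset(self, email):
        if email in self.known:
            # A new request revokes any token still outstanding for this account.
            self.pending = {d: v for d, v in self.pending.items() if v[0] != email}
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        # Identical reply either way, so the endpoint does not reveal who has an account.
        return "If the account exists, a reset link has been sent."

    def redeem(self, token):
        """Return the account email for a valid token, else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop: a token works at most once
        if entry is None:
            return None
        email, expiry = entry
        return email if self.clock() <= expiry else None
```

Proof of identity here rests on control of the registered mailbox for a short window, not on a fact that other people may also know.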


Shifting Security Left: One way of addressing insecure design


Understanding the Shift Left Security Paradigm

The traditional approach to cybersecurity often involved addressing security issues towards the end of the development process. However, this method has proven to be inefficient and costly, as vulnerabilities detected late in the cycle require significant resources to resolve. Shifting security to the left involves incorporating security measures and testing right from the planning and design phases. This means that developers are equipped with the necessary tools and knowledge to anticipate and mitigate security risks as they build software, rather than retrofitting security after development.

The Role of DevSecOps in Shifting Security Left

DevSecOps plays a pivotal role in the shift left security strategy. By integrating security practices within the DevOps framework, DevSecOps fosters a culture of collaboration and shared responsibility for security among development, operations, and security teams. This approach ensures that security is not an afterthought but a fundamental part of the development process. Through automated security testing, continuous integration and delivery pipelines, and real-time monitoring, DevSecOps enables organizations to detect and address vulnerabilities swiftly and efficiently.

Conclusion

Shifting security to the left is a transformative strategy that redefines how organizations approach cybersecurity. By embedding security practices early in the development lifecycle and fostering a culture of collaboration through DevSecOps, organizations can significantly enhance their security posture. Also, by building security measures in by design, we can address security flaws early on and avoid costly practices towards the end.
