“Moving Left” vs DevSecOps

Many CISOs and Heads of Security say that they’d like to “move left” in the cyber security process. While this is a sign of a healthy culture around cybersecurity in an organization, the road to hell is paved with good intentions.

Let’s see why.

Common Pitfalls

“Moving left” refers to a traditional security team involving itself earlier in the development process in order to drive security. In theory, this improves security by identifying and resolving vulnerabilities before the code is released.

However, “moving left” generates a culture clash between the cyber security experts, eagerly documenting vulnerabilities left, right, and centre, and the agile developers under pressure to deliver the features on their sprint.

We’ve seen examples where well-meaning security teams have flagged thousands of vulnerabilities (the record at the time of writing is over 9000!) to a bemused dev team that collectively shrugged and carried on with their day.

Dev teams accuse security teams of “not getting it”, while security teams counter that devs don’t care about the “less cool” work of locking things down, and point to the serious consequences of a breach.

At its worst, this silos the security team as an expensive afterthought (and nobody wants to be that in any business climate!), relegated to fixing problems and largely ignored until there’s a major breach.

This makes “moving left” virtually impossible in organisations where products, systems, and architectures have already been developed and where security is considered to belong post-launch in production.

How to do it right!

If Security Consultants see the visible light of the security world (with the very best able to work deep into the blue end of the spectrum), what we need is a special kind of animal that can work in the ultraviolet.

Introducing the DevSecOps “Security Engineer”: this rare beast doesn’t just work in the ultraviolet world of development, they thrive there. They often have development experience, so they can speak the same language as the engineering leads, but they never forget the “Sec” in DevSecOps. Believe us when we say this is an extremely specialist role to recruit, the snow leopard of the security world.

By putting the Security into DevOps you don’t “move left”, you start there. The security team and the developers engineer security together right from the get-go, which has obvious benefits downstream at release and reduces the burden in the long run: work doesn’t need to be redone when a pen test exposes a vulnerability.

The Chaleit Approach

We often joke “We don’t do pen tests”. But pen testing is very much a tool in our toolbox. What we mean is that we’ve moved away from the “old-fashioned” approach of a one-off engagement where pen testers dump a 50-page PDF report, send an invoice, and wave goodbye, and we’re proposing a new approach.

What we do is Cyber Digital Protection. This includes pen tests, but more importantly, active and ongoing support to identify and triage problems and then engage to fix the vulnerabilities. In a word: partnership. That’s our offering in the visible light of cybersecurity. By working as partners, we operate as far left as we believe is sensible for traditional security teams.

When we have clients that want to bake in security, we bring in our dedicated DevSecOps Security Engineers. Rather than shifting left and working in the visible light, we begin way out in the ultraviolet where we collaborate with the developers and reduce the burden on Cyber Digital Protection.

DevSecOps is a welcome addition to the security spectrum for those that are able to integrate properly with dev teams. Instead of “moving left”, we work together from the beginning as an extension of your team. Then we can truly make security shine – without stealing the spotlight from anyone.

Let’s keep the conversation going. Book a meeting now!
