A Practical Approach for Shifting Left


A practical approach to understanding shift left security and how shifting security left can help teams achieve DevSecOps success. 

As a critical part of DevSecOps, shifting left has become a key aspect of the modern software development process. Traditionally, security was applied at the end of the software development lifecycle (the right side) and treated as an afterthought. As a result, the security checks and tests would often miss flaws in the code, such as vulnerabilities and misconfigurations, while also slowing down the software release process.

Now, to address these issues, CISOs and security leaders are implementing shift left security, enabling DevOps teams to scale faster while detecting and minimizing risks early on. With a shift left approach, security is applied proactively and early in the DevOps cycle, reducing the time and cost of software development and boosting applications’ cyber hygiene, while facilitating CI/CD (continuous integration / continuous deployment).

It requires a holistic approach to security, one that embraces cultural change and fosters collaboration among development, operations and security teams. By shifting left, organizations put security at the forefront of their business strategy and can therefore improve their overall security posture.

Here, we’ll take a practical approach to understanding shift left security and why it’s a game-changer for DevOps.

What is shift left security? 

Over the last decade, the term “shifting left” has grown in popularity, becoming a buzzword in its own right among the DevOps community. But what exactly does it mean?  

Coined by Larry Smith in 2001, shifting left is an “approach used to speed software testing and facilitate development by moving the testing process to an earlier point in the development lifecycle. Shifting left is a reference to moving testing to the left on a timeline,” according to TechTarget. 

The concept of shifting left is all about prevention. It urges DevOps and security teams to be proactive rather than reactive. Shifting left is an agile practice that offers early visibility into development issues, bugs and errors so that they can be addressed and resolved earlier rather than later. 

Traditionally, DevOps teams centered their efforts on agile development, pushing out products and releasing new features to get them to the market faster, but often without taking security into consideration, resulting in release delays, misconfigurations, undetected vulnerabilities and compliance violations. 

However, the concept of shifting left was introduced to combat the issue of “security as an afterthought,” by applying security earlier in the development pipeline rather than at the end. Therefore, with security applied earlier on, DevOps teams can remain agile while simultaneously boosting their organization’s security. 

Shifting left with DevSecOps

Shifting security left starts with DevSecOps. It requires organizations to embrace the DevSecOps culture, creating an environment where development, operations and security teams can thrive and work together to ensure that security remains the top priority. 

Traditionally, development and security teams operated independently of one another, working in silos to achieve business goals. Developers were responsible for writing code while security was responsible for identifying and eliminating vulnerabilities and risks. Consequently, this resulted in a disconnect between DevOps and security. DevOps viewed security as a hindrance to their ability to work at their desired speed, while security viewed DevOps as apathetic and unwilling to adhere to security guidelines and regulations. Therefore, a solution was needed that bridged the gap between DevOps and security, and the concept of DevSecOps was born. 

Now, CISOs and security leaders are implementing a DevSecOps approach in their organizations to ensure that all team members are sharing the responsibility for security. A collaborative culture is key for organizations transitioning into DevSecOps. Additionally, DevSecOps enables security to become an ongoing conversation, helping to establish a strong security culture within the organization. With security now seen as a “shared responsibility” rather than just the onus of the security team, organizations can implement shifting left as a part of their security strategy. By involving DevOps teams in security, teams can ensure that any security concerns are addressed while applications are being developed rather than after they are deployed. 

Best Practices for shifting left 

The hardest part of shifting left is related to culture and collaboration, but there are a few best practices that DevSecOps teams can implement to shift left successfully: 

1. Adopt a test-driven development approach 

Test-driven development is centered on shift left testing in the coding phase. It is focused on improving the quality of the code that developers are writing while creating unit tests. TDD addresses the intent or the “why” behind the code being written. With TDD, the quality of the code is enhanced and tested frequently to ensure that the code being written executes successfully. Developers can write tests for the code that they’re developing while thinking through various scenarios and solutions, helping to prevent bugs and other security issues from being introduced into the code and discovered only in the later stages of the development lifecycle. 

Implementing TDD can help DevOps teams shift left better by enabling them to produce high-quality code at a faster rate and with fewer bugs and vulnerabilities. By adopting a TDD approach, teams receive feedback that lets them identify, eliminate and remediate issues early, therefore boosting the overall quality of the code and helping them focus on continuous integration and delivery.  

2. Embrace test automation 

Test automation is key to supporting DevOps teams working in agile environments. It enables DevOps teams to create a robust testing environment where tests can be run quickly and effectively while providing feedback on security issues, bugs, vulnerabilities and the quality of the code. By embracing test automation, security can be strengthened as it removes the need for “human interaction,” and it ensures that policies are enforced and maintained. Automation enables continuous integration and delivery by implementing automated unit tests into the pipeline. 

As explained in Tenable’s white paper “How to Use Auto-Remediation to Achieve DevSecOps,” automation is key to “reducing the manual workload of any process and is one of the reasons CSPM tools have found success.” For example, CSPM tools enable enterprises to proactively identify and eliminate issues such as misconfigurations and other vulnerabilities by continuously monitoring security risks across the entire lifecycle. They provide unified visibility into cloud workloads to prevent cybercriminals from carrying out attacks. CSPM continuously scans and assesses cloud environments, surfacing potential threats, ensuring adherence to compliance policies and reducing drift. If drift does occur, actions can be taken automatically to remediate it through automation. With that being said, it’s important for DevOps teams to have the right test automation tools in place, such as CSPM and other security tools, to help teams remain agile and reduce time to market. 

3. Find the right security tools 

Security practices, concepts and tools such as automation, security as code and infrastructure as code can be applied when shifting left. These reduce human error and mitigate risk, as security tests and audits are run to make sure that code is secure and that applications are performing as they should. Through automation and by defining security in the code and infrastructure, teams can identify potential flaws and issues that may interrupt their release schedule for different products and features. Not only will this save organizations time and money, but it’ll also boost the organization’s security efforts, leading them to develop a strong security culture.

While shifting left, be sure to provide DevOps teams with the right DevSecOps tools so that they can look for any opportunities for improvement. Tools such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) tools are “developer-friendly” and can help developers write more secure code. With security built directly into the CI/CD pipeline, the quality of applications significantly increases, which can accelerate DevOps. 

Shifting left with DevSecOps is the right approach and provides numerous benefits for the organization. 

Benefits of shifting left 

There’s a wealth of benefits that shifting left offers: 

1. Increased agility 

Perhaps the most significant benefit of shifting left is its ability to increase business agility and efficiency among the development, operations and security teams. By shifting left, vulnerabilities and other security flaws can be detected and remediated early on, reducing issues during the final stages of development and enabling teams to go to market faster. 

2. Reduced costs 

Shifting security left can significantly reduce costs by reducing the number of security issues that are detected after the software has been deployed in production, a stage at which remediation is much costlier and disruptive. The time and money that it takes to remediate those issues in production impacts DevOps teams’ ability to be agile and fast. 

3. Minimize risks 

A shift left approach increases the quality and security hygiene of code, yielding applications that have fewer vulnerabilities, malware, misconfigurations and other flaws. As a result, applications in production are at a lower risk for breaches. 

4. Build a security culture 

Shifting left can help organizations establish a strong security culture. Shifting left provides a wealth of opportunities for DevSecOps teams to put security at the forefront and take a holistic approach to security. This promotes strong collaboration among DevOps and security teams and provides plenty of opportunities for areas of improvement. A strong security culture is key to organizational success and shifting left forces teams to take a more proactive approach to security. 

Learn More 

Read this blog: 3 Ways Security Leaders Can Work With DevOps to Build a Culture of Security 
Download the whitepaper: Using Auto-Remediation To Achieve DevSecOps 
To learn more about our capabilities, visit the Tenable.cs Product Page  


USN-5435-1: Thunderbird vulnerabilities


Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
bypass permission prompts, obtain sensitive information, bypass security
restrictions, cause user confusion, or execute arbitrary code.
(CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913,
CVE-2022-29914, CVE-2022-29916, CVE-2022-29917)

It was discovered that Thunderbird would show the wrong security status
after viewing an attached message that is signed or encrypted. An attacker
could potentially exploit this by tricking the user into trusting the
authenticity of a message. (CVE-2022-1520)

It was discovered that the methods of an Array object could be corrupted
as a result of prototype pollution by sending a message to the parent
process. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could exploit this to execute
JavaScript in a privileged context. (CVE-2022-1529, CVE-2022-1802)


USN-5434-1: Firefox vulnerabilities


It was discovered that the methods of an Array object could be corrupted
as a result of prototype pollution by sending a message to the parent
process. If a user were tricked into opening a specially crafted website,
an attacker could exploit this to execute JavaScript in a privileged
context.


USN-5433-1: Vim vulnerabilities


It was discovered that Vim incorrectly handled parsing of filenames in its
search functionality. If a user were tricked into opening a specially crafted
file, an attacker could crash the application, leading to a denial of
service. (CVE-2021-3973)

It was discovered that Vim incorrectly handled memory when opening and
searching the contents of certain files. If a user were tricked into opening
a specially crafted file, an attacker could crash the application, leading to
a denial of service, or possibly achieve code execution with user privileges.
(CVE-2021-3974)

It was discovered that Vim incorrectly handled memory when opening and editing
certain files. If a user were tricked into opening a specially crafted file,
an attacker could crash the application, leading to a denial of service, or
possibly achieve code execution with user privileges. (CVE-2021-3984,
CVE-2021-4019, CVE-2021-4069)

It was discovered that Vim was using freed memory when dealing with regular
expressions inside a visual selection. If a user were tricked into opening a
specially crafted file, an attacker could crash the application, leading to a
denial of service, or possibly achieve code execution with user privileges.
(CVE-2021-4192)

It was discovered that Vim was incorrectly performing read and write
operations when in visual block mode, going beyond the end of a line and
causing a heap buffer overflow. If a user were tricked into opening a
specially crafted file, an attacker could crash the application, leading to a
denial of service, or possibly achieve code execution with user privileges.
(CVE-2022-0261, CVE-2022-0318)

It was discovered that Vim was using freed memory when dealing with regular
expressions through its old regular expression engine. If a user were tricked
into opening a specially crafted file, an attacker could crash the application,
leading to a denial of service, or possibly achieve code execution with user
privileges. (CVE-2022-1154)


Forging Australian Driver’s Licenses


The New South Wales digital driver’s license has multiple implementation flaws that allow for easy forgeries.

This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.

A 4-digit application PIN (which gets set during the initial onboarding when a user first instals the application) is the encryption password used to protect or encrypt the licence data.

The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations….

[…]

The second design flaw that is favourable for attackers is that the Digital Driver Licence data is never validated against the back-end authority which is the Service NSW API/database.

This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warn users when this data has been modified.

As the Digital Licence is stored on the client’s device, validation should take place to ensure the local copy of the data actually matches the Digital Driver’s Licence data that was originally downloaded from the Service NSW API.

As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.

There’s a lot more in the blog post.
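A back-end validation check of the kind the post says is missing, written here as an added example (it is not code from the post or from Service NSW; the signing key, record fields and values are constructed): the issuer attaches an HMAC-SHA256 tag to each licence record under a key the device never holds, and the API recomputes that tag when the app asks whether its local copy is still the record that was issued. An edited copy, or a forged tag, is refused before it is displayed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: a signing key that lives only on the issuing back end.
# The real Service NSW key material is not public and is not on the page.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample licence record (fictional values).
SAMPLE_RECORD = {
    "licence_number": "00000000",
    "name": "Jane Citizen",
    "date_of_birth": "1990-01-01",
    "class": "C",
    "expiry": "2027-06-30",
}


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the tag covers every field regardless of key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_licence(record: dict, key: bytes = SERVER_KEY) -> dict:
    """Back-end side: attach an HMAC-SHA256 tag before the record is downloaded to the device."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": dict(record), "tag": tag}


def validate_licence(blob: dict, key: bytes = SERVER_KEY) -> bool:
    """Back-end side: the app submits its local copy; the API recomputes the tag and
    compares it in constant time. Any edit to the data, or a forged tag, fails."""
    if not isinstance(blob, dict) or "data" not in blob or "tag" not in blob:
        return False
    expected = hmac.new(key, canonical(blob["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(blob["tag"]))


def display_licence(blob: dict) -> str:
    """App side: refuse to render a local copy the back end will not vouch for.
    In this single-process demo the 'API call' is the local validate_licence()."""
    if not validate_licence(blob):
        return "LICENCE INVALID: local data does not match the issued record"
    d = blob["data"]
    return f"{d['name']} DOB {d['date_of_birth']} class {d['class']} exp {d['expiry']}"


def tamper_demo() -> tuple:
    """Returns (genuine_ok, tampered_ok): a genuine record validates, an edited one does not."""
    genuine = issue_licence(SAMPLE_RECORD)
    tampered = issue_licence(SAMPLE_RECORD)
    tampered["data"]["date_of_birth"] = "2000-01-01"  # edit without the key: tag no longer matches
    return validate_licence(genuine), validate_licence(tampered)


if __name__ == "__main__":
    ok, bad = tamper_demo()
    print("genuine validates:", ok)
    print("tampered validates:", bad)
    print(display_licence(issue_licence(SAMPLE_RECORD)))
```

This addresses the second flaw only. Because the tag is keyed, the app cannot verify it offline; if offline verification is required, a public-key signature (for example Ed25519, with only the public key on the device) gives the same tamper detection without placing a secret on the phone. The first flaw is not fixed by a stronger cipher: with a 4-digit PIN as the sole password there are still only 10,000 candidate keys, so the key needs additional entropy the attacker does not have, such as a secret held in the device's hardware keystore.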


USN-5432-1: libpng vulnerabilities


It was discovered that libpng incorrectly handled memory when parsing
certain PNG files. If a user or automated system were tricked into opening
a specially crafted PNG file, an attacker could use this issue to cause
libpng to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2017-12652)

Zhengxiong Luo discovered that libpng incorrectly handled memory when parsing
certain PNG files. If a user or automated system were tricked into opening
a specially crafted PNG file, an attacker could use this issue to cause
libpng to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2018-14048)


How to stay ahead of the Cybersecurity labor crisis and keep growing your business


This blog was written by an independent guest blogger.

Cybersecurity is a complex task that is never complete. It’s an ongoing proactive practice of securing, monitoring, and mitigating threats. It’s a constant cycle where threats and vulnerabilities are detected, teams investigate and mitigate any issues, then network cybersecurity systems are reinforced to combat the next potential threat. 

Business operations increasingly rely on numerous devices and digital tools to accomplish daily tasks. Laptops, smartphones, desktops, business applications, and software are used to protect sensitive data in an era of remote and hybrid working options. In today’s world, business endpoint security is an absolute requirement to prevent costly breaches. 

There’s no question that cybersecurity should be a number one focus for businesses that want to keep growing. But it’s challenging to improve and scale cybersecurity efforts in an environment that is constantly changing, with new threats and technologies constantly being developed. To make things worse, the cybersecurity labor crisis only intensifies. 

If your organization is struggling to maintain adequate cybersecurity personnel with the necessary knowledge and expertise to protect your organization’s most valuable assets, then look at these tips to help your company stay ahead of the cybersecurity labor crisis and keep growing your business. 

What is the cybersecurity labor crisis?

As the demand for cybersecurity services increases, the number of knowledgeable cybersecurity professionals looking for full-time employment dwindles. The US Bureau of Labor Statistics expects “IT security analyst” to be one of the top 10 fastest growing occupations over the next decade. Cybersecurity accounts for only 13% of the IT market overall, yet the number of cybersecurity job postings is three times greater than for other IT positions. 

2020 marked a significant shift as remote work became a reality in nearly every industry. This has led to increased cybersecurity needs as companies add numerous devices to their networks to accommodate remote workers. The result? Overworked technology professionals and IT teams. 

Despite the number of open cybersecurity positions, companies are having difficulty finding talent to fill in the gaps. Right now, it’s a workers’ game. Without adjusting to the needs of cybersecurity workers, businesses will be left without and could leave their networks vulnerable to damaging cyber-attacks. 

Tips to keep growing your business during the cybersecurity labor crisis

The past few years have pushed cybersecurity professionals to their limits. In one of the most in-demand industries, they experience heavy workloads, long hours, and limited flexibility. It’s no wonder that technology professionals are burning out and seeking work-from-home opportunities like freelancing, consulting, building their own small businesses, or working for competitors with a better offer. 

To overcome the cybersecurity labor shortage, companies must realign their business models to a customer-centric perspective. Instead of making business decisions purely for profits and productivity, companies should also improve their company cultures to enhance their employees’ work experiences. Here are some tips to help you stay ahead of the cybersecurity labor shortage and attract top talent to your organization:

Update your benefits package

Arguably, the first thing businesses should do is update their benefits package. The values of workers have changed since the onset of the pandemic. Cybersecurity professionals now seek flexibility and remote working options that allow them to more efficiently manage their work-life balance. 

Recent surveys reveal the benefits that employees want the most: 

95% want better health care benefits
71% value retirement benefits
50% need family leave benefits
29% expect a more flexible work environment

Businesses should also take a look at their compensation and benefits packages. If your competitors offer the same salary with more time off, better 401(k) options, and six months of paid parental leave, you can guess where valued employees might end up. Adjust the salaries of your cybersecurity professionals to reflect the value they bring to your company and open up your company to a broader talent pool. 

Seek out diverse talent

Job experts say that there are plenty of opportunities to bring new talent to tech positions like cybersecurity. The best way to do that is through diversity. DE&I has been a hot topic for organizations in light of recent social movements calling for equality across people of different experiences, races, and genders. But committing to seeking out diverse talent is more than just the right thing to do. It can also be a smart business move for companies that want to grow during the cybersecurity labor shortage. 

Although gender equality in the workplace has come a long way since the 60s, when women couldn’t even open a bank account, only 25% of cybersecurity professionals are women in 2022. 

Even more shocking, only 3% of cybersecurity professionals are Black. Subconscious bias plays a big part in how recruiters evaluate potential candidates, so companies should work toward more equitable recruiting practices. 

Organizations should also look at the diversity represented across their existing teams. Look for crucial skills in historically underrepresented groups such as minorities and people with disabilities. And provide plenty of opportunities for training, advancement and high-level positions for people with diverse identities. 

Leverage third party monitoring and support

Another great way to continue scaling your business is to leverage technology. There are many different types of software and managed services that help businesses maintain their cybersecurity ecosystem without an in-house IT team or to help fill in talent gaps. Digital tools that utilize automation, machine learning, and AI can help reduce the number of tedious processes that workers have to devote time to so that they can focus on higher-value activities. 

A great example of an application that helps mitigate security risks through intuitive tools and automation is Visualping. This website defacement monitoring tool makes it easy to track visual or code changes, as well as to monitor links and other sensitive elements on your organization’s website. Instead of cybersecurity personnel monitoring changes 24/7, this streamlined application allows teams to get security alerts through text, email, Slack, and more. 

Invest in professional development

While spending money is the last thing that business owners looking to scale want to do, it is often the best way to ensure that you have all the resources necessary to level up. And when it comes to personnel, your investment can mean the difference between growing or lagging. 

Companies should invest in their current employees just as much as (if not more than) acquiring new talent. By providing education and cross-training for roles in your organization, you can arm yourself against the cybersecurity labor shortage. Programs such as one-on-one coaching, in-house training, and shadowing help your current employees upskill while on the job. And you build a team of talented cybersecurity professionals. 

Professional development is a great way to retain employees and improve their skills simultaneously. Organizations should outline clear career paths for each role and offer competitive compensation to attract driven individuals that are eager to learn. This gives your workers a goal to work towards, as well as builds a sense of ownership and loyalty among employees. 

Partner with higher education

Another great way to stay ahead of the labor shortage and enhance your operations is to develop partnerships with higher education and other industry-related programs. Top companies know this secret to success and consistently offer funding and resources in exchange for a direct funnel into cybersecurity positions. Companies can offer internships, speak at industry events, and recruit at universities to find unique talent that can help scale your business. 

There are many ways that organizations can get involved in the education sector. Look at your competitors and discover the ways that they are encouraging young college students to look into the field of cybersecurity or how you can create a direct funnel of talented individuals to your organization. 

Final thoughts

The demand for, and the demands on, cybersecurity professionals have left workers burnt out, tired, and willing to leave their positions to seek out better opportunities on their own. Companies that want to keep growing their business are facing challenges as the cybersecurity workforce dwindles. According to a recent study, 57% of organizations feel the negative impacts of the cybersecurity labor shortage. To attract and retain knowledgeable cybersecurity professionals, companies need to develop new employment models that give workers the things they need to be satisfied and successful. 


IDaaS explained: How it compares to IAM


It is often said that identity is the new perimeter in the world of cloud-native ecosystems and zero trust. Identity is inarguably at the center of everything we do in modern systems and it is key to facilitating zero trust architectures and proper access control. That said, running identity and access management (IAM) at scale can be a daunting task, which is why more organizations are adopting identity-as-a-service (IDaaS) solutions.

IDaaS has its pros and cons, but first let’s clarify what IDaaS is.

What is IDaaS?

IDaaS is a cloud-based consumption model for IAM. Much like everything else in today’s modern technology ecosystem, IAM can be offered as a service. While there are some exceptions, IDaaS is typically delivered via the cloud and can be offered as a multitenant offering or dedicated delivery model depending on the organizational requirements and the capabilities of the provider in question.

