Shift left the right way: Practical security integration with Angela Wen | Beyond the Commit
By GitHub
Shift Left Security: Empowering Developers with the Right Tools
Key Concepts:
- Shift Left: Integrating security practices earlier in the Software Development Life Cycle (SDLC).
- Code Scanning: Analyzing code for potential vulnerabilities using tools like CodeQL.
- Pull Request: A request to merge code changes into a main branch, a key point for security checks.
- Autofix Engine: An AI-powered engine that suggests code fixes for identified vulnerabilities.
- Security Campaigns: Grouping and assigning similar security alerts to developers for efficient remediation.
- Secret Scanning: Detecting and preventing the accidental committing of secrets (e.g., passwords, API keys) into repositories.
- Push Protection: Preventing secrets from being pushed to a repository by scanning code before the push.
- Developer Experience (DX): Focusing on the ease and efficiency with which developers can use security tools.
Defining Shift Left in Security
Angela defines "shift left" as moving security considerations and practices earlier in the software development lifecycle. Instead of waiting until the end of the development process to address security vulnerabilities, the goal is to identify and remediate them as early as possible. This is analogous to the shift left movement in testing, where testing is integrated throughout the development process.
Challenges in Implementing Shift Left
Angela highlights two key challenges:
- Lack of Security Expertise Among Developers: Developers often lack the specialized knowledge to identify and address all potential security vulnerabilities. They rely on security researchers and engineers for expertise.
- Tension Between Feature Delivery and Security: Developers are primarily focused on delivering features, while security engineers prioritize code security. Security alerts can be perceived as roadblocks to feature delivery, creating tension.
Dan Shanahan adds that the ever-changing threat landscape and resource constraints within security teams are also significant challenges. Security teams need the people, funding, and business support to build high-quality security testing platforms.
Addressing the Challenges: Iterating on Shift Left
Dan Shanahan argues that shift left hasn't failed, but rather is being iterated upon. The focus needs to be on improving the developer experience (DX) by:
- Providing the right information in the right context.
- Avoiding unnecessary alerts that disrupt the developer's workflow.
Tools for Secure Code Development
Angela discusses several tools available to help developers write more secure code:
- Code Scanning with CodeQL: This tool analyzes code for vulnerabilities and provides alerts within the pull request experience. It uses the CodeQL semantic code analysis engine.
  - Pull Request Integration: Code scanning is integrated into the pull request process, providing developers with immediate feedback on potential vulnerabilities.
  - Suggested Changes: The tool provides suggested code changes to remediate vulnerabilities, making it easier for developers to fix the issues.
- Autofix Engine (AI-Powered): This engine uses large language models (LLMs) to generate code suggestions for fixing vulnerabilities.
  - Reduces the "Blank Page Problem": The engine provides a starting point for developers, making it easier to address vulnerabilities even if they lack specific security expertise.
  - Commit to Pull Request: The suggested fixes are committed to the pull request, allowing for review and approval by teammates.
- Security Campaigns: This product helps manage existing vulnerabilities in repositories.
  - Grouping Alerts: Administrators can group alerts by severity or type of problem and assign them to developers.
  - Efficient Remediation: Developers can focus on fixing similar vulnerabilities in batches, making the process more efficient.
  - AI-Powered Fix Suggestions: The Autofix engine also works for security campaigns, providing fix suggestions for existing vulnerabilities.
- Secret Scanning with Push Protection: This tool prevents secrets from being committed to repositories.
  - Early Detection: It scans code before it is pushed to the repository, preventing secrets from ever being exposed.
  - Shift Further Left: This represents an even earlier point in the development lifecycle where security is addressed.
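The push-protection idea described above (inspect what a push would add, and stop it before a secret reaches the repository) can be illustrated with a small scanner over a unified diff. The following is an added example written for this summary; it is not GitHub's secret scanning code and does not reproduce its detectors. The regular expressions, the placeholder allowlist, and the constructed diff are assumptions made for the illustration: the GitHub token and AWS access key ID prefixes are publicly documented formats, while the generic "keyword = value" pattern is a heuristic chosen here. A real pre-push hook would feed this function the output of a command such as `git diff <remote-branch>...HEAD`.

```python
import re
from dataclasses import dataclass

# Credential shapes to look for. The GitHub token and AWS access key ID prefixes are publicly
# documented formats; the generic assignment pattern is a heuristic chosen for this example.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Placeholder values that documentation legitimately contains; flagging them would be exactly
# the kind of noisy alert the conversation warns about (constructed allowlist for this example).
ALLOWLIST = {"<your-token-here>", "changeme", "password123"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int   # line number in the new version of the file
    kind: str
    redacted: str  # never echo the full secret back into a terminal or CI log


def redact(value: str) -> str:
    """Keep only enough of the value for the developer to locate it."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan a unified diff and report secrets on added lines only.

    Only added lines matter for push protection: they are the content that the push
    would introduce into the repository's history.
    """
    findings: list[Finding] = []
    path = None
    in_hunk = False
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk, path = False, None
            continue
        if raw.startswith("@@"):
            # "@@ -a,b +c,d @@": the next non-removed line is line c of the new file.
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) - 1 if m else 0
            in_hunk = True
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            continue  # "--- a/...", "index ..." and similar header lines
        if raw.startswith("-") or raw.startswith("\\"):
            continue  # removed lines and "\ No newline at end of file" are not in the new file
        new_line += 1  # context and added lines both advance the new-file line counter
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(content):
                value = m.group(m.re.groups)  # last capture group, or the whole match if none
                if value in ALLOWLIST:
                    continue
                findings.append(Finding(path or "<unknown>", new_line, kind, redact(value)))
    return findings


def should_block(findings: list[Finding]) -> bool:
    """Push protection decision: any finding that survived the allowlist blocks the push."""
    return bool(findings)


# Constructed sample: a unified diff as git would print it before a push. The blob ids and
# credential-looking values are made up for this example and are not real secrets.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 1111111..2222222 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,4 @@ DEBUG = False
 ALLOWED_HOSTS = ["localhost"]
-API_KEY = os.environ["API_KEY"]
+API_KEY = "sk-constructed-not-a-real-key-1234567890"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 DATABASES = {}
diff --git a/README.md b/README.md
index 3333333..4444444 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Setup
+Set `token = "<your-token-here>"` in the config file.
 Run the app.
"""

if __name__ == "__main__":
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted})")
    print("push blocked" if should_block(results) else "push allowed")
```

Two design points carry the page's argument about developer experience: the scanner reports the file and line so the fix is obvious, and it skips documented placeholders so the developer is not interrupted by an alert that is not a real secret. The README change in the sample passes for that reason, while the two values added to `config/settings.py` block the push.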
Key Takeaways and Conclusion
The conversation emphasizes the importance of delivering the right information about potential vulnerabilities at the right time. Push protection is crucial for preventing secrets from entering the codebase, while code scanning with AI-powered fix suggestions at the pull request stage empowers developers to address vulnerabilities effectively. The key is to create a culture of collaboration and trust between developers and security teams, ensuring that everyone is motivated to prioritize and address security vulnerabilities.