Shift Left Security
Plus: AI Sec Chart & Free Learning Resources
👋 Good morning, Cyber Pros!
This week’s issue brings you:
Everything you need to know about Shift Left Security
How to have more productive conversations on AI Security
Free learning resources
Let’s dive in!
Read time: 5 mins
Shift Left Security
‘Shift Left Security’ is a cultural shift for organisations and the way they approach development. Put simply, it’s all about embedding security as early as possible in the software development lifecycle (SDLC), allowing developers to address misconfigurations and vulnerabilities as early as possible.
(This isn’t to be confused with Shift Left Testing, which focuses on scanning and testing to ensure software quality, whereas Shift Left Security is about secure coding practices and guardrails that empower developers.)
Stay with me whilst I answer these 4 questions for you:
What is Shift Left trying to achieve?
What are the key challenges?
What tools can be used to help embed this culture?
What does Shift Left look like in AI?
Background
I wanted to write on this topic after seeing it cause a stir in public forums. Whilst it seems sensible to me, there is some confusion around how this works in practice.
Example: (screenshot of the referenced public forum post, not reproduced here)
There are 119 comments in the above post. Here are some snippets:
‘It dramatically slows down product time and increases costs’
‘It’s not the devs’ responsibility! They’re doing security’s job’
‘Things like testing, privacy by design and default, security, all shift left in the process, instead of trying to bolt it on at the end of the process.’
I don't get why people don't understand this more. It's not a term to mean removing people, it's just making people think about these things earlier.’
With this in mind, allow me to clear the air on this topic.
Reasons companies are Shifting Security Left:
Reduce remediation costs - address misconfigurations and vulnerabilities at the earliest possible stage before security ramifications grow.
Save time - I know you’re thinking it’s an extra step, but it saves far more time than the delays projects suffer when security issues are detected right before Go-Live.
Happy teams - automating compliance and security testing will improve the relationship between developers and security. Making processes smoother and more efficient ensures everyone’s requirements are met.
Hurdles to jump over to Shift Security Left:
The benefits are clear, yet many companies are slow to move on this approach.
(Some studies report that less than 40% of companies have embedded security into their DevOps processes)
Shifting to a Security-First Culture
Traditionally, engineering teams measure success by delivery speed and feature updates. However, a security-first approach demands new metrics focused on early vulnerability detection and swift remediation, incentivising proactive security measures.
The lack of integrated processes and early involvement of Security exacerbates the disconnect between engineering and security teams. Early integration can bridge this gap and foster collaboration.
Tooling Fragmentation
Security tools differ vastly from those used by developers, creating visibility gaps and hindering effective collaboration. Bridging this gap is essential for comprehensive risk management.
Consolidating tools can streamline management and enhance issue resolution efficiency.
What tools can you use to shift security left?
Core tooling in the following areas allows Security to Shift Left:
Static Application Security Testing (SAST): Utilises pre-scripted scans to inspect application assets, such as source code, configuration files, byte code, and binary files, to uncover potential security vulnerabilities.
Dynamic Application Security Testing (DAST): Examines applications during runtime against key vulnerability sources, such as the OWASP Top 10, to identify potential security weaknesses.
Runtime Application Self-Protection (RASP): Employs either an agent or linked library to detect and mitigate threats targeting individual applications in real-time.
Interactive Application Security Testing (IAST): Integrates both DAST and SAST scanning methodologies to enhance precision in assessing application security.
Additional related tooling:
Web Application Firewall (WAF)
Software Composition Analysis (SCA)
Secrets Scanning
Container/Workload Scanning
Cloud Security Posture Management (CSPM)
Having a different tool for each of these things is simply unmanageable and complex for security teams. It’s important to choose your toolset wisely considering cost, automation, and operational overhead.
My recommendations:
Get visibility into common issues and misconfigurations.
Employ a single security policy from build to runtime - define a unified source-to-production policy for your engineering and Security teams alike in order to break down tooling and organisational silos.
Automation of security scans, tests, and policy enforcement is at the heart of shift-left security.
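One way to put the single build-to-runtime policy and its automated enforcement into practice, as an added illustration rather than code from this newsletter: a small Python gate that applies the same rules to findings from build-time scanners (SAST, SCA, secrets scanning) and from runtime posture checks (CSPM). The policy thresholds, the finding fields and the sample findings are constructed assumptions for the example.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# A single policy shared by engineering and Security. Build-time scanners (SAST,
# SCA, secrets scanning) and runtime checks (CSPM) all feed the same gate, so a
# finding is judged by the same rules wherever it was produced. Thresholds are assumptions.
POLICY = {
    "block_at_or_above": "high",       # fail on any finding at this severity or worse
    "always_block_types": {"secret"},  # a leaked credential fails the gate at any severity
    "max_open_medium": 5,              # tolerate a bounded backlog of medium findings
}

@dataclass(frozen=True)
class Finding:
    stage: str     # "build" or "runtime"
    source: str    # tool category that reported it: sast, sca, secrets, cspm
    ftype: str     # "vulnerability", "secret" or "misconfiguration"
    severity: str
    title: str

def evaluate(findings, policy=POLICY):
    """Return (passed, reasons); reasons lists every rule that blocked the gate."""
    threshold = SEVERITY_RANK[policy["block_at_or_above"]]
    reasons, mediums = [], 0
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower(), 0)
        if f.ftype in policy["always_block_types"]:
            reasons.append(f"{f.stage}/{f.source}: {f.title} (always blocked)")
        elif rank >= threshold:
            reasons.append(f"{f.stage}/{f.source}: {f.title} ({f.severity})")
        elif rank == SEVERITY_RANK["medium"]:
            mediums += 1
    if mediums > policy["max_open_medium"]:
        reasons.append(f"{mediums} medium findings exceed the limit of {policy['max_open_medium']}")
    return not reasons, reasons

# Constructed sample findings, shaped like a CI job and a posture scanner might report them.
SAMPLE = [
    Finding("build", "sca", "vulnerability", "high", "dependency example-lib 1.2.3 has a known flaw"),
    Finding("build", "secrets", "secret", "low", "cloud access key committed in config/settings.py"),
    Finding("build", "sast", "vulnerability", "medium", "SQL query built by string concatenation"),
    Finding("runtime", "cspm", "misconfiguration", "critical", "storage bucket publicly readable"),
]

if __name__ == "__main__":
    passed, why = evaluate(SAMPLE)
    print("PASS" if passed else "FAIL")
    for reason in why:
        print(" -", reason)
```

Because the gate is one function with one policy, the same decision logic can run as a CI step for build findings and as a scheduled job for runtime findings, which is what a unified source-to-production policy means in practice.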
What does Shift Left look like in AI?
Applying Shift Left to AI/ML involves extending its principles beyond developers to AI researchers and data scientists.
Unlike traditional software development, AI practitioners work extensively with data alongside code. This shifts the focus from code vulnerabilities to potential weaknesses in data artefacts crucial for model development.
The main difference is that identifying vulnerabilities happens even earlier, in the research phase. This is to ensure the integrity and reliability of AI models.
Conversations on AI Security
Trying to have productive conversations on ‘AI Security’ is challenging for many because it often sparks debate around defining what AI is, or it’s brushed off as a hype train that will lose steam.
I assure you, it isn’t going anywhere. 70% of cloud environments now use managed AI services, showcasing widespread interest.
The easiest way to shape conversations is to separate them into two areas:
Security of AI
AI for Security
This chart helps with that: (chart not reproduced here)
AI is where the cloud was 5 to 10 years ago: facing exponential adoption and growth but with little to no oversight or governance because security tools struggle to keep pace with the business.
I expect more regulations, more controls, more attack paths and more roles coming as security teams realise that upskilling alongside all their other responsibilities is a challenge.
Note: If this interests you, I recently set up a Reddit Community focused on the intersection of AI and Cyber Security. It’s for sharing insights and resources, as well as asking questions and having discussions on this growing domain.
Useful Resources (Recap)
That’s a wrap!
If you found this newsletter valuable, please refer a friend who would benefit.