In the last few years of AppSec and DevOps, we've heard the calls to shift left. But how far left can we go, and is it really going to help eliminate exploitable bugs or scale your AppSec program? What if we consider a different direction, shifting right! Can a focus on shifting to the right be more effective in mitigating real-world threats and prioritization? In this presentation, I'll explore these questions and propose concepts that show why shifting right is right!
6. The DevSecOps paradigm that we are all preaching is "Shift Security Left", e.g. design and develop your application with security in mind as early as possible and integrate security into the CI/CD pipeline.
- Anonymous (Anonymous as in an AppSec person in an AppSec Slack channel, not _ )
7. What is this shifting left?
An approach to software testing and system testing in which testing is performed earlier in the life cycle (i.e. moved left on the project timeline). It is the first half of the maxim "Test early and often." - Wikipedia
In the parlance of DevOps and security, a shift left simply means that security is built into the process and designed into the application at an earlier stage of the development cycle. - SecurityRoundtable
21. Why is this important?
● Moving to the cloud.
● Business drivers moving faster, resulting in app deployments moving faster.
● Abstraction of infrastructure and operations, e.g. PaaS & serverless, is enabling faster app deployments.
Security needs to move fast too, and it can only move faster by shifting right.
22. Benefits
Visibility to understand the threats your apps are actually facing; this becomes a critical feedback loop to drive prioritization of resources on the left.
Gives you an edge even with little resources: delegate security monitoring and defend in real time.
Visibility sharing helps build relationships with developers.
Threat hunting.
23. One of the best approaches is to provide rapid feedback to developers. In the land of application performance, we found that running APM tools in production was a way to help developers find places to optimize their code. This created a feedback loop from production (the right) to development (the left).
James Wickett (@wickett)
https://labs.signalsciences.com/devsecops-security-shift-right
24. Attacks & Attack Locations
Incredible feedback for developer awareness and prioritization.
27. Correlations
● Attacks + anomalous responses
● Attacks + sensitive transactions
● Logins + anomalous sources
● Sensitive transactions + anomalous sources
● Automation (Bots) + user actions
● Automation (Bots) + high risk transactions
● Distinct changes in traffic patterns
[Image: Dalek 1, by Tony Hisgett from Birmingham, UK, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=18985947]
28. Principle of Known Good
● HTTP structure / attributes
● App specific parameters
○ Headers
○ GET & POST
● Device specific parameters
○ Device IDs
○ User-Agent strings
○ Client software versions
Periodically update the known-good baseline.
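As an added example (not from the deck or its author), the two ideas above put together in Python: a known-good profile for a hypothetical app's endpoints, parameters and user-agents, and three of the correlations from slide 27 run over constructed request records. The endpoints, the attack-shaped-input pattern and the sample records are all assumptions made for the illustration.

```python
import re
# Constructed sample of production request records (not from the original deck).
SAMPLE_LOGS = [
    {"src": "203.0.113.5", "method": "GET", "path": "/search",
     "params": {"q": "shoes"}, "ua": "Mozilla/5.0", "status": 200},
    {"src": "198.51.100.7", "method": "GET", "path": "/search",
     "params": {"q": "' OR 1=1--"}, "ua": "Mozilla/5.0", "status": 500},
    {"src": "198.51.100.7", "method": "POST", "path": "/login",
     "params": {"user": "admin", "password": "x"}, "ua": "python-requests/2.0", "status": 401},
    {"src": "192.0.2.9", "method": "POST", "path": "/checkout",
     "params": {"cart_id": "17", "payment_token": "tok", "debug": "1"},
     "ua": "Mozilla/5.0", "status": 200},
]
# Known-good profile for this hypothetical app: each allowed method+path and the parameters it accepts.
KNOWN_GOOD = {
    ("GET", "/search"): {"q"},
    ("POST", "/login"): {"user", "password"},
    ("POST", "/checkout"): {"cart_id", "payment_token"},
}
KNOWN_GOOD_UA = re.compile(r"^Mozilla/5\.0")          # browser clients only; anything else is automation
SENSITIVE = {("POST", "/login"), ("POST", "/checkout")}  # high-risk transactions
ATTACK_PATTERN = re.compile(r"('|--|<script|\.\./)", re.I)  # crude marker for attack-shaped input

def deviations(req):
    """Return reasons a request falls outside the known-good profile (empty list = known good)."""
    reasons = []
    key = (req["method"], req["path"])
    if key not in KNOWN_GOOD:
        reasons.append("unknown endpoint")
    else:
        extra = set(req["params"]) - KNOWN_GOOD[key]
        if extra:
            reasons.append("unexpected params: " + ",".join(sorted(extra)))
    if not KNOWN_GOOD_UA.match(req["ua"]):
        reasons.append("automation")
    return reasons

def correlate(logs):
    """Apply the deck's correlations to a batch of requests; return (src, correlation) findings."""
    findings = []
    for r in logs:
        devs = deviations(r)
        attack = any(ATTACK_PATTERN.search(v) for v in r["params"].values())
        sensitive = (r["method"], r["path"]) in SENSITIVE
        if attack and r["status"] >= 500:                 # attacks + anomalous responses
            findings.append((r["src"], "attack + anomalous response"))
        if "automation" in devs and sensitive:            # automation (bots) + high-risk transactions
            findings.append((r["src"], "automation + high-risk transaction"))
        if sensitive and any(d.startswith("unexpected params") for d in devs):
            findings.append((r["src"], "sensitive transaction + unknown parameters"))
    return findings
```

Each finding names the source that produced it, which is the feedback the deck wants routed back to developers for prioritization.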
30. Final Thoughts
You don't have to shift left before shifting right.
In fact, if you have limited resources or are building a new AppSec program, I recommend starting on the right first.
Let the right inform the left as you build out your AppSec program.
Absolutely necessary for existing AppSec programs to move faster.