Skip to main content

Going beyond “shift left” to extend AppSec in all directions

Written by:
wordpress-sync/feature-datacenters-black

July 9, 2024

0 mins read

A week before RSA 2024, Forrester predicted which subjects and themes would come to the forefront of the conference. They emphasized that we’d see a focus on proactive security, defined as “a strategic approach to controlling security posture and reducing breaches through strong visibility, prioritization, and remediation.” 

I went into the conference with this prediction in mind. However, I was surprised by what I found. Sadly, I still saw many vendors focusing heavily on vulnerability visibility only, without touching on the other aspects of proactive security that Forrester mentions in the definition above. 

However, a proactive security approach is necessary for today’s security and development teams. Many of these teams are already feeling overwhelmed by the reactivity surrounding existing processes and must deal with blind spots throughout the SDLC.  Security teams end up focusing on the wrong issues and missing the most critical ones. They can also end up hindering development processes while leaving gaps open to unknown risks. A reactive approach also forces developers to deal with long lists of unprioritized alerts and overly rigid security measures. The industry’s growing focus on apps and increased usage of AI will only exacerbate all of these issues. 

Today’s teams need effective proactive security that incorporates strong prioritization and remediation instead of focusing solely on visibility. In addition, visibility itself needs to be focused on the right level — more at the level of assets as applications and not just an aggregate view of vulnerabilities.

But how do we, as an industry, move past this “visibility only” approach? Perhaps it’s about changing our mindset of what shifting left means. It’s not just moving security to happen earlier in a two-dimensional continuum of software development, but instead, taking a multi-directional approach to security. While at RSA, I started thinking about this concept in terms of a metaphoric compass. What if, instead of focusing on a leftward movement, we aimed to extend security in all directions: north, south, east, and west? 

Multi-directional application security

If we extend our application security into all of these metaphorical areas, we can gain better visibility and context of everything happening across the SDLC. Here’s how this approach could work:

North

Security teams use several application security testing (AST) tools across their AppSec program, such as static application security testing (SAST) and software composition analysis (SCA). Typically, they rely on a third-party solution to aggregate and analyze all of the vulnerability data coming from these separate tools and gauge the success of their program. 

However, many aggregation tools focus solely on vulnerability counts, meaning they miss crucial contextual information, such as holistic application and business context. To understand the performance of their application security programs over time, teams must go beyond the typical measurements, such as the number of vulnerabilities and time to resolve. Instead, they must look into valuable analytics related to the issues, coverage, and business-specific assets. Going north means taking a “bird's eye view” of the entire application and its context rather than seeing each vulnerability as an isolated issue.

South 

Development and security teams also need better context related to each security alert. We can think of this as the “south” direction of our multi-directional approach, as it means going deeper at every stage of development in terms of security context. Traditional risk ratings, such as the Common Vulnerability Scoring System (CVSS), don’t include all the data needed to truly understand how much/little risk a particular vulnerability poses to the organization and who is responsible for remediating the most pressing issues. 

Instead, teams need to understand the following factors related to every alert:

  • What is the business criticality of the application containing the vulnerability?

  • Are there any other factors that influence the criticality of the vulnerabilities (e.g., cloud infrastructure security that provides added protection for the code in question, etc.)?

  • Which user generated the code in question and is best positioned to fix errors?

  • What type of asset contains the vulnerability? This information can help development teams identify the best way to fix the issue.

East

To gain a better picture of risk, organizations must also focus on runtime security — the “east” direction of our approach. This context helps security teams understand which code the application uses at runtime and which assets pose little to no risk because they aren’t used in the app’s running state. This runtime context helps teams narrow down the list of vulnerabilities even further, as it removes any false positives around vulnerabilities that pose no threat to the running application. 

West (i.e., left)

The industry has already been discussing the shift left approach to security for some time. However, this commitment to fixing issues early in the development lifecycle must evolve with changing development processes. The definition of “left” will continue to evolve, and security teams must adjust their tooling and processes to align with whatever the development teams use.

For example, today’s security teams are finding that they must move faster because developers are using AI code assistants to generate code at an unprecedented speed. To shift left in a way that works with these development changes, many security teams use AI security tools to secure this rapid explosion of new code without slowing down developer innovation.

Snyk’s approach to multi-directional security

Here at Snyk, we’ve created an application security approach that covers all four directions. This multi-directional strategy has led to successes for our customers, such as improved developer productivity and overall risk reduction.

Our latest application security posture management (ASPM) offering, Snyk AppRisk Pro, introduces better risk detection and prioritization features with enhanced runtime intelligence, added integrations with development platforms, new compatibility with secret detection tools, and comprehensive data analytics capabilities. 

Find out more about Snyk AppRisk Pro today.

wordpress-sync/feature-datacenters-black

How to Build a Security Champions Program

Snyk interviewed 20+ security leaders who have successfully and unsuccessfully built security champions programs. Check out this playbook to learn how to run an effective developer-focused security champions program.