The limitations of shifting left in application security
In this Help Net Security video, Jacob Garrison, Security Researcher at Bionic, explains the limitations of shifting left in application security.
Key factors hindering the effectiveness of shifting left:
- Achieving 50%+ application test coverage is unrealistic, especially in microservices environments spanning hundreds of codebases.
- Security tests are resource-intensive and slow to run, creating bottlenecks in CI/CD pipelines; running the full test suite for every code change rarely happens.
- The volume of security test findings, many of them false positives, overwhelms engineers, who often ignore the results.
- Security tests focus on specific components of code and not entire application architectures, resulting in missing risks relating to dependencies, data flows, and environment/application configurations.
- Not all application code or configuration changes go through the CI/CD pipeline; hotfixes and patches, for example, are on-the-fly configuration changes made directly in the environment.
- Production environments are impossible to reproduce in pre-production.