Tech With Htunn
  • Blog Content
  • DevSecOps
    • understanding devsecops
    • shift left in devsecops
    • what is the different between SAST and DAST in devsecops?
    • what is software composition analysis (SCA)?
    • what is Software Bill of Materials (SBOM)?
    • dependency scanning in devsecops
    • what is continuous integration in devops?
    • what is continuous delivery and deployment in devops?
    • understanding containerization
    • container scanning in devsecops
  • Data Engineering
    • what is data engineering?
    • Medallion Architecture in Data Engineering
    • understanding DataOps?
    • Difference between ETL and ELT pipeline in Data Engineering
  • IAM
    • what is Identity and Access Management?
    • understanding microsoft graph api
    • what is SCIM in IAM?
    • Different between sp and idp initiated flow in saml?
    • what is the difference between OAuth-2.0 and OIDC?
    • Understanding PKCE in OAuth-2.0?
    • what is SCIM Streaming?
    • what is the meaning of Identity broker?
  • Cloud Architect
    • what is cloud archiect?
    • Understanding even-driven architecture?
    • what is cloud native architecture?
    • what is cloud native application?
    • Understanding web application firewall?
  • SRE
    • what is SRE?
    • Meaning of toil in SRE?
    • what is error budget in SRE?
    • Difference between SLA, SLO and SLI in SRE
    • Understanding MTTR in SRE?
Powered by GitBook
On this page
  1. DevSecOps

shift left in devsecops

Shift Left in DevSecOps refers to the practice of integrating security measures early in the software development lifecycle (SDLC), rather than addressing security issues at the end of the development process. This approach aims to identify and fix security vulnerabilities as early as possible, reducing the risk of security breaches and improving overall software quality.

Pros of Shift Left in DevSecOps

  1. Early Detection of Vulnerabilities: By incorporating security testing early, developers can identify and address vulnerabilities before they become more complex and costly to fix.

  2. Cost Efficiency: Fixing security issues early in the SDLC is generally less expensive than addressing them later in the process or after deployment.

  3. Improved Collaboration: Encourages collaboration between development, security, and operations teams, fostering a culture of shared responsibility for security.

  4. Faster Time-to-Market: Early security integration can streamline the development process, reducing delays caused by late-stage security issues.

  5. Enhanced Compliance: Helps in meeting regulatory and compliance requirements by ensuring security is a continuous part of the development process.

Cons of Shift Left in DevSecOps

  1. Initial Learning Curve: Teams may face a learning curve as they adapt to new tools and processes for integrating security early in the SDLC.

  2. Resource Intensive: Requires investment in training, tools, and possibly additional personnel to manage the increased focus on security.

  3. Potential for Overhead: Early and continuous security testing can introduce additional overhead, potentially slowing down the development process if not managed efficiently.

  4. Resistance to Change: Development teams accustomed to traditional workflows may resist the shift left approach, requiring change management efforts.

Example Using GitLab as a DevSecOps Platform

Scenario: A development team is building a web application using GitLab for their DevSecOps pipeline.

  1. Static Application Security Testing (SAST): The team integrates SAST into their CI/CD pipeline. Every time code is committed, GitLab runs SAST to analyze the source code for vulnerabilities. This allows developers to fix issues before merging code into the main branch.

  2. Dynamic Application Security Testing (DAST): Once the application is deployed to a staging environment, GitLab runs DAST to test the application for runtime vulnerabilities, such as cross-site scripting (XSS) or SQL injection. This helps identify issues that may not be visible in the source code alone.

  3. Dependency Scanning: GitLab scans the application’s dependencies for known vulnerabilities. This ensures that third-party libraries and packages used in the application are secure.

  4. Container Scanning: If the application is containerized, GitLab scans the container images for vulnerabilities before they are deployed to production.

By integrating these security tests early and continuously throughout the development process, the team can ensure that security is an integral part of their workflow, reducing the risk of vulnerabilities making it to production

Previousunderstanding devsecopsNextwhat is the different between SAST and DAST in devsecops?

Last updated 4 months ago