Over 81% of developers knowingly ship vulnerable code regularly.
This preventable behavior creates unnecessary business risks and can result in reputational and financial losses.
And while it may be tempting to blame developers for vulnerabilities, the reality is that organizational culture plays a massive role in the lack of security prioritization in the software development lifecycle (SDLC).
During a recent webinar, I sat down with Robert Klentzeris, the Senior AppSec Engineer at Immersive Labs, to explore the five most common reasons shifting left fails – and how to overcome these challenges.
1. Pressure to Ship Outweighs Security
In a world committed to fast delivery, developers are faced with enormous pressure to ship code quickly. With changing deadlines and high-growth business demands taking precedence, integrating security protocols throughout every step of the SDLC can become an afterthought for both leaders and developers.
This mindset can drive innovation in the short-term, but at what cost? When speed is prioritized over security, everyone risks big losses. At the same time, initial speed that leads to vulnerabilities requires more re-work that slows down development in the long-term.
2. Existing Bugs Slow Processes
Legacy security issues that demand intensive fixes can monopolize what little free time developers have. Consider the much-publicized Log4Shell vulnerability – given the massive amount of third-party users and dependencies, a single vulnerability morphed into exponential vulnerabilities, demanding laborious fixes that consumed security and developer schedules across some or the largest enterprise corporations in the world.
While the Log4Shell vulnerability is an extreme example, vulnerability fixes with less dependencies still substantially slow development work – and make implementing new security practices challenging, given their time-consuming nature.
3. Disconnects Between Managers and Developers
Only 27% of developers view security as a critical component of their jobs, while 80% of managers view it to be paramount to their direct reports’ roles. These statistics alone underscore the dissonance between perceived role responsibility when it comes to developers and managers.
More often than not, managers may have an unrealistic perception about the level of security rigor applied during the development process. This results in a conflicting reality between how much time should be dedicated to vulnerability management.
4. Communication Breakdowns Across Teams
Shift left practices also break down around communication between development and security teams. Different teams often have conflicting priorities, which can lead to vulnerabilities going unnoticed and uncommunicated. This lack of an open dialogue can have far-reaching security ramifications that can impact the business as a whole.
This lack of alignment isn’t unique to development and security teams. In fact, executive team leaders like chief financial officers (CFOs) often prioritize increased profit over increased security, which creates an issue of prioritization from the top down. This convoluted communication makes shifting left impossible, as there is no standardized approach or goals.
5. Sporadic, Ineffective Training
Even when organizations have the best intentions around shifting left, traditional training is woefully inadequate. For busy developers, the idea of interacting with stagnant training material or classroom learning is at the bottom of their priority list. This results in a lack of desire to further skill sets as the associated material is dry and unengaging.
To further complicate training, organizations often use the sheer existence of training materials as proof that their organization must be secure. However, without the correct exercises and benchmarking methods in place, actual proof of security capability is impossible to come by.
Shifting Left Done Right
While shifting left may seem daunting, it doesn’t have to. Organizations can take actionable steps toward mitigating the five issues addressed above.
To truly shift left, leaders must look inward to their organizations as a whole and prioritize a culture that underscores the importance of cybersecurity across all teams and departments. This shift in mindset will result in a collective responsibility, rather than one that is leveraged on the shoulders of the development and security teams.
Once this ideology has been adopted, organizations must reassess their training methods, as traditional classroom training does not reflect the way adults learn. By employing dynamic, hands-on methods, organizations can engage employees from developers to designers to ensure that skill sets are met, measured, and maintained.
To learn more about how your organization can shift left successfully, watch the webinar here.
