This blog post is where I remember first reading about the concept of shifting security left. "Shifting left" or "pushing left" means integrating security early in the development process. This saves time because code doesn't have to be remediated later on after a security review.
One lightweight way I've found of integrating security into the conversation is by asking questions about two topics: data and access.
When writing the stories or units of work, ask:
- Is there DATA that needs to be protected?
- Is there ACCESS that needs to be protected?
It might be that a story or unit of work involves both, only one, or neither of these, but by intentionally asking the question, you can ensure it is being considered and addressed.
A ritual where the pair working on the story and some other members of the team - sometimes teams require QA to be there, sometimes it's just a third member of the team - ensure that there's a mutual understanding of the work that needs to be done and what the criteria are for deeming the work complete.
In this conversation, ask one or both of these questions as it applies to the work:
- How WILL we protect the data?
- How WILL we protect access?
A ritual where the pair that worked on the story, the QA, and possibly other members of the team - sometimes teams ask that other stakeholders be included - walk through the work to make sure the acceptance criteria are met.
This includes answering the questions as they apply to the work:
- How DID we protect the data?
- How DID we protect access?
Shift left vs secure early
I've chosen the language "secure early" because shifting left or pushing left assumes a left-to-right reading directionality. Absolutely no shade meant; it's just something that crossed my mind, and I wanted to choose a phrase that would apply regardless of directionality.
As always, questions, comments, concerns, feedback, hit me up on Twitter.