Shift Left: Should You Push It or Pull It

In cloud-native development, managing security across every phase of the development lifecycle is critical. Whether working with Docker files, identity systems, microservices or serverless functions, each component presents security risks that must be addressed early.

Implementing code to cloud security ensures that every stage of development, from build to runtime, receives the necessary protection. The imperative is to mitigate risks that could otherwise lead to vulnerabilities post-release.

Navigating Key Security Tools

The journey begins with cloud security posture management (CSPM) and progresses to more comprehensive solutions like the cloud-native application protection platform (CNAPP). Other critical tools include:

While these tools integrate security into every stage of cloud-native applications, questions remain. Who's responsible for shifting security left? Is it the domain of DevOps, SecOps or CloudOps?

Identifying Security Challenges in Cloud Deployments

Consider a containerized application deployed on a managed Kubernetes infrastructure through a cloud provider like AWS, Azure or Google Cloud. Developers traditionally focus on meeting functionality deadlines, often overlooking security until the testing or production phase. When vulnerabilities emerge at these late stages, fixing them becomes complicated, as microservices lack on-the-fly patching capabilities.

CloudOps teams address these issues by leveraging tools like CSPM, CWP and CDR. Developers adopt practices involving:

These tools allow teams to detect security gaps early. The challenge lies in aligning them across teams - making a strong case for shifting security left.

Shielding Left and Right

Figure 2 illustrates a containerized application running on an Amazon EKS cluster, exposing a service to the internet. The development team ensured security throughout the build process, shifting security left. After deploying the service, cloud security tools monitored for anomalies and zero-day vulnerabilities - a practice known as shielding right.

Despite the precautions, a zero-day vulnerability emerged in production, exposing an endpoint to unauthorized access. Whether using agentless or agent-based approaches, the security team identified the attack path. The publicly exposed service was linked to a vulnerable package in the container image.

The discovery raises several pivotal questions:

1. Is the service publicly accessible?
2. Is the vulnerability already exploitable?
3. Is a patch available?
4. Which packages are impacted?
5. Who relies on those packages?
6. What version resolves the issue?
7. How can the solution be communicated?
8. What steps are required to apply the fix?

Answering These Questions with Cloud to Code^TM Visibility

With a single, integrated platform, security teams gain visibility across the entire software development lifecycle (SDLC). For example, questions about exposure and exploitability are resolved quickly.

By prioritizing business-critical applications, teams can map cloud to code vulnerability traces. The method answers package-related questions and identifies dependencies, allowing for efficient remediation.

A deeper dive into the Docker file reveals that a Python dependency caused the issue. The platform pinpoints the exact repository, owner and the required version to resolve the problem.

Streamlining Developer Communication

To fix the vulnerability, security teams submit a pull request to the developer responsible for the affected code. By avoiding disruptions or unnecessary meetings, this approach respects the developer's workflow. "Pulling security left" ensures that security fixes integrate smoothly into the development process.

The Case for a Unified Security Platform

Using a unified security platform provides several advantages:

• Full visibility across the SDLC
• Tools for developers to prevent issues early
• Production security monitoring to detect vulnerabilities post-release
• Streamlined communication between security and development teams

Learn More

Prisma Cloud by Palo Alto Networks offers a solution that aligns with these goals. It boosts security outcomes, enhances developer productivity and encourages better collaboration across teams.

If you haven't tried our Code to Cloud platform, we invite you to experience best-in-class security with a free 30-day Prisma Cloud trial.

Public link

Please use the above public link if you want to share this noodl on another website.