Shift-Left Security: The Future Beyond Traditional Cybersecurity in the Cloud


By Jeremy Smillie

Let’s begin with the concept of DevSecOps—what it is and why it’s essential in today’s IT landscape. At its core, DevSecOps is a discipline that blends three critical aspects of IT: Development, Security, and Operations. It’s more than just a methodology; it’s a cultural shift integrating security as a shared responsibility across the entire IT lifecycle. This approach emphasizes automation, platform design, and a mindset where security is embedded at every stage of development, from the initial code to the final deployment.

To truly integrate security at its roots, you must start with it from the very beginning. Before building any infrastructure, you need to focus on the product; in our world, that product is software. This is where the concept of Shift-Left Security comes into play. Moving security to the earliest stages of the development process ensures that it becomes an integral part of the software’s foundation rather than an afterthought.

In this article, we’ll dive into Shift-Left Security, why it’s crucial for cloud environments, and how I’ve successfully implemented it while working with Exact Payments. Through this exploration, you’ll understand why traditional cybersecurity methods fall short in the cloud and how adopting a Shift-Left approach can revolutionize your security strategy.

The Move to Shift-Left

“Shift-left” simply means moving processes and tasks to the earliest stages of a project. In the security context, it involves integrating security processes and procedures right from the start—during design, planning, development, execution, and run-time.

Starting from scratch on every layer, infrastructure included, was a significant advantage. We were able to run comprehensive security checks on all the code our developers produced, as well as on the infrastructure code created by our DevOps teams. This gave us a clean foundation with no known vulnerabilities on which to build and maintain our systems with confidence. Before diving in, we conducted in-depth training for our developers on secure development practices. This training equipped our developers and DevOps teams with the knowledge to make informed security decisions from day one.

Our developer training covered a wide range of crucial topics, including:
  • AAA (Authentication, Authorization, and Accounting)
  • Encryption
  • Logging Standards
  • OWASP (Open Web Application Security Project)
  • PCI-DSS Compliance Standards (3.2.1, the version in force at the time; it has since been superseded by 4.0)
  • Privacy Compliance Standards (CCPA, GDPR, PIPEDA)
  • SANS Top 25 Most Dangerous Software Errors
  • Secure Coding Best Practices
  • Software Development Lifecycle (Best Practices)

Following the training, we invested in various security tools that could be integrated into our developers’ IDEs and aligned with the CI/CD pipelines we planned to build in the near future.

The advantage of comprehensive upfront training is evident when our developers commit code to GitHub and issue a pull request. The developer reviewing the code is well-versed in secure coding practices and standards, enabling them to spot flaws or deviations from our guidelines. This has significantly reduced the burden on our security team and, as a result, has accelerated the development process.

Automating Deployments From Development to Production

With so many Continuous Integration (CI) tools available on the market—such as CircleCI, Jenkins, GitHub Actions, and more—we decided to select a solution that was not only powerful but also user-friendly. We began with the fundamentals, focusing on packaging our code to create deployable images. We deployed these images to our Amazon EKS (Elastic Kubernetes Service) cluster. Once this process ran smoothly in our test environment, we laid the groundwork for building a highly robust and secure pipeline.

Our approach was to prioritize security from the very start. Before packaging the code, we ran Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans. We established a straightforward business rule: if any finding had a CVSS (Common Vulnerability Scoring System) base score greater than 4, the pipeline would fail. A CVE identifier only names a vulnerability; the number that ranks its severity is the CVSS score, which is what the scanner reports and what the gate compares against. Our developers quickly faced the challenge of addressing every finding above that line.

Within two weeks the pipeline was passing consistently, but we knew we could push further. We tightened the threshold to fail on any finding with a CVSS score greater than 0, which in practice means any known vulnerability at all. This rigorous standard pushed the team to scrub both our code and our dependencies clean, ensuring a high level of security from development through to production. A threshold that strict only holds up if there is a documented exception process for findings confirmed to be unreachable or formally accepted as risk; without one, developers route around the gate instead of fixing the finding.
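The gate itself is a few lines of glue between the scanner's report and the CI job's exit status. The script below is an added example, not Exact Payments' pipeline code: the report shape, the placeholder advisory identifiers and the helper names are assumptions made for this illustration. It also shows two details a "greater than 4" rule glosses over: a score of exactly 4.0 is already "Medium" under CVSS v3.x, so a strict `>` comparison lets it through, and findings the scanner could not score should fail closed rather than slip past the threshold.

```python
"""CVSS-threshold pipeline gate (added example, not the page's own code)."""
import json
import sys

# Constructed sample SCA report. The package names and "ADV-000x" identifiers
# are placeholders invented for this example, not real advisories.
SAMPLE_REPORT = """
{
  "findings": [
    {"id": "ADV-0001", "package": "examplelib",   "version": "1.2.3", "cvss": 7.5},
    {"id": "ADV-0002", "package": "helperkit",    "version": "0.9.0", "cvss": 3.1},
    {"id": "ADV-0003", "package": "tinyutil",     "version": "2.0.1", "cvss": 0.0},
    {"id": "ADV-0004", "package": "legacyparser", "version": "4.4",   "cvss": null}
  ]
}
"""


def load_findings(report_text: str) -> list:
    """Parse the (assumed) JSON report into a list of finding dicts."""
    return json.loads(report_text)["findings"]


def severity(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def is_blocking(finding: dict, threshold: float, allowlist: frozenset) -> bool:
    """A finding blocks the build when its CVSS base score exceeds the threshold.

    Allowlisted identifiers are the documented exceptions (unreachable code,
    accepted risk). Unscored findings fail closed: the scanner not having a
    CVSS vector does not make the vulnerability go away.
    """
    if finding["id"] in allowlist:
        return False
    score = finding.get("cvss")
    if score is None:
        return True
    return float(score) > threshold


def blocking_findings(findings: list, threshold: float,
                      allowlist: frozenset = frozenset()) -> list:
    return [f for f in findings if is_blocking(f, threshold, allowlist)]


def gate(report_text: str, threshold: float,
         allowlist: frozenset = frozenset()) -> int:
    """Return the exit status the CI step should use: 0 passes, 1 fails."""
    blocking = blocking_findings(load_findings(report_text), threshold, allowlist)
    for f in blocking:
        score = f.get("cvss")
        label = "unscored" if score is None else f"{score} ({severity(float(score))})"
        print(f"BLOCK {f['id']} {f['package']}=={f['version']} cvss={label}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py [threshold]   (defaults to the article's initial 4.0)
    thr = float(sys.argv[1]) if len(sys.argv) > 1 else 4.0
    sys.exit(gate(SAMPLE_REPORT, thr))
```

With the sample report, a threshold of 4.0 blocks the 7.5 finding and the unscored one; dropping the threshold to 0 additionally blocks the 3.1 finding but still passes the 0.0 entry, since `0.0 > 0` is false. Wire the exit status into the CI step and the job fails exactly when the rule says it should.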

This process solidified our commitment to security and streamlined our deployments, resulting in cleaner code and a more secure production environment.

What About the Containers?

One of the biggest misconceptions in containerized environments is the assumption that pulling a Docker image from a trusted source, adding your code, and deploying it is sufficient to ensure a secure and clean environment. Unfortunately, this is far from the truth. Many publicly available images come bloated with unnecessary components, each bringing its own set of vulnerabilities and patching requirements.

While you can find minimalist images like Alpine that provide just enough to get your code running, these may not go far enough to reduce the attack surface. That's where Distroless images come into play. Distroless (Google's distroless project) was explicitly designed to remove the package manager, shell and other unnecessary components from the image, making it even smaller and significantly reducing the number of vulnerabilities you need to manage. By stripping away everything that isn't essential, Distroless images provide a more secure foundation for your containers, ensuring that your deployments are as lean and secure as possible. Two caveats are worth knowing before you adopt them: because there is no shell, you cannot exec into a running container to troubleshoot, so plan on the `:debug` image variants or Kubernetes ephemeral debug containers instead; and a minimal base does nothing for vulnerabilities in your own application and its dependencies, which is why the SAST and SCA gates described above still apply to what you copy into the image.
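A multi-stage build is the usual way to put this into practice: compile in a full toolchain image, then copy only the resulting binary into a distroless runtime image. The Dockerfile below is an added example, not Exact Payments' own build; the application name, module path and Go toolchain version are placeholders.

```dockerfile
# Build stage: full toolchain, never shipped. "app" and "./cmd/app" are
# placeholder names for this example.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a statically linked binary, so the runtime image
# needs no libc and the "static" distroless variant is sufficient.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Runtime stage: no shell, no package manager, no apt. The image carries only
# CA certificates, tzdata and a non-root passwd entry. The ":nonroot" tag runs
# the process as uid 65532 instead of root.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

Scan the final image with your SCA tool just as you scan the source: with nothing but the binary in it, the findings you see are your own dependencies, which is exactly the set the development team can act on.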

This approach aligns perfectly with the Shift-Left Security philosophy. It further embeds security considerations into the earliest stages of development and deployment, ensuring that your containers are not only functional but also fortified against potential threats.

Securing the Infrastructure, Shift-Left Style

Using a combination of advanced tools, we gained the ability to identify insecure configurations at every level of our infrastructure. We developed a DevOps pipeline that continuously scanned our Infrastructure as Code (IaC) and the live environment. By tracking any drift between the two, we established much tighter control, eliminating the need for manual configuration changes—often called “click ops.”

As we iterated on our IaC, it quickly became clear that we no longer needed direct user access to the environments. Removing Active Directory from the equation was a significant win; with the environment fully automated and auto-remediation reverting any drift, we could remove the largest single source of risk to any infrastructure: human error made directly in the environment.
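The drift check that makes this work is conceptually simple: diff what the IaC declares against what the account actually contains, alert on anything that exists only live, and generate the actions that bring the two back together. The script below is an added example, not the tooling or code used at Exact Payments. The security-group names, rule format and both inputs are constructed for illustration; in a real pipeline the declared side would come from your Terraform or CloudFormation state and the live side from an AWS describe call.

```python
"""IaC-versus-live drift check for security-group ingress rules (added example)."""

# What the IaC declares (constructed sample).
DECLARED = {
    "sg-web": [
        {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "port": 22, "cidr": "10.0.0.0/8"},
    ],
    "sg-db": [
        {"proto": "tcp", "port": 5432, "cidr": "10.0.0.0/8"},
    ],
}

# What the account actually contains (constructed sample). Port 22 has been
# opened to the world by hand in the console, and sg-db was never applied.
LIVE = {
    "sg-web": [
        {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "port": 22, "cidr": "10.0.0.0/8"},
        {"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"},
    ],
}


def rule_key(rule: dict) -> tuple:
    """Normalise a rule to a hashable key so rules compare by content."""
    return (rule["proto"], int(rule["port"]), rule["cidr"])


def drift(declared: dict, live: dict) -> dict:
    """Per group: rules present only live ("unmanaged", the click-ops changes)
    and rules present only in code ("unapplied", something never rolled out)."""
    report = {}
    for group in sorted(set(declared) | set(live)):
        want = {rule_key(r) for r in declared.get(group, [])}
        have = {rule_key(r) for r in live.get(group, [])}
        if want != have:
            report[group] = {"unmanaged": have - want, "unapplied": want - have}
    return report


def world_open(rule_keys) -> list:
    """Unmanaged rules reachable from anywhere warrant an alert, not just a diff line."""
    return sorted(k for k in rule_keys if k[2] in ("0.0.0.0/0", "::/0"))


def remediation_plan(declared: dict, live: dict) -> list:
    """Ordered actions that return the live state to what the IaC declares.
    Within each group, revoke before authorize so a bad apply never widens
    access even briefly. Revoking rules nobody declared is only safe because
    the IaC is the single source of truth and console changes are forbidden."""
    plan = []
    for group, d in drift(declared, live).items():
        plan += [("revoke", group, k) for k in sorted(d["unmanaged"])]
        plan += [("authorize", group, k) for k in sorted(d["unapplied"])]
    return plan


if __name__ == "__main__":
    for group, d in drift(DECLARED, LIVE).items():
        for k in world_open(d["unmanaged"]):
            print(f"ALERT {group}: world-open rule not in IaC: {k}")
    for action in remediation_plan(DECLARED, LIVE):
        print(*action)
```

Run on a schedule, the alert path is what tells you someone bypassed the pipeline, and the plan is what the auto-remediation step executes; once both run unattended, standing human access to the account is no longer needed for day-to-day operations.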

The final puzzle was managing AWS console users, which we addressed by integrating a federated directory. We chose a managed federated user directory provider to connect all our SaaS accounts, greatly simplifying the user experience. Additionally, this approach enhanced our security by leveraging advanced authentication technologies. By combining AWS Single Sign-On (SSO, now AWS IAM Identity Center) with our Identity Provider (IdP), we streamlined console and CLI access to the AWS environment with short-lived credentials instead of long-lived IAM user keys, further fortifying our infrastructure against potential threats.

This Shift-Left approach to securing our infrastructure reduced risks and made our operations more efficient and resilient. By embedding security into every layer, from code to deployment, we ensured that our environment remains secure, automated, and free from the vulnerabilities that human intervention often introduces.

Conclusion

After all the hard work and dedication, we’ve successfully built a model where security is the foundation of everything we do. Every action, every decision, and every day-to-day operation now starts with security at its core. Importantly, we’ve achieved this without hindering the features and capabilities that our customers rely on.

If we were to distill this approach into key pillars, they would be:

  • Comprehensive Training
  • Automated Software Vulnerability Scanning
  • Automated Infrastructure Vulnerability Scanning
  • Ongoing Remediation
  • Structured Development Life Cycles
  • Least Privilege Permissions
  • Multi-Factor Authentication Everywhere

At the heart of this strategy is the mindset that security is everyone’s responsibility. It’s crucial for your team to continually think about security and consider the risks that their actions could introduce. No security plan is perfect—it must always be revised, tested, and improved.

If there’s one key takeaway from this journey, it’s this: Start with security first. Integrating security from the beginning is far easier and more effective than trying to prioritize it later on. Making security a fundamental part of your process lays the groundwork for a more secure, resilient, and successful future.
