The security landscape is ever-changing. It is the most non-constant industry on the planet. New threats appear and new solutions are built to squash them. Rinse, repeat. It’s a never-ending cycle in what seems like no end in sight.
What’s the promised land? Can we ever reach an end-state where all software running across the world is secure and 100 percent free of breaches?
Nothing will ever be 100 percent breach free. But, that should not be our measure of success. Rather, our goals should be around ensuring that as new code is created, it has eyes and scrutiny by as many people and systems as possible without slowing down innovation.
As I wrote in an earlier article, shifting this process as far left as possible ensures the highest efficiency with the least energy. Once in the wild, an increasingly large amount of effort, time and capital is needed to detect, mitigate and address underlying security problems in your code.
And, because CIOs are spending 9/10th of their budgets on post-deployment (endpoint, firewalls, etc.), it is no surprise we see Equifax-sized meltdowns in the world pretty regularly now.
The vast amount of noise and data you have to sift through at that phase in the security life cycle almost guarantees you will miss threats. The key to success is hitting it early, when the noise is low. Shifting “left” is this philosophy and it is now gaining steam in the minds of DevOps leaders.