Gartner on the Need to “Shift Right” in Security

Over the next week or so, I’ll be sharing some insights and observations from last week’s Gartner security summit conference. We’ll explore key conference themes around how DevOps and Security can work better together, the role of ML and automation, and the major challenges still confronting security practitioners.

The infinite loop pictured here was a theme throughout many presentations. All visual models like this quickly become a little too complicated, but this vision of continuous security, with a constant feedback loop between the build/deploy phase and the runtime phase, really strikes a chord with us here at StackRox. We pioneered the full life cycle approach to container security, and only we built our platform specifically to leverage data, context, and findings in each phase to improve security in the other.

In his discussion on the state of application security, Ramon Krikken used this image to highlight the need for application security to be built in from the start, during the build and deploy phase of the software development life cycle.

Contrary to the common refrain to “shift left” and move more security back into build, Ramon advocated for a different approach. “We need to shift right with security,” he noted. He advocated continuing to apply build-phase tools such as vulnerability assessments, but he also noted that the “shift left” push has weighed on developers.

“Development is all about putting out secure code,” said Ramon. “Don’t burden the developers with anything other than producing secure code. The more you shift security right, the more you make security easier for developers.”

Ramon also highlighted the continuous nature of automation and correlation specifically within the Build and Deploy phase. We appreciate his focus on the tight process needed to get developers focused on the most critical tasks – our free risk assessment leverages these principles to give your developers a stack-ranked view of the most important risks to address before scaling deployment of your containers.

In future posts, we’ll discuss more on Gartner’s view on Continuous Security, the top security projects you should pursue this year, and the value of thinking like a hacker.