DevSecOps.... We Cyber Security Pros Love Rebranding!
I think it was 2013 when I first heard the term “shifting security to the left” in reference to coding applications. The premise is as true today as it was six years ago: it is cheaper to take the time to fix a problem while in development than to try to fix it post-production. However, it doesn't appear that much shifting has occurred. The attached article calls “shifting to the left” DevSecOps, but the meanings are the same.
I have dealt with several incidents where the root cause ended up being a non-patched application. After the dust settled, I would ask the coding teams: if we are an agile shop, why are there security vulnerabilities that aren’t being fixed for months, some for years? If you are not familiar with the Agile methodology, simply put, it is a faster way of coding applications, and if something breaks it’s easier to fix because there aren't multiple bureaucratic steps that have to be taken to get the job done.
However, when I would inquire about fixing vulnerabilities in applications, those same Agile teams would scream, “I can’t patch this vulnerability because it might break the application!” That always left me scratching my head because it just didn't make much sense. If it breaks, just fix it, right?
I don’t know; it seems we as Info/Cyber Security professionals are doomed to constantly talk about the same challenges we have been talking about for years. The frustrating part is that we have the answers to many of our questions, but we are still not having much luck shifting into gear.