Shift Left: Should You Push It or Pull It?

Oct 24, 2024

In cloud-native development, managing security across every phase of the development lifecycle is critical. Whether working with Dockerfiles, identity systems, microservices or serverless functions, each component presents security risks that must be addressed early.

Implementing code-to-cloud security ensures that every stage of development, from build to runtime, receives the necessary protection. The imperative is to mitigate risks that could otherwise lead to vulnerabilities post-release.

Navigating Key Security Tools

The journey begins with cloud security posture management (CSPM) and progresses to more comprehensive solutions like the cloud-native application protection platform (CNAPP). Other critical tools include:

While these tools integrate security into every stage of cloud-native applications, questions remain. Who’s responsible for shifting security left? Is it the domain of DevOps, SecOps or CloudOps?

Figure 1: A comprehensive view of the security lifecycle, starting with IaC scanning and progressing through runtime protection, demonstrating alignment between developers and operations teams.

Identifying Security Challenges in Cloud Deployments

Consider a containerized application deployed on a managed Kubernetes infrastructure through a cloud provider like AWS, Azure or Google Cloud. Developers traditionally focus on meeting functionality deadlines, often overlooking security until the testing or production phase. When vulnerabilities emerge at these late stages, fixing them becomes complicated, as microservices lack on-the-fly patching capabilities.

CloudOps teams address these issues by leveraging tools like CSPM, CWP and CDR. Developers adopt practices involving:

These tools allow teams to detect security gaps early. The challenge lies in aligning them across teams — making a strong case for shifting security left.

Shielding Left and Right

Figure 2 illustrates a containerized application running on an Amazon EKS cluster, exposing a service to the internet. The development team ensured security throughout the build process, shifting security left. After deploying the service, cloud security tools monitored for anomalies and zero-day vulnerabilities — a practice known as shielding right.

Figure 2: A cloud-native service deployed via Amazon EKS with a security-monitoring framework in place. Code-to-cloud security ensures smooth operation from the build phase to runtime monitoring.

Despite the precautions, a zero-day vulnerability emerged in production, exposing an endpoint to unauthorized access. Whether using agentless or agent-based approaches, the security team identified the attack path. The publicly exposed service was linked to a vulnerable package in the container image.

The discovery raises several pivotal questions:

  1. Is the service publicly accessible?
  2. Is the vulnerability already exploitable?
  3. Is a patch available?
  4. Which packages are impacted?
  5. Who relies on those packages?
  6. What version resolves the issue?
  7. How can the solution be communicated?
  8. What steps are required to apply the fix?
Figure 3: A vulnerability graph showing the relationship between an exposed service, its underlying package dependencies and associated risks.

Answering These Questions with Cloud to Code™ Visibility

With a single, integrated platform, security teams gain visibility across the entire software development lifecycle (SDLC). For example, questions about exposure and exploitability are resolved quickly.

Figure 4: A real-time view of an attack path, showing how security teams trace vulnerabilities from production back to their source code.

By prioritizing business-critical applications, teams can map cloud to code vulnerability traces. The method answers package-related questions and identifies dependencies, allowing for efficient remediation.

A deeper dive into the Dockerfile reveals that a Python dependency caused the issue. The platform pinpoints the exact repository, owner and the required version to resolve the problem.

Figure 5: Dockerfile analysis identifying the specific Python library responsible for the vulnerability and recommending a fix.
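The trace the article describes, from an exposed service back to the Dockerfile line that pins a vulnerable Python package and on to the fixed pin a pull request would carry, as an added illustration (not code from the article or from Prisma Cloud); the Dockerfile, advisory table and service inventory are constructed sample data, and the advisory has no real identifier.

```python
import re

# Constructed sample Dockerfile; not taken from the article or any real project.
DOCKERFILE = """FROM python:3.12-slim
WORKDIR /app
RUN pip install flask==2.2.0 requests==2.31.0 PyYAML==5.3.1
COPY . .
CMD ["python", "app.py"]
"""
# Constructed advisory table, package -> first fixed version. Placeholder data,
# not real advisory records; a real feed would carry an advisory ID per entry.
ADVISORIES = {"pyyaml": "5.4"}
# Constructed service inventory from the cloud side: which workloads run this
# image, whether each is internet-exposed, and which team owns its code.
SERVICES = {"web-api": {"public": True, "owner": "team-web"},
            "batch-worker": {"public": False, "owner": "team-data"}}
PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)")

def version_key(v):
    """Order dotted versions numerically; non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def find_pins(dockerfile):
    """Yield (line_no, package_name, version) for each pin on a pip install line."""
    for n, line in enumerate(dockerfile.splitlines(), 1):
        if "pip install" in line:
            for pkg, ver in PIN_RE.findall(line):
                yield n, pkg, ver

def trace(dockerfile, advisories=ADVISORIES, services=SERVICES):
    """Link each vulnerable pin to its Dockerfile line, exposed services and owners.

    This answers the questions in the list above: exposure, affected package,
    who depends on it, the resolving version and where the fix goes."""
    findings = []
    for n, pkg, ver in find_pins(dockerfile):
        fixed = advisories.get(pkg.lower())
        if fixed and version_key(ver) < version_key(fixed):
            findings.append({"package": pkg, "installed": ver, "fixed": fixed, "line": n,
                             "exposed": [s for s, m in services.items() if m["public"]],
                             "owners": sorted({m["owner"] for m in services.values()})})
    return findings

def propose_fix(dockerfile, findings):
    """Return the Dockerfile with each vulnerable pin bumped; this is the PR content."""
    for f in findings:
        dockerfile = dockerfile.replace(f"{f['package']}=={f['installed']}",
                                        f"{f['package']}=={f['fixed']}")
    return dockerfile
```

Running `trace(DOCKERFILE)` on the sample reports PyYAML 5.3.1 on Dockerfile line 3, used by the public `web-api` service, with 5.4 as the resolving version; `propose_fix` yields the patched file for the pull request.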

Streamlining Developer Communication

To fix the vulnerability, security teams submit a pull request to the developer responsible for the affected code. By avoiding disruptions or unnecessary meetings, this approach respects the developer’s workflow. "Pulling security left" ensures that security fixes integrate smoothly into the development process.

Figure 6: A pull request to the developer, communicating the required fix without interrupting workflows.

The Case for a Unified Security Platform

Using a unified security platform provides several advantages:

  • Full visibility across the SDLC
  • Tools for developers to prevent issues early
  • Production security monitoring to detect vulnerabilities post-release
  • Streamlined communication between security and development teams

Learn More

Prisma Cloud by Palo Alto Networks offers a solution that aligns with these goals. It boosts security outcomes, enhances developer productivity and encourages better collaboration across teams.

If you haven’t tried our Code to Cloud platform, we invite you to experience best-in-class security with a free 30-day Prisma Cloud trial.
