Shift Left in Security, but not too Left…

Waqar Ahmed
2 min read · Oct 5, 2021

Hear me out before bombarding me.
I am going to go out on a limb here. I love automation in security. Shifting left is one of the best things to happen to InfoSec in a long time. The idea of shifting left is that we do not evaluate security at the end of the product life-cycle; we do it at the beginning. This is perfect! Identifying threats in the design phase reduces cost, both in money and in person-hours. Threat modelling using techniques like STRIDE has helped a lot of organisations. All good so far.
You may ask, then, what is this security person complaining about? My thoughts, rather my isolated opinion, stem from the fact that security tools have an intrinsic problem with false positives. Anyone who has spent a day with security tools will tell you that this is the case.

So what happens when you push security tools, which output a lot of information, too far left? Your developers will now have to look into these security issues. Developers have to make a decision or, worse, get confused about what to do next. Should they tell the security team that there are a gazillion vulnerabilities? If they have not seen the output of a security scanner before, they might have a slight heart attack too.

Security folks evaluate the risk of a vulnerability. This is their job; if developers have to do this evaluation, we are asking too much of them. Developers can and should have access to the output of security tools, but please do not force them to evaluate that output as well.

Security tools output a lot of information; security folks declutter that information. It is our responsibility as security to ask developers to fix a certain element in their code only if there REALLY is an issue. Crying wolf too many times will just lower the confidence Developers and Ops teams have in you. They will not listen to you if you are creating a story for every “vulnerability” identified by whatever security scanner you are using in your organisation.

Make it clear to developers that they do not have to start working on every vulnerability identified by security scanners. Educate them on how security tools identify malicious behaviour and why it is hard to get right. Let them know that the security team will create stories after removing the noise from the output of security tools.

TL;DR: Apply the shift-left paradigm to information security in your organisation. Let developers have access to the output of security tools, but do not force developers to evaluate risk themselves. Ask security teams to declutter the output of security tools and then feed it to developers for action.
