Google Cloud's study of 31,000 tech pros shows how working smarter and addressing burnout makes for better cybersecurity and higher productivity

  • Google Cloud and the cybersecurity company Capsule8 published a new report on cybersecurity and development practices of over 31,000 professionals.
  • Within Google Cloud and the tech industry, more developer teams are "shifting left," which means they're incorporating security checks earlier in the process, and fixing issues as they write the code.
  • Not only does it make for more secure software, the research says, it also frees up the developer's time, because they don't have to go through at the end and patch up security flaws and vulnerabilities.
  • Dr. Nicole Forsgren, who works in research and strategy at Google Cloud, also says that burnout plays a surprisingly large role in cybersecurity: A burnt-out security team makes more mistakes and misses more issues, so it's important to address.

Before, security was the last thing on app developers' minds.

But increasingly, developers are "shifting left," says Dr. Nicole Forsgren, who works in research and strategy at Google Cloud, meaning that developers are thinking about securing their apps much earlier in the process. In other words, developers are starting to test for security requirements and scan for vulnerabilities as they create, not after.

The term, she says, comes from thinking about the process of software development as a straight line, starting from the left and moving to the right. Traditionally, security starts further down the line, towards the right side. But it's "shifting left," in her terminology, to be closer to the start.

That philosophy is on display not only at Google Cloud itself, Forsgren said, but increasingly in the industry at large as well.

To prove it, Forsgren points to a report that Google Cloud first published in August, in collaboration with the cybersecurity company Capsule8, with data from over 31,000 professionals worldwide about their security and development practices.

Six years of research

Forsgren says this report was the culmination of six years of research, starting when she was the founder and CEO of a firm called DevOps Research and Assessment (DORA). Google originally partnered with DORA to better understand the field of DevOps, a philosophy of combining development and operations to deliver more software faster. Google Cloud acquired DORA in December, bringing some of the top DevOps experts under its umbrella.

Her research shows that rather than having separate security and developer teams, security needs to be better incorporated into the development process, Forsgren says. "Shifting left" includes creating security-based tests and inviting information security professionals to demonstrations of their software early on.

"I'm really excited to see how many more organizations, not enough but many of them, are starting to integrate security better into the process," Forsgren told Business Insider. "Security is super important. We just don't have enough security professionals. If we can embrace what's happening there, there's fantastic potential."

The benefit of shifting left is that developers don't have to spend as much time fixing security bugs once the code is close to finished, because they already addressed them earlier. It means being able to get back to coding new features and products, rather than fixing flaws and vulnerabilities.

"This whole shifting left is really about reducing costs," Maya Kaczorowski, product manager at Google, told Business Insider. "If I can fix something before it ends up in production, it saves me time if it were to breach. It saves me time figuring out where I was affected. There's a very clear business case to why I want to do this earlier."

Thinking with a 'security mindset'

Employees can improve the development process at their company by helping teach the rest of their organization to think with a "security mindset," says Kelly Shortridge, vice president of product strategy at Capsule8.

"We should bake security into everything the organization does," Shortridge told Business Insider. "If we keep treating security as this arcane mystical art, we shouldn't be surprised when an organization doesn't embed security into these processes."

For example, she says, companies should think from the attacker's point of view when securing their software. Most likely, she says, attackers will try to find the easiest and cheapest way to engineer an attack, such as phishing, where an attacker pretends to be a bank, IT manager, or other trusted figure in order to get passwords and personal information.

Shortridge predicts that in the future, the industry will see a "dismantling of the traditional security team." She says that rather than having separate security teams that reach out to engineering teams, these teams will join together.

"One problem security has a lot of the time is there's this notion you're going to meet a perfect state of pure security and sit on a mountain and gaze on it from above and everything will be alright, but that's just a fantasy," Shortridge said.

Preventing burnout

Improving cybersecurity also has a cultural aspect, Forsgren says. Google Cloud itself is working on improving productivity by improving work-life balance and preventing burnout.

Her research also shows that burnout plays a surprisingly large role in cybersecurity: A burnt-out developer, or security specialist, makes more mistakes that can lead to more problems down the line. Therefore, her study recommends that security organizations make sure their members practice self-care and otherwise do what they can to take some of the burden of guarding often-critical software off their backs.

"What it really means is finding this great workflow," Forsgren said. "I'm sure we've seen this. We can get complex tasks done. The opposite is we seem to be busy all day long and you get nothing done."

This includes making security tools easier to use and making information about security more accessible so that employees can be more productive, Shortridge says.

One example she's seen is having bots set up on the Slack chat app, which employees can use to ask about security policies, meaning the security team can spend less time answering the same questions over and over.

She also says employees can burn out from tasks like managing security configurations and maintaining documentation.

"Overall it's a lot of headaches and that contributes to burnout," Shortridge said. "Anything that can help analysts feel more productive, having to fight fewer fires, feeling less like they have the whole weight of the world on their shoulders can help alleviate burnout, which could be a fantastic thing for the industry."
