Shift Left Meets Developer First
April 04, 2022

Dotan Nahum
Check Point Software Technologies

Those of us in the software world know that typical Software Development Lifecycles (SDLC) are sequential — not to be confused with linear. In other words, there are "steps" or phases to each development stage. With each stage there are controls and safeguards, as well as a review of policy regulations, before moving to the next step to ensure quality, security, and performance.

This is important, because if a certain control is done too late in the cycle, the resources wasted backtracking to remediate errors can be extreme — sometimes in the order of 10x when compared to the resources spent detecting errors in advance.

For this reason, it makes sense for organizations to shift-left any and all development processes it can, while also making it technologically feasible. The market has already shown these movements, and technological advancements are currently in place to shift-left for monitoring and testing from a quality perspective. It is only recently, however, that we're also seeing the same directional change for security.

Organizations, not surprisingly, are once again looking for technological advancements that will allow them to shift-left security. This would include the ability to execute security policies in code or during build time, and for security engines that are smarter and more effective when looking at source code.

The challenge is that not all tools and processes work in a shift-left world. Tools and processes that were created "in the right" side of the process are often built purely for production environments, relying on central processing and management, and have security oriented professionals operating it rather than developers. While many security tools try to shift-left, they fail to do so in a complete, seamless manner; often the integrations are clunky, or the tool only partially solves the shift-left intent early in the SDLC. This is where the concept of "developer first" plays a role.

Developer first means the tool or process was built from the ground up with developer input from inception. It takes into account tool properties and attributes such as speed and integration with developer tools first rather than production tooling.

For instance, developers typically require tooling to run on a multitude of development environments, from OS to virtualization, and to container platforms such as Docker, Kubernetes and their respective ecosystems, such as Helm and others. These developer-first tools must act as a guide or "advisor" with just-in-time coding information and insights. They must also be very informative in the continuous integration build process, which requires faster analysis and feedback cycle and specific formats of reports to support. Configuration and pluggability must be made throughout the command line, APIs, and local configuration, which helps streamline into the SDLC rather than a central management system and UI.

Being a first-class citizen in security as code (SaC) is important, and developer-first security tools are built from the ground up to understand security policies that are co-located with code. They also configure and execute locally to a specific SDLC pipeline or to all pipelines in the organization, providing a high degree of freedom for the practitioner for refining results, policies, and rules as they code. In order to function correctly, developer-first security tools must be implemented properly. Likewise, it's crucial to pick the right tool when going for a shift-left process.

Once again when it comes to shifting left, we've witnessed similar movements in the worlds of testing and monitoring tools. It started with Selenium and JMeter, which were completely "shift-right" tools that shifted left successfully, but ultimately did not have the developer experience and the ability to move fast with the developer. Consequently, these tools were quickly superseded and taken by a storm of others such as Puppeteer and Cypress which are great developer-first testing and monitoring automation tools.

When looking to shift-left security, it is important to understand these nuances in order to better protect your environments and to create frictionless experiences for your developers. Additionally, organizations should make it a best-practice getting your development and security teams working together at the outset of any SDLC.

Dotan Nahum is Head of Developer-First Security at Check Point Software Technologies
Share this

Industry News

December 19, 2024

Check Point® Software Technologies Ltd. has been recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP).

December 19, 2024

Progress announced its partnership with the American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession.

December 18, 2024

Kurrent announced $12 million in funding, its rebrand from Event Store and the official launch of Kurrent Enterprise Edition, now commercially available.

December 18, 2024

Blitzy announced the launch of the Blitzy Platform, a category-defining agentic platform that accelerates software development for enterprises by autonomously batch building up to 80% of software applications.

December 17, 2024

Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.

December 17, 2024

Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.

December 17, 2024

Kindo formally launched its channel partner program.

December 16, 2024

Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.

December 16, 2024

Fastly announced the general availability of Fastly AI Accelerator.

December 12, 2024

Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.

December 12, 2024

vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.

December 11, 2024

CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.

December 11, 2024

Grid Dynamics announced the launch of its developer portal.

December 10, 2024

LTIMindtree announced a strategic partnership with GitHub.