Shift left is gaining a foothold in security discussions today. It refers to a software development approach that focuses on incorporating security measures and testing early in the development process. The goal of shift left security is to identify and fix security vulnerabilities as early as possible in the development cycle, rather than waiting until later stages when it may be more difficult and costly to fix them.
The key principles of shift left, however, can be applied to more than just software development. In this post, we’ll examine how you can apply shift left methodologies to your IoT security practices including asset identification, continuous monitoring, cultural transformations, and automated workflows. Organizations that successfully implement these principles can achieve increased security at lower costs.
Just as shifting left encourages finding vulnerabilities as early as possible in the development process, companies managing a fleet of IoT/OT devices can start by taking stock of what assets exist within the organization. Most organizations won't have access to the code base of every device, as shift left originally assumes, but shift left principles still lead to better processes for onboarding new devices and for tracking them once they are on the network. Creating a comprehensive profile of every device, including location and ownership data, is one way to build security into a device's life cycle from the start. Documenting this information early helps surface existing and future vulnerabilities and reduces the time it takes to remediate issues down the road.
Shifting left calls for continuous testing of the codebase to catch how a change to one part of the code may open up weaknesses in another. Similarly, building a culture of IoT/OT security requires continuous monitoring of the network. It helps to establish a baseline of network behavior: what normal looks like for each device, and which periods see more activity and which less. With that baseline in place, a new device coming online or a change in a device's activity stands out quickly and can be investigated and contained before it turns into an incident.
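The two ideas above, an inventory captured at onboarding and a per-device activity baseline, fit together naturally: the inventory defines which devices are expected, and the baseline defines what each of them normally does. The following is an added example, not code from the original post, showing one minimal way to implement both. Every device, MAC address, flow record and threshold in it is constructed for illustration, and the choice of bytes-per-hour as the measured quantity is an assumption; a real deployment would pull flows from a network sensor and learn over weeks rather than three days.

```python
# Added example: a minimal IoT/OT device inventory plus a per-device activity
# baseline. Not code from the original post; every device, MAC, flow record and
# threshold below is constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Device:
    mac: str
    name: str
    location: str
    owner: str  # team accountable for the device, which is not always "security"


# Inventory captured at onboarding: what the device is, where it sits, who owns it.
INVENTORY = {
    d.mac: d
    for d in (
        Device("00:11:22:33:44:55", "HVAC controller", "Building 2 / roof", "facilities"),
        Device("66:77:88:99:aa:bb", "Infusion pump 12", "Ward 3B", "clinical engineering"),
    )
}

# Constructed learning-period flow records: (day, hour, src_mac, bytes sent).
BASELINE_FLOWS = [
    (1, 9, "00:11:22:33:44:55", 1000), (2, 9, "00:11:22:33:44:55", 1100), (3, 9, "00:11:22:33:44:55", 900),
    (1, 9, "66:77:88:99:aa:bb", 500),  (2, 9, "66:77:88:99:aa:bb", 520),  (3, 9, "66:77:88:99:aa:bb", 480),
]

# Constructed records from a later day, to be checked against the baseline.
NEW_FLOWS = [
    (4, 9, "00:11:22:33:44:55", 1050),  # within the HVAC controller's normal range
    (4, 9, "66:77:88:99:aa:bb", 6000),  # far above the pump's normal volume
    (4, 3, "00:11:22:33:44:55", 800),   # HVAC talking at an hour it never has before
    (4, 9, "de:ad:be:ef:00:01", 300),   # MAC that was never onboarded
]


def build_baseline(flows):
    """Mean and population stdev of bytes per (mac, hour) over the learning period."""
    buckets = defaultdict(list)
    for _day, hour, mac, nbytes in flows:
        buckets[(mac, hour)].append(nbytes)
    return {key: (mean(vals), pstdev(vals)) for key, vals in buckets.items()}


def check_flows(flows, baseline, inventory, sigma=3.0, floor_ratio=0.1):
    """Return (mac, owner, reason) findings for anything the baseline does not explain.

    A device that is not in the inventory is a finding on its own. For known
    devices, activity at an hour with no baseline is flagged, as is a volume
    that departs from the learned mean by more than sigma standard deviations.
    floor_ratio keeps a tiny stdev (short learning period) from flagging noise.
    """
    findings = []
    for _day, hour, mac, nbytes in flows:
        dev = inventory.get(mac)
        if dev is None:
            findings.append((mac, None, "unknown device: not in inventory"))
            continue
        stats = baseline.get((mac, hour))
        if stats is None:
            findings.append((mac, dev.owner, f"no baseline for hour {hour:02d}"))
            continue
        mu, sd = stats
        tolerance = max(sigma * sd, floor_ratio * mu)
        if abs(nbytes - mu) > tolerance:
            findings.append((mac, dev.owner, f"{nbytes} bytes vs baseline {mu:.0f}+/-{sd:.0f}"))
    return findings


def run_example():
    """Check the constructed NEW_FLOWS against a baseline learned from BASELINE_FLOWS."""
    return check_flows(NEW_FLOWS, build_baseline(BASELINE_FLOWS), INVENTORY)


if __name__ == "__main__":
    for mac, owner, reason in run_example():
        print(f"{mac}  owner={owner or '-'}  {reason}")
```

Each finding carries the owner recorded at onboarding, so the alert can be routed to facilities or clinical engineering rather than landing on the security team alone. The unknown MAC is the onboarding gap the inventory is meant to close: either the device should be profiled and added, or it should not be on the network.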
In software development, shift left is a cultural change that requires development and security teams to be in direct communication with each other. Similarly, for IoT/OT devices there is a growing need for stronger cross-functional collaboration between security and non-security stakeholders such as IT, physical security, maintenance, and clinical engineering. Expertise and contributions from these departments paint a clearer picture of the devices on an organization's network and ease the burden on security teams. Just as an organization avoids future costs when a developer patches a vulnerability before the product ships, a facilities team can reduce the security risk of a building automation system by changing its default passwords.
Shift left security originally refers to integrating security measures and testing earlier in the software development process, rather than waiting until later stages or until after the software has been deployed. For IoT/OT, the same approach means integrating visibility, monitoring, and cross-organization processes into the day-to-day management of devices. Organizations that do so can significantly reduce the cost and impact of security breaches and improve their overall efficiency.