Don’t Just Shift Left! Extend Right with Infra as Code

What’s left to say about Shift Left? Making informed decisions earlier in the development process has clear benefits, enabling organizations to reduce re-work, improve security, and ultimately deliver faster. It also helps to protect brand integrity by addressing security issues before they reach production. This moves the Shift Left approach beyond the realm of Security into a business enabler.

But there has been an element missing from the discussion: you can “extend right” by incorporating Infra as Code into your process in order to make smarter, more contextual decisions earlier in the development process. Infra as code has transformed the way DevOps teams manage changes to infrastructure. By processing these changes as code, you can increase automation and agility – and improve security at the same time.

When making risk-based decisions, context is everything. The more context we have, the more informed decisions we can make. While the focus of much of the DevSecOps movement has been to shift decision-making earlier in the SDLC, there hasn’t been enough discussion about the types of information that can be shifted left.

Think of a “Product” Comprehensively

A “product” is not just a collection of code. The risk of a cloud/SaaS product also includes:

• Cloud configuration settings (e.g., AWS, Azure, GCP)
• API Gateway settings (e.g., Azure API Management, Apigee, Nginx Controller)
• Cloud Identity settings (e.g., Azure AD, Okta)

Even in the case of non-SaaS applications, there is always a distribution method, with its own unique characteristics and risks (how many of you actually do MD5 checksum verification when you download software from the Internet?) There is also an environment in which the product is run, from Windows servers to virtual machines to containers. No matter what the product is, its risk profile needs to include information from design to code to production (these days, usually cloud). But let’s focus on SaaS applications:

The Shift Left Benefits of Infrastructure as Code

There are two ways that we can “extend right”:

1. API connections to production/cloud services
2. Infrastructure as Code

There are significant benefits to the second, IaC-based approach. While API connections enable us to make better decisions about code changes based on production settings, IaC also allows us to make better decisions about the infrastructure before they become production settings! You can evaluate infrastructure configurations at the commit to develop branch or at pull request and analyze the risk of the change in the context of the entire application.

Think about it this way: shifting information about the infrastructure left using APIs allows you to make more informed decisions about code changes. But IaC enables you to use your understanding of code to contextually understand the risk of infrastructure changes!

The Rise of “Product Security”

One change we have seen that illustrates the shift to thinking about security more holistically is the rise of the “Product Security” title. This role encompasses not only applications themselves but recognizes that applications do not exist in a vacuum. There are many elements that are part of a product’s security and practitioners need to think broadly about the risk.

It is crucial that we help Product Security practitioners by giving them the information they need to make decisions on product-risk. This means not only shifting left but extending right – and making the most of IaC is how you can maximize the value of a contextual, risk-based approach to security.