Ask these questions to secure early

This blog post is where I remember first reading about the concept of shifting security left. "Shifting left" or "pushing left" means integrating security early in the development process. This saves time because code doesn't have to be remediated later on after a security review.

One lightweight way I've found of integrating security into the conversation is by asking questions about two topics: data and access.

Story writing

When writing stories or units of work, ask:

  • Is there DATA that needs to be protected?
  • Is there ACCESS that needs to be protected?

It might be that a story or piece of work involves both, only one, or neither of these, but by intentionally asking the questions you ensure that data and access are being considered and addressed.

Kickoff

A ritual where the pair working on the story and some other members of the team - sometimes teams require QA to be there, sometimes it's just a third member of the team - ensure that there's a mutual understanding of the work that needs to be done and what the criteria are for deeming the work complete.

In this conversation, ask one or both of these questions as they apply to the work:

  • How WILL we protect the data?
  • How WILL we protect access?

Desk check

A ritual where the pair that worked on the story, the QA, and possibly other members of the team - sometimes teams ask that other stakeholders be included - walk through the work to make sure the acceptance criteria are met.

This includes answering the questions as they apply to the work:

  • How DID we protect the data?
  • How DID we protect access?

Shift left vs secure early

I've chosen the language "secure early" because shifting left or pushing left assumes a left to right reading directionality. Absolutely no shade meant, it's just something that crossed my mind and I wanted to choose a phrase that would apply regardless of directionality.

[Graphic: software phases (story writing, kickoff, desk check) and the questions to ask at each, as described above; available in a greyscale (mostly) version and a light, more printer-friendly version]

As always, questions, comments, concerns, feedback, hit me up on Twitter.