In this Help Net Security video, Jacob Garrison, Security Researcher at Bionic, explains the limitations of shifting left in application security.
Key factors that limit the effectiveness of shifting left:
- Achieving 50%+ application test coverage is unrealistic, especially in microservices environments that span hundreds of codebases.
- Security tests are resource-intensive and slow, creating bottlenecks in CI/CD pipelines; running the full test suite on every code change rarely happens in practice.
- High false-positive rates and the sheer volume of findings overwhelm engineers, who often end up ignoring them.
- Security tests examine specific components of code rather than the application architecture as a whole, so they miss risks arising from dependencies, data flows, and environment and application configuration.
- Not all application code and configuration changes pass through the CI/CD pipeline. Hotfixes and patches, for example, are often applied as on-the-fly configuration changes directly in the environment, where pre-production tests never see them.
- Production environments cannot be faithfully reproduced in pre-production, so tests run before deployment do not reflect the conditions the application actually runs under.