Software-as-a-Service, or moving on-premises software to the cloud, is a big trend in technology. But this trend raises security concerns.
Information security and DevOps teams are always looking for ways to tighten software security so that breaking in is too much trouble for hackers.
Kuali teams subscribe to the philosophy of “shifting left.” The term refers to the step-by-step process of software development and testing: security testing is included earlier in that process, or moved to the left on the project timeline.
In the same way that Kuali designs software with integration and APIs in mind, we design software with security in mind, not as something we tack on at the end of a project. There are several advantages to approaching software security in this way. Here are three main benefits of shifting left.
We pride ourselves on our ability to be nimble and proactively add new features as well as respond to changes in regulations and other needs. This means we don’t do large updates on a schedule, such as once or twice a year.
Incorporating security early in the development and testing phases allows for better continuous delivery, which is the ability to get changes such as new features, configuration changes, bug fixes and experiments into production, or into the hands of users. Because security is top of mind during the development process, our security team has already seen the code and been involved from the beginning by the time new pieces are ready for deployment, so there aren’t going to be huge security gaps.
Time is one of any organization’s resources. We’re all looking for ways to keep quality high but reduce the time it takes to get there. And development teams who shift left can do just that. In “Accelerate,” authors Nicole Forsgren, PhD, Jez Humble, and Gene Kim looked at years of research and found that high performers spent 50% less time correcting security issues.
At Kuali, we make security a high priority throughout the development process. Our products deal with highly sensitive information by way of research projects, student information, and other data, so we want to make sure that our systems have security built in from the very beginning of the project, and not added as an afterthought later. This is much like our approach to integration and APIs. With proposals to tighten data security at institutions of higher education as it relates to disbursing financial aid, it’s something that is important on a number of levels.
Doing it right the first time
Shifting left has a lot to do with developing software right the first time. When software developers and information security teams work together throughout the process, there is less of a chance that major architectural issues are discovered in the space between completion and go-live, because developers have a better sense of what security is going to require.
The analyst firm Gartner has said that 70% of security vulnerabilities are at the application layer and not the network layer. When developing software, it’s important to make security considerations a requirement in the various stages of development.
The previously mentioned “Accelerate” suggests that security teams give development teams the tools they need to build security measures into the software as they develop it, rather than doing security reviews at the end. This allows developers to expand their security knowledge and their collaboration with the security team, so they do the right thing the first time and do not rely on holes being caught just before deployment.
Considering these benefits to Shifting Left—better continuous delivery, saving time, and cross-training—Kuali takes this approach as we work with our client communities to develop and advance our products for higher education.