
Shift Everywhere Security: The Power of Distributed Accountability

“As an SRE, I believe that the future of enterprise security is not about shifting everything to the left, but about being everywhere at once. This article discusses how enterprises can adopt this necessary approach to security and why SREs are so critical to its success.”
By Amir Khawaja
November 05, 2025

For years, the technology industry has championed the "shift-left" approach to software development. As a Director at Discover who owns the Site Reliability Engineering discipline, I believe that enterprises need to move beyond the “shift left” approach to security. Instead, they must consider how to create cultures and technology practices where security is embedded in every step of the software development process.

Learn how current technology stacks and technology cultures will need to change to embrace a “security everywhere” approach and why SREs are primed to help that happen.

Security in the Tech Stack

Security looks different at each layer of the tech stack. For example, at the architecture layer, security is about designing protections against threats that compromise the integrity of your systems, data, or inter-system communication. At the software engineering layer, security is often about protecting against injection, spoofing, vulnerabilities in the supply chain, or experiential concerns. At the infrastructure layer, security focuses on protecting assets, patching vulnerabilities, or maintaining zero trust between systems.

Enterprises need people who can see across the various layers of the tech stack and understand how to embed security across all of them.

Enter Site Reliability Engineers (SRE).

Why SREs are Integral to Enterprise Security

Engineers who focus on operations continually think about production and have the engineering knowledge and skills to support the dynamic nature of production. They take data from production and focus on the fundamentals: reliability, resiliency, monitoring, logging, alerting, and reporting. SREs who have the skills to think about their application estate through the lens of security enhance the security posture of the enterprise.

The SRE can help product teams identify opportunities to improve the security posture of their applications, no matter where in the tech stack their applications sit. The SRE's awareness of the production environment, the change schedule, and pending vulnerability patching helps them add value to the operational readiness of critical products.

By focusing the SRE skill set to incorporate security, product teams can understand earlier how their design decisions will affect security. I like to think of this as "distributed accountability": ensuring that every product team is learning about and understanding security as they build their product. Teams will understand that there is more to security than patching servers and upgrading dependencies in the software bill of materials (SBOM). It's also about improving the efficiency and effectiveness of security practices.

Enterprises that are already invested in Site Reliability Engineering (SRE) have a clear pathway to making security everyone’s concern.

Shift-Everywhere Success

When thinking about shift-everywhere security, three key areas to focus on include:

  • Context-aware security: Integrated development environments (IDEs) today support plugins that can analyze code bases and catch issues early. These plugins can also scan for vulnerable dependencies and make changes to the versions used. This inevitably means broken tests. IDEs that are Gen AI-enabled can also help by scanning code bases and suggesting changes to existing functions, rewriting tests, or adding new tests that might be missing.
  • Automated pipelines: CI/CD pipelines are becoming commonplace. Leveraging the pipeline to include additional security testing makes the process invisible to the developers while providing comprehensive coverage. SREs can add tremendous value here with their skill.
  • Continuous learning loops: To get better, feedback loops must be present. Teams will learn faster when the risk in their work is made visible immediately. Whether it is a runtime alert from a scan or an automated script that provides security guardrails, bring this information to the attention of product teams quickly so they can improve their development practices.

Leading the Cultural Shift

The shift-everywhere mindset invites teams to incorporate security into their workflow without requiring everyone to become a security expert or product teams to add more tools to their toolbox. The mindset creates an environment where security concerns are part of the team culture.

Security has a reputation for slowing down software developers. This does not have to be the case. When velocity is measured alongside vulnerability reduction, and developers care about production security metrics, that is a clue that we are building the right culture.

The most secure organizations aren't defined by the number or complexity of their tools, but by how they integrate security throughout their code.

©2025 Discover, a division of Capital One, N.A. Opinions are those of the individual author. Unless noted otherwise in this post, Discover is not affiliated with, nor endorsed by, any of the companies mentioned. All trademarks and other intellectual property used or displayed are property of their respective owners
