Shift Left Security

What is Shift Left?

Shift Left is an approach that moves testing and security measures to the early stages (left side) of the Software Development Life Cycle (SDLC).

In traditional waterfall development, security diagnostics and testing were performed at the end of the development process (just before release). However, if critical vulnerabilities are found at this stage, the cost of rework is high and can significantly delay release.

In Shift Left, security is considered from the design and coding stages, and continuous checks are performed to achieve "cheaper," "faster," and "safer" software development.

Practical Implementation in Each Tech Stack

Below are specific examples of implementing Shift Left in a development environment using .NET, Azure, Terraform, GitHub Workflow, and Angular.

1. GitHub Workflow (CI/CD)

Leverage GitHub Actions to automatically run security checks on every pull request or push.

  • Secret Scanning: Prevents private keys and tokens from being committed to the repository.
  • Dependency Review: Prevents the inclusion of libraries with known vulnerabilities.

.github/workflows/security-scan.yml
name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Dependency vulnerability check (only meaningful on pull requests,
      # where there is a base ref to diff against)
      - name: Dependency Review
        if: github.event_name == 'pull_request'
        uses: actions/dependency-review-action@v4

      # Comprehensive scan using Trivy (filesystem, containers, misconfigurations).
      # In production, pin the action to a release tag or commit SHA instead of a moving branch.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'table'
          severity: 'CRITICAL,HIGH'
          # Without a non-zero exit code the step only reports and never blocks the PR
          exit-code: '1'

2. .NET (Backend)

In .NET development, focus on NuGet package vulnerability management and code analysis.

  • NuGet Audit: Available in .NET 8+, warns about packages with known vulnerabilities during dotnet restore.
  • Roslyn Analyzers: Detects code quality and security issues in real-time.

Project File (.csproj) Configuration:

YourProject.csproj
<PropertyGroup>
  <!-- Enable NuGet Audit (enabled by default but can be explicit) -->
  <NuGetAudit>true</NuGetAudit>
  <!-- Report advisories of moderate severity and above -->
  <NuGetAuditLevel>moderate</NuGetAuditLevel>

  <!-- Enforce security code analysis during build -->
  <AnalysisMode>All</AnalysisMode>
  <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>

3. Angular (Frontend)

For the frontend, managing npm packages and preventing vulnerabilities such as XSS (Cross-Site Scripting) is crucial.

  • npm audit: Checks dependency packages for known vulnerabilities.
  • ESLint: Adds security rules that flag dangerous coding patterns.

Example execution in CI pipeline:

# Fail the build if there are high or critical vulnerabilities
npm audit --audit-level=high

# Run Lint including security plugins
npm run lint

ESLint Configuration (.eslintrc.json) Example: Introduce plugins like eslint-plugin-security.

{
  "plugins": ["security"],
  "extends": ["plugin:security/recommended"],
  "rules": {
    "security/detect-object-injection": "warn"
  }
}

4. Terraform (IaC)

Infrastructure as Code (IaC) can also contain vulnerabilities or misconfigurations. Perform static analysis before deployment.

  • Trivy / tfsec / Checkov: Detects violations of best practices in Terraform code (e.g., S3 buckets being public, encryption disabled). Checkov supports many compliance benchmarks (CIS, SOC 2, etc.).

Execution locally or in CI:

# Scan Terraform misconfigurations using Trivy
trivy config ./terraform

# Scan using Checkov
checkov -d ./terraform

Terraform Code Fix Example:

# ❌ Bad Example: Allowing public access to storage account
# (other required arguments such as name, resource_group_name, location,
#  account_tier and account_replication_type are omitted for brevity)
resource "azurerm_storage_account" "example" {
  public_network_access_enabled = true # Security Risk
}

# ✅ Fixed: access only via private endpoints or explicitly allowed networks
resource "azurerm_storage_account" "example" {
  public_network_access_enabled = false
}

5. Azure (Cloud Environment)

Rather than only auditing resources after deployment, use deployment policies to prevent unsafe resources from being created in the first place.

  • Azure Policy: Enforces resource creation rules (e.g., HTTPS only, specific allowed regions).
  • Microsoft Defender for Cloud: Integrates with DevOps to visualize IaC template security issues in a dashboard.

Azure Policy Application Concept (Bicep/ARM):

// Applying a built-in policy definition at subscription scope
// (e.g. to allow only specific SKUs, audit unmanaged disks, etc.)
targetScope = 'subscription'

resource policyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: 'audit-vm-manageddisks'
  properties: {
    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
    displayName: 'Audit VMs that do not use managed disks'
  }
}

Summary

Implementing Shift Left Security involves not just introducing tools, but embedding them into the development flow.

  1. IDE (VS Code): Notice issues while coding with linters and plugins.
  2. Pre-commit: Automatically check before committing.
  3. CI (GitHub Actions): Block issues at the Pull Request stage.
  4. CD: Run IaC scans before deployment.

By combining these, you can maintain a high security level without sacrificing development speed.
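Step 2 above (pre-commit) is the one stage this article does not show in code. The following git pre-commit hook is an added example, not part of the original article: it maps the staged files to the checks described in the sections above (NuGet Audit via dotnet restore, npm audit, Trivy on the IaC directory) and blocks the commit if a check fails. The `./terraform` path, the hook file name and the helper names are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-commit hook (added example). Install with:
#   cp pre-commit .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit

# add_check NAME: append NAME to $checks unless it is already listed.
add_check() {
  case " $checks " in
    *" $1 "*) ;;                               # already selected
    *) checks="${checks:+$checks }$1" ;;
  esac
}

# select_checks FILE...: print the space-separated, de-duplicated set of
# checks (nuget, npm, iac) that the staged file paths make relevant.
select_checks() {
  checks=""
  for f in "$@"; do
    case "$f" in
      *.csproj|*packages.lock.json|*Directory.Packages.props) add_check nuget ;;
      *package.json|*package-lock.json)                        add_check npm ;;
      *.tf|*.tfvars|*.bicep)                                   add_check iac ;;
    esac
  done
  printf '%s\n' "$checks"
}

# run_check NAME: run the scanner for one check. A missing tool is skipped
# (exit 0) so the hook never blocks commits on a machine without the toolchain.
run_check() {
  case "$1" in
    # NuGet Audit warnings surface during restore; with TreatWarningsAsErrors
    # in the .csproj they fail the restore and therefore the commit.
    nuget) if command -v dotnet >/dev/null; then dotnet restore; fi ;;
    npm)   if command -v npm >/dev/null; then npm audit --audit-level=high; fi ;;
    # --exit-code 1 makes Trivy fail on findings instead of only reporting them
    iac)   if command -v trivy >/dev/null; then trivy config --exit-code 1 ./terraform; fi ;;
  esac
}

main() {
  staged=$(git diff --cached --name-only --diff-filter=ACMR)
  [ -n "$staged" ] || exit 0
  for c in $(select_checks $staged); do
    echo "pre-commit: running $c check"
    run_check "$c" || { echo "pre-commit: $c check failed; commit blocked" >&2; exit 1; }
  done
}

# Only act as a hook when git invokes this file under its hook name.
case "${0##*/}" in pre-commit) main ;; esac
```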