Shift left to provide security and compliance visibility from development to runtime


From a DevOps.com blog we are reminded, “The term ‘shift left’ refers to a practice in software development in which teams focus on quality, work on problem prevention instead of detection, and begin testing earlier than ever before. The goal is to increase quality, shorten long test cycles and reduce the possibility of unpleasant surprises at the end of the development cycle—or, worse, in production.

Shifting left requires two key DevOps practices: continuous testing and continuous deployment. Continuous testing involves automating tests and running those tests as early and often as possible, along with service virtualization to mimic unavailable systems. Continuous deployment automates the provisioning and deployment of new builds, enabling continuous testing to happen quickly and efficiently.”

Lacework® recently announced the addition of build-time security capabilities to complement their existing run-time platform for cloud, container, and hybrid environments. With this update, the Lacework Complete Security Platform will “shift left” to provide complete security and compliance visibility across the entirety of an enterprise’s infrastructure footprint — from development to runtime, and for cloud, container, bare metal, and hybrid environments.

Brilliance Security Magazine talked with Dan Hubbard, CEO of Lacework, to discover more about how their updated capabilities push security integration further into the development/delivery lifecycle.

Dan told us, “We are a cloud security company that is focused on securing your infrastructure as it moves to the cloud. If you think of CIOs and CISOs in large companies and middle-sized companies, what they are really struggling with is this new world order where they don’t necessarily own the equipment and the network and the physical assets in the public cloud. It’s all owned by the provider. There is something called the shared responsibility model, which essentially means that the provider, whether it’s Amazon, Microsoft, or Google, owns everything that has to do with the physical security access, the physical hardware, and of course the network. Then everything above that, things you can configure, like the operating system, your application and the host itself, are owned by you.”

Lacework’s shift left comes as more organizations adopt DevOps and a Continuous Integration and Continuous Delivery (CI/CD) approach to application development and delivery in order to rapidly scale to meet business demands. The desire to move quickly creates security gaps that can lead to data leaks, ransomware, crypto mining, and a variety of other types of issues that can leave an organization’s data exposed and vulnerable.

“Customers can’t effectively secure complex environments with a stack of security tools,” said Dan. “Shifting left is about integrating security into every aspect of the lifecycle of cloud-native workloads, irrespective of where they are developed and deployed. Enterprises move quickly and they require a solution that is complete, continuous and automated.”

“It’s really about how do you create and combine the application and the security of what you’re about to push or deploy? Then once it’s pushed, how do you look at the security and compliance from that purview? And then, with our solution, how do you combine those two together?”

The addition of DevOps security into the Lacework Complete Security Platform means that enterprises can leverage a single solution that can identify security vulnerabilities and threats throughout the data and application lifecycle. As attackers seek to exploit weaknesses within infrastructures as they grow in surface area, the Lacework Complete Security Platform will provide unique visibility, immediate threat detection, and remediation capabilities.

“The market today offers a variety of point solutions to address security needs of specific elements of the IT infrastructure – such as cloud compliance, network endpoints, application orchestration, or vulnerability detection, among others – or rely on a rules-based approach to configuration validation and other security requirements,” continued Hubbard. “We will apply our unique intrusion detection approach to detect behavioral anomalies for all DevOps, cloud, and container configurations and events.”

Lacework is the global leader in automating threat defense, intrusion detection, and compliance for cloud workloads and containers. The company’s lightweight agent provides visibility to all processes and applications within an organization’s cloud and container environments. This breadth and depth of visibility helps detect vulnerabilities, and Lacework’s machine learning analysis then identifies anomalous behavior that poses threats.

Pat Flanders and Dan Hubbard of Lacework discuss how Lacework shifts left