At Armor, we simplify security and compliance for SaaS providers, securing workloads in the cloud from intrusion, theft and exposure.
“Shift Left” testing methodologies that emerged in the early 2000s helped SaaS developers address an important reality: waterfall approaches to development were unable to meet the demanding needs of accelerated technology and competition. But today’s SaaS companies move even faster and testing cycles are automated early and conducted often. The new reality of cloud computing, with virtual instances and containers adding speed and complexity to the effort, demands a reimagining of SaaS development, a kind of “Secure Left” philosophy to ensure not only success, but the very viability of new software-as-a-service providers.
Almost 20 years after the shift left movement and the introduction of agile methodologies, SaaS companies move even faster with developer teams spinning up new iterations and configurations instantly, delivered through complex cloud services and a shared responsibility that requires multiple layers of protection. Public cloud services like AWS and Azure protect the infrastructure itself, but the complexity of interconnectivity and competitive platform dynamics virtually ensures things will break with greater frequency. Therefore, SaaS companies need a broader perspective on the importance and impact of security. Without it, companies are putting themselves and their customers at risk, sometimes to devastating effect.
Take for example, a SaaS developing a simple application to track workouts. The DevOps team may not think such an app requires heavy lifting when it comes to security or compliance, only to find themselves sprinting for the exits when their first healthcare client is struck with ransomware due to bad code or an exposed Amazon S3 bucket. One Managed Service Provider to the dental industry infected over 400 locations this year—and all at once. There is no better lesson for SaaS providers: the more critical your application is, and the farther your reach, the better chance of you becoming a target and that the damage done can be substantial.
For SaaS businesses born of the cloud, a narrowed focus on rapid iteration and improvement of your applications without a wider perspective of the impact to security and compliance could leave your SaaS business exposed, over budget or even forced into bankruptcy due to a breach. Beyond the “test early and often” shift left methodologies, SaaS companies must now integrate security from the initial design stage, securing to the left the vital components to keep them in business.
Building software is a fundamentally difficult process with an array of moving parts and inter-dependencies. Initial waterfall models for development consisted of steps traditional project managers would recognize, organized into distinct phases and akin to a happy Keebler tree of assembly-line processes, milestones and timelines. Unfortunately, this resulted in a great deal of work that, in many cases, never delivered a product to market.
Next agile development methodologies evolved through the early release of evolving design and code, the daily build of code and fast turnaround of changes, and the need for deeply skilled teams. It proposed agile mechanisms that defined key software development qualities that were more important than others:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
In “Secure Left” methodologies, SaaS companies should add “Security as design over security as an add-on,” or perhaps “Security as primary objective over mere feature.” Only when this shift in the importance of security occurs will companies be able to keep up with threat actors, including internal ones.
In immunology, affinity maturation describes a process by which cells produce antibodies with increased affinity for antigens during the course of an immune response. With repeated exposures to the same antigen, a host will produce antibodies of successively greater affinities. This is a good metaphor for security in the “Secure Left” methodology. By introducing the antigen to cybercriminals early, your host team will produce ongoing and adaptive antibodies.
More importantly, the secure left approach can result in significant cost savings, better quality control, increased speed to market, and improved business continuity. Teams can reduce the cost of reworks by putting security controls in place early, and they can match compliance frameworks at the design stage to reduce auditing costs and improve quality control.
To reduce security threats, SaaS teams must begin with a design and development process that combines the Design, Development, Operations and Security teams, leveraging automation to simplify security and expedite deployment. By integrating the right security tools into the development lifecycle instead of bolting them on in a separate process, SaaS companies can add an additional layer of protection to their cloud applications and environments. Securing Left elevates business-critical security requirements and allows teams to address cloud integration, misconfigurations, bugs and other vulnerabilities before an application reaches production.
Failure to do so creates a creeping administrative and technical debt, the catch-up debt developers incur when controls or specifications are deployed “after the fact.” Failure to consider security and compliance controls early may create a string of vulnerabilities over time that can tax budgets and delivery timelines. Administrative or technical debt can even accrue when DevOps teams turn on native cloud security controls without considering alert management and response tactics. Security investments should be seen as strategic investments to avoid administrative debt. When security is guided by a strategic hand, it helps SaaS developers better understand the true value of your application and the data it must utilize and protect.
A New Call to Action for SaaS
Obviously, SaaS vendors must weigh the security functions they are willing to take on and when, realizing how those decisions affect the ability to create new code to minimize the cost of additional rework. Born-in-the-cloud SaaS startups may be wise to outsource their security functions to a third party who has the scale and expertise to protect their organization at a reasonable cost. Larger established SaaS companies with dedicated security teams already in place may be wise to leverage third-party tools for analysis and correlation.
What’s more, the secure left approach can add to your brand reputation, showcasing your security investment and building confidence with investors, employees, vendors and customers. Our partner OpenKey have integrated our security solutions from early in their development of a product in which security is vital—digital locks on hotel rooms and dormitories. They feature a powered by Armor logo on their website and materials and have made note of how it has positively impacted their brand in the marketplace.
In the end, today’s SaaS developers should ask early how security outcomes will be accomplished in a hybrid and multi-cloud world, and what tools or skills will be required to get there. They should consider the risk in choosing a single vendor and the price of getting locked in. They should also understand the process for investigation of alerts and determine who and how response will be handled. To consider all of this late in the process is no longer wise or acceptable, adding cost and administrative debt. Armor provides solutions to these now earlier challenges at a fraction of the cost of doing it yourself, and more economical than many of our competitors.
If the old approach to software development is defined by “Shift Left,” the modern equivalent is surely to “Secure Left.” As technologies like virtual machines and containers make development cycles even faster, and as efficiency and cost savings make it easier to shift priorities for security and compliance to the left side of the development life cycle, there is no excuse for SaaS developers not to improve their security posture at every step.
Read more in Armor’s white paper Simplifying Security for Software-As-A-Service.