My friends in the enterprise software development community have been talking recently about “shifting left,” especially when it comes to security. As it turns out, the idea of shifting a process left on the timeline – that is to say, earlier – applies to the world of network automation and development as well.
Shifting network automation to the left is not that much of a conceptual leap, especially when we think of the recent and rapid adoption of IaC (Infrastructure as Code) and GitOps for network automation, and of configuration network devices with machine readable files such as YAML, JSON and XML and using a GitOps methodology and a Git version control system as the source of truth for infrastructure.
Many teams have seen the value of using GitOps as their single source of truth, ensuring that infrastructure is always in sync with the code itself. But as network teams and organizations have rallied to approach a more DevOps/GitOps model, what does it means to embrace shift left security for the network?
What is “Shift Left” exactly?
“Shift left” means that operational responsibilities shift leftward on the development timeline. In its most simple terms, “shift left” security is moving security to the soonest feasible point in the development process. Security should be an integral part of the software development life cycle and for network automation. So let’s look at what it means to combine security concerns with the NetDevOps model.
Taking ownership of security
Security should be at the forefront of every team’s mind when building code.
Network teams also need to automate security at day one. This is not just about the tools. It is also about people and practices. By shifting left, the idea is to test code and look for vulnerabilities as the network team is doing their work as part of the DevOps process. It is about giving the right team instant feedback so they can make a fix before it ever becomes a problem. This makes the entire process more repeatable and faster, and fits with the way the development lifecycle process works. And by automating the security process, network teams can ensure that each component gets all the security testing it requires without taking up any additional resources, thus making security a part of the development process itself. The more the network team can automate to make it a part of the development process, the less work a security team will need to do later.
As Network Automation teams have adopted a GitOps methodology, they have moved to an Agile process with continuous integration and continuous delivery (CI/CD) pipelines for faster cycles. By standardizing builds, developing tests, and automating deployments and a higher volume of releases, they have already begun the journey to shift left security. Continuous integration is the process that helps improve code quality throughout deployment pipeline. When security can be integrated early in the process, it helps organizations shift left.
However, much as manual configuration issues were a threat to the previous methodology, in a shift left setup, coding bugs even simple mistakes and misconfigurations, can have grave consequences. For example, exposing customer or company data is a real risk, especially since malicious actors are constantly scanning code repositories looking for sensitive data and known (and unknown) vulnerabilities that could expose usernames, passwords, API keys/Tokens, development tools, or even private keys. One of the key areas in continuous integration process in the is testing the of code and validation, where tools like pyATS which can be used for end-to-end testing. These tools can be integrated into CI (Continuous Integration) pipelines to run automated tests as part of development.
Look forward as well as left
The biggest takeaway of shift left for network engineers is that it helps teams discover faults or bugs earlier. Shifting left and automating the network CI/CD pipeline will dramatically improve the integration of security within the Software Development Life Cycle for network automation. As NetDevOps and security testing evolves, security scans can be automatically triggered, and can embed results directly into the CI/CD pipelines of tools like GitHub and GitLab. This also makes it easier for security and compliance to enter into the development lifecycle.
To get the full benefits of shifting left, teams need to incorporate coding standards that make it easier to trace and resolve coding bugs, and they need to practice early test cycles and approaches like in-line testing to detect bugs earlier in the development stage. And finally, to speed up testing, teams should promote automation to finally remove manual testing processes.
- See our pyATS Development Guide
- Read: Use CI/CD Pipelines for Infrastructure Configuration and Management
- Read: What’s Ahead for Cisco Developer Relations
- Explore our CML CI/CD Pipeline repo