Shifting Left in AppSec: A Lesson from Benjamin Franklin

In the bustling city of Philadelphia during the 18th century, fire was a constant and terrifying threat. Wooden structures, open flames, and a lack of organized firefighting resources made the city vulnerable to devastating blazes. It was in this environment that Benjamin Franklin, a man of foresight and innovation, took action.

In 1736, Franklin observed the destructive power of fires and understood that waiting until a fire broke out to respond was a flawed approach. He helped establish the Union Fire Company, one of America’s first volunteer fire-fighting organizations, promoting a proactive stance on fire safety.

Franklin advocated for preventive measures like building codes, fire-resistant materials, and regular chimney cleaning. His wisdom was encapsulated in the now-famous saying, “An ounce of prevention is worth a pound of cure.”

This adage emphasized the importance of prevention over cure—a philosophy that resonates deeply with today’s cybersecurity landscape, particularly in the realm of application security (AppSec).

The Modern-Day Fire: Security Vulnerabilities

Fast forward to the 21st century, and the threat of fire has been replaced by the threat of security vulnerabilities. In the hectic world of software development, security is, sadly, often an afterthought, addressed only when a vulnerability is discovered or, worse, exploited. This reactive approach can lead to significant damage, much like the fires that ravaged Franklin’s Philadelphia.

However, a paradigm shift known as “shifting left” in AppSec is changing this approach. Shifting left means integrating security practices early in the Software Development Life Cycle (SDLC), ensuring that potential issues are identified and mitigated from the outset, rather than waiting until the end of the development process or after deployment.

The Analogy: Fire Prevention and Shifting Left

Benjamin Franklin’s approach to fire prevention offers a perfect analogy for the shift-left movement in AppSec. Just as Franklin emphasized proactive fire prevention to protect his city, shifting left emphasizes early intervention to protect software applications.

  1. Proactive Measures: Franklin’s proactive measures to prevent fires—like advocating for fire-resistant materials and proper maintenance—mirror the proactive measures in AppSec, such as conducting threat modeling and integrating security tools early in the SDLC. By addressing potential vulnerabilities from the beginning, we can prevent them from becoming critical issues.
  2. Cost-Effectiveness: Franklin understood that preventing fires was far less costly than dealing with their aftermath. Similarly, fixing security issues early in the development process is more cost-effective than addressing them post-deployment, where remediation is more complex and expensive.
  3. Continuous Vigilance: Franklin’s Union Fire Company represented continuous vigilance and readiness to respond to fires. In AppSec, this translates to continuous security testing, regular code reviews, and ongoing threat assessments, maintaining a robust security posture throughout the development lifecycle.
  4. Community Involvement: Just as Franklin involved the community in fire prevention, shifting left involves the entire development team in security practices. Developers, testers, and security professionals work collaboratively to build secure software, fostering a culture of shared responsibility for security.

Practical Steps to Shift Left in AppSec

| Aspect | Fire-Fighting Prevention | AppSec Shifting Left Practices |
|---|---|---|
| Proactive Measures | Implementing fire-resistant materials, regular chimney cleaning | Conducting threat modeling, integrating security tools early |
| Cost-Effectiveness | Lower costs by preventing fires before they start | Reducing costs by fixing vulnerabilities early in development |
| Continuous Vigilance | Establishing volunteer fire brigades, regular fire drills | Continuous security testing, regular code reviews |
| Community Involvement | Engaging community in fire safety education and drills | Involving the entire development team in security practices |
| Preventive Tools | Fire alarms, smoke detectors, fire-resistant building materials | Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) |
| Training and Education | Educating citizens on fire safety measures | Providing ongoing security training for developers |
| Automated Prevention | Automatic sprinkler systems | Automating security tests in the CI/CD pipeline |
| Collaboration | Coordinated efforts between firefighters and community | Promoting collaboration between developers, testers, and security teams |
| Response Preparedness | Regular fire drills and readiness plans | Preparedness for quick vulnerability fixes and patch deployments |
| Maintenance | Regular inspections and maintenance of fire safety equipment | Regular updates and patches to security tools and libraries |

Conclusion

Benjamin Franklin’s timeless wisdom that “An ounce of prevention is worth a pound of cure” is as relevant today in the realm of application security as it was in 1736. By shifting left and integrating security early in the development process, we can prevent vulnerabilities before they become critical issues, saving time, money, and resources while ensuring the safety and security of our applications and data.

So listen to the advice of the man whose face is literally on the $100 bill, and invest more in preventing problems rather than in dealing with them.