ShiftLeft scans are usually run in scan-only (non-blocking) mode during the first few weeks so that teams can see results without failing builds. Once your teams are familiar with the tool and its configuration, make ShiftLeft a required check (alongside code review) on the protected application branches, so that a pull request cannot merge while the scan fails.
ShiftLeft is, by design, an un-opinionated platform: out of the box it knows nothing about your application's risk profile, so findings may not carry the severity and priority your teams expect until the platform has been tuned.
Once you have several applications integrated with your CI/CD platforms and scanned regularly, the ShiftLeft team can help you tune the platform for the needs of your organization and applications by:
- Identifying and configuring the scanning rules based on your application and team needs
- Assisting with the configuration of the CI/CD pipeline to reduce scan times and low-value results
- Customizing policies or authoring custom policies to increase/decrease the scope of analysis
- Creating custom integration scripts
The objective of this phase is to configure and customize the platform for the AppSec and workflow needs of your teams. We also recommend that users raise feedback and enhancement requests with the product team during the working sessions.
Week 4 tasks
| Role | Task |
|---|---|
| Security Champions | Identify applications that would benefit from configuration and customization of the scanning process, and participate in working sessions with ShiftLeft |
| AppSec | Organize working sessions by inviting Security Champions from the various teams |
| ShiftLeft | Organize demos and working sessions to demonstrate build rules, configurations, and policy authoring |
| DevOps | Configure Git and CI platforms to make ShiftLeft scanning a mandatory step for pull requests and merges |
| ShiftLeft | Raise internal review tickets to identify any gaps or missing policies that might affect the quality of results |
| ShiftLeft | Collect product enhancement requests and feedback |
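The DevOps task above, making the scan a mandatory step for pull requests, is shown here as an added example GitHub Actions workflow; it is not configuration from this page or shipped by ShiftLeft. The `sl analyze` and `sl check-analysis` invocations, the CLI download URL, the `SHIFTLEFT_ACCESS_TOKEN` secret name, the application name `my-service`, the Java/Maven build and the `shiftleft.yml` build-rules file are all assumptions and must be matched to your own pipeline and the current ShiftLeft CLI documentation.

```yaml
# Added example (not from this page): run a ShiftLeft scan on every pull
# request against main and fail the job when the scan violates the build
# rules defined in shiftleft.yml. A failing job blocks the merge once the
# `scan` job is listed as a required status check in branch protection.
name: shiftleft-sast

on:
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumption: the application is a Java service built with Maven.
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - name: Build
        run: mvn -B -DskipTests package

      # Assumption: the CLI is fetched from the ShiftLeft CDN; pin a checksum
      # or version in a real pipeline rather than trusting the latest build.
      - name: Install ShiftLeft CLI
        run: |
          curl -sSf https://cdn.shiftleft.io/download/sl > sl
          chmod a+rx sl

      # Assumption: the org token is stored as a repository secret and read by
      # the CLI from SHIFTLEFT_ACCESS_TOKEN. Tagging the branch keeps PR scans
      # separate from the main-branch baseline in the ShiftLeft UI.
      - name: Analyze
        env:
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        run: |
          ./sl analyze --app my-service \
            --tag branch=${{ github.head_ref }} \
            --java --cpg target/*.jar

      # Assumption: build rules (for example, zero critical/high findings)
      # live in shiftleft.yml at the repository root; a violated rule makes
      # check-analysis exit non-zero, which fails this step and the job.
      - name: Enforce build rules
        env:
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        run: ./sl check-analysis --app my-service --config shiftleft.yml
```

The workflow alone only reports a failed job; the enforcement comes from the branch protection rule on `main` (repository Settings, Branches, Require status checks to pass before merging), where the `scan` job is added as a required check next to the required pull-request review. Keep the rules in `shiftleft.yml` narrow at first (for example, only critical findings) and widen them as the tuning sessions described above reduce low-value results, otherwise teams will start bypassing the gate.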