The web application development industry is driven by data. Every decision we make is backed by mountains of information, but have we been looking in the right place to get this data?
We’re experiencing massive data bottlenecks. We have more information than ever before, but decision-making feels like it’s only gotten harder. This is because we’re missing data from the runtime environment in our CI/CD development pipelines.
Here’s why runtime data is what your dev team has been missing to improve your shift left development.
What is Shift Left?
In a very broad sense, shift left is the process of bringing security, evaluation, and quality control earlier into the development process.
The last decade has seen a lot of change when it comes to shift left. We’ve successfully integrated huge amounts of security value into the development pipeline itself.
We’re no longer chasing security threats, but responding to them ahead of time by building more robust software. However, there are some major hurdles that are holding back the next wave of changes when it comes to shift left.
The Biggest Data Barrier to Shifting Left
Application developers usually start to hit some major hurdles in the shift left process when we consider the data we get in the CI/CD pipeline and try to make a decision about blocking potential threats. Making good decisions has always been data-driven, so traditional wisdom says get more data.
The problem is that shift-left approaches often leave us overly relying on static data. We conduct rounds of code scanning, scan containers, and even use IaC scanning to add data to the pile. However, this is just throwing data at the problem.
It’s not about amassing huge piles of pipeline data—it’s about looking at the one big source of missing data in our pipeline. We need to get runtime data back into the pipeline.
Bringing Runtime Data into the Pipeline
The next big evolution in security tools is bringing runtime data back into the pipeline.
Runtime information is currently, and unfortunately, segregated into its own data silo. Pipeline and runtime are often considered distinct environments or separate phases of development. This misses the point that the pipeline feeds directly into the runtime and what we learn in the runtime can be taken back to help developers prioritize vulnerabilities in their code.
Using runtime data to inform the decisions we make in the pipeline can take many forms. We can look at the information that we gained during comprehensive staging tests to make decisions about application security. We can also use information gained from past runtime tests to make decisions about future development processes.
The most valuable data out there right now won’t be found in another code scanning session, but in a real-world runtime environment where your application is actually being used.
Why Runtime Data is so Important
It’s hard to overstate the importance of runtime data. The runtime environment is where your application is going to interact with the end user, as well as potential cybersecurity threats.
The runtime environment is going to be the most dynamic and rapidly changing space in which your application exists. This is where your app is going to be interfacing with APIs, other applications, users and potential hackers. Here’s a specific example of how runtime data can improve security decision-making.
Runtime data shows you how users interact with your app. It also shows you the libraries that actually get used in the app. This can allow your team to, for example, prioritize securing the libraries that are actually being used while lowering the priority of libraries that don’t get used.
The data that you get in the runtime environment is priceless. Integrating this information back into the pipeline is the piece of the puzzle that you’ve been missing to make better security decisions and streamline vulnerability fixes.
Key Takeaways: Runtime Data and Shift Left
The entire goal of the shift left philosophy has been to streamline application development. Shift left is about moving the entire development process into the pipeline, and why shouldn’t that include the data that we got from a runtime environment?
Runtime data is what your development team has been missing when it comes to streamlining the decision-making process. Keep these three key takeaways in mind when using runtime data to address vulnerabilities in your application.
- The biggest hurdle in decision-making is currently an over-reliance on static data from scans and an absence of runtime data in the pipeline
- Runtime data can be brought back into the pipeline by using information gained during staging tests or in previous runtime deployments
- This information allows you to gain vital insight into how your application is it going to interact with APIs, other applications, end users, and even potential cybersecurity risks