Shift Left vs Shift Right Security Testing

PUBLISHED ON August 24, 2021
LAST UPDATED Aug 24, 2021

Shift Left. No wait, shift right! No, LEFT… Oh no, you just got run down… 

APIs are the building blocks of modern web applications, and at ThreatX, we’re seeing an API explosion in the production sites we protect for our customers. In our customers’ sites, it’s not uncommon to see dozens, or even hundreds, of API endpoints servicing the traffic proxied through a single site. 

That’s a massive playing field for attackers to exploit, and protecting that attack surface is tricky business.

Mature application development organizations have established a “shift-left” security posture: they embed Security Champions in development teams to monitor and coach developers on defensive coding practices. They run software composition analysis (SCA) against their dependency manifests so that known vulnerabilities in shared open-source libraries are caught before merge. They run SAST against source code (or, with binary scanners, against compiled code) and DAST against a running pre-production instance of the application before that code reaches production. And they remediate critical findings before anything gets deployed to Prod.

But mature organizations will also have built tooling that lets them spin up new cloud infrastructure at the speed of DevOps, with a pipeline that often takes code to production within hours of developers checking it in. Canary deployments are great, but those powerful DevOps tools can leave a porous “net”: zombie API endpoints (ones that should already have been retired) stay deployed long after they should have been reaped, and rogue API endpoints (ones nobody signed off on) can make it to production without going through the security checks and balances noted above.

ThreatX recently launched an API Catalog capability that gives enterprises visibility into legitimate, rogue, and zombie APIs. We take a protection-first approach to APIs: we sanitize the traffic we proxy to origin servers and, at the same time, catalog the API endpoints that traffic actually hits, so application owners can see what is drawing requests and whether that traffic is legit or sketchy AF.
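To make the rogue/zombie distinction concrete, here is an added example (my own illustration, not ThreatX’s code or log format) of the cataloging step described above. It assumes a constructed access-log format of `client method path status`, an assumed owner-declared inventory of route templates with a lifecycle status, and a hypothetical `{id}` placeholder convention for path parameters. Observed routes that are not declared are reported as rogue; declared routes marked retired that still draw traffic are reported as zombies; declared routes that never appear in traffic are listed separately so an owner can decide whether they are dead code.

```python
import re
from collections import Counter

# Constructed sample of proxy access-log lines: "client method path status".
# Not a real ThreatX log; only method and path matter for the catalog.
SAMPLE_LOG = """\
203.0.113.10 GET /api/v2/users/1842 200
203.0.113.10 GET /api/v2/users/77 200
198.51.100.4 POST /api/v2/orders 201
198.51.100.4 GET /api/v1/orders/9f1c2e3d-1111-2222-3333-444455556666 200
192.0.2.9 GET /api/v1/orders/0b2d4f6a-aaaa-bbbb-cccc-ddddeeeeffff 200
192.0.2.9 POST /internal/debug/dump 200
203.0.113.10 GET /api/v2/users/1842/export?format=csv 200
"""

# Assumed declared inventory: (method, route template) -> lifecycle status.
# "retired" means the owner says it should already have been reaped.
DECLARED = {
    ("GET", "/api/v2/users/{id}"): "active",
    ("POST", "/api/v2/orders"): "active",
    ("GET", "/api/v1/orders/{id}"): "retired",    # replaced by v2, still deployed
    ("DELETE", "/api/v2/orders/{id}"): "active",  # declared, never seen in traffic
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def normalize_path(path):
    """Drop the query string and collapse numeric/UUID segments into {id}
    so that /users/1842 and /users/77 map to the same route template."""
    path = path.split("?", 1)[0]
    return "/".join(
        "{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
        for seg in path.split("/")
    )


def catalog(log_text, declared):
    """Classify observed routes against the declared inventory."""
    observed = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        _client, method, path, _status = m.groups()
        observed[(method, normalize_path(path))] += 1

    result = {"legitimate": {}, "rogue": {}, "zombie": {}, "unobserved": []}
    for route, hits in observed.items():
        status = declared.get(route)
        if status is None:
            result["rogue"][route] = hits        # in traffic, never declared
        elif status == "retired":
            result["zombie"][route] = hits       # should be gone, still serving
        else:
            result["legitimate"][route] = hits
    for route in declared:
        if route not in observed:
            result["unobserved"].append(route)   # declared but drawing no traffic
    return result


if __name__ == "__main__":
    for bucket, routes in catalog(SAMPLE_LOG, DECLARED).items():
        print(bucket, routes)
```

The normalization step is what makes the catalog useful: without it, every distinct user id would look like its own endpoint and the rogue bucket would fill with noise. In practice the placeholder rules should match whatever router conventions the application actually uses, and the declared inventory would come from the team’s OpenAPI specs rather than a hard-coded dict.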

Don’t just stand there in the middle of the road shifting left, then right, then left again. Get the best of both shifts with ThreatX API protection.

To find out why ThreatX customers recommend our web application and API protection platform to their peers, schedule a demo today.

About the Author

Tom Hickman

Tom has a long track record of building and scaling product delivery capabilities at mid- and growth-stage startups. He served as the VP of Engineering at Edgewise Networks, where he led engineering through early releases of Edgewise’s zero-trust micro-segmentation product. While at Veracode, a leader in AppSec, Hickman led engineering through an Agile transformation and helped the company become a true multi-faceted AppSec platform prior to its acquisition by CA Technologies in 2017. Tom holds a B.S. degree in mechanical engineering from the Georgia Institute of Technology.