This document discusses shift-left security, which involves moving security practices earlier into the software development lifecycle to proactively address risks rather than reactively. It notes that only 20% of organizations consistently integrate security early in DevOps processes. Shift-left security is important because traditional security teams cannot keep up with development speeds. The document outlines how to implement shift-left security through automating security practices, using control gates, and learning from production environments. It argues containers help shift security left through their minimal, declarative, and predictable nature which simplifies security requirements and policy automation.

1. Shift Left Security: What, Why & How
Joshua Thorngren, VP Marketing, Twistlock

2. What we’re
covering
today:
• What is shift-left security?
• Why is it important?
• How do you enable it?
• Q & A

3. Software is eating the world
• Every org is becoming a software org
• Software orgs need modern tools
• DevOps, containers, and cloud native are
those tools
The world is dangerous
• ‘Democratization’ of sophisticated attacks
• Security teams and SOCs overloaded
• Your own software is the softest target

4. TWISTLOCK | © 2017 | Confidential
Only 20% of organizations following
DevOps practices consistently
integrate security into the
development process.
Source: HPE | True State of Application Security & DevOps

5. TWISTLOCK | © 2017 | Confidential
Traditional Security Can’t Keep Up
• Only 15% of organizations can remediate security vulnerabilities or
address compliance issues within a day
• Organizations have to either shift cycles away from innovation, or
leave risks unaddressed.

6. Shift Left Security
Moving security practices left into the software
development lifecycle with the goal of shifting from a
reactive to a proactive security posture

7. TWISTLOCK | © 2017 | Confidential
Simple concept – difficult execution.
• Traditional security practices of manual policy creation don’t translate
to agile workflows well
• Developers and security have very different domain expertise – it’s
not just integrating the practices – it’s finding ways to communicate
• Security tooling doesn’t lend itself to dev-oriented information
surfacing.

8. 1. Security by design – establish criteria up front
2. Automate, automate, automate
3. Control gates are your friend
4. Use dev learns for better production protection

9. TWISTLOCK | © 2017 | Confidential
Containers empower security teams to
shift left more successfully than
traditional architectures

10. © 2017
Minimal
Typically single
process entities
Declarative
Built from images
that are machine
readable
Predictable
Do exactly the
same thing from
run to kill

11. 1. The minimal nature simplifies security requirements for
each artifact
2. The declarative nature allows automated analysis of
vulnerabilities and compliance
3. The predictable nature simplifies automation of policy
creation and enforcement

12. TWISTLOCK | © 2017 | Confidential
Fully Automated, Shift-Left Security
Machine
learning
Predictive
model
Automated
defense
Static
analysis
ip, category, score, first_seen,
last_seen, ports
74.88.8.7,31,65,2016-04-16,2016-
04-16,
23.16.9.49,35,125,2016-04-
11,2016-04-20,80
82.16.9.65,35,127,2016-04-
09,2016-04-21,80
Threat
intelligence
12
cache
data
fe01 fe02
© 2017

13. TWISTLOCK | © 2017 | Confidential
The Twistlock Approach
13
Build Ship Run
Compliance
Runtime defense
Access control
Cloud native firewalling
Vulnerability management

14. Questions?

15. Thank you
@twistlocklabs
@twistlockteam
josh@twistlock.com