When Shift-Left is more than a marketing campaign

Published: 2022-05-24 (last modified 2022-11-22)
Link: https://staging2022.42crunch.com/when-shift-left-is-more-than-a-marketing-campaign/
Category: blog. Tags: api-security, shift-left.

Earlier this month I had the chance to join my new colleagues from 42Crunch at our all-hands in Ireland and I couldn’t be more excited that there’s something special that we’re building here. Setting aside that Cork and Kinsale are some of the prettiest places I’ve ever visited, I was able to see how passionate the 42Crunch team is about an approach that’s new to me as someone who’s been in this space for a while – developer-first security. While many in the application security world pay lip service to “shift-left”, our team has lived and breathed this approach for the past five years.

If you aren’t familiar with “shift-left”, it refers to the idea that the earlier you bake security into your product lifecycle (which moves from left to right), the more effective your security will be, because security will be inherent in the design of your application. This is not to say that having security on the right, where your application is running, isn’t valuable – it absolutely is and will continue to be. But if you have the opportunity to shift left, the advantages are many:

| Shift-Left | Shield-Right |
| --- | --- |
| Developers precisely define and validate the way users interact with the application. | Monitoring and analytics tools try to discern malicious traffic from normal traffic and raise alerts for SecOps to chase down. |
| Developers consistently follow security best practices as they build the application. | Security teams find issues and have to go back to developers to fix them when they’ve already moved on to the next project. |
| Functional and security testing can happen at the same time because the design encapsulates both. | Security testing is done by the security team using generic, coarse-grained tools. |

Why APIs are suited for shift-left

One key challenge with shifting left when it comes to web applications is that there is no blueprint that developers can follow to ensure that they’re following consistent guidelines for designing a secure application. This is because applications are heterogeneous by nature and can’t be constrained to a set of design standards.

But APIs are different. Since 2015, the OpenAPI Initiative has published standards by which developers can document the design of their REST APIs. These designs are encapsulated in OpenAPI Specification (OAS) files, also known as Swagger files.

Because an OAS file includes everything from authentication protocols to input/output data types to status codes in a machine-readable format, it is the obvious place to start when looking for potential security vulnerabilities. Inspecting an OAS file, for example, might show you that an array doesn’t have a maximum number of items defined, leaving you exposed to an injection or memory overflow attack.

What if there was a tool that could audit an OAS file as it was being written and provide an instant list of security recommendations for the developer to review without having to leave her IDE? As one recent customer put it – that’s about as left as you can shift!

But how do you get developers on board?

Apart from the most security-minded developers, most won’t go out of their way to use a security tool, especially if it negatively impacts their primary goal – shipping code quickly. If you want adoption, you must give them something that adds value and saves time while providing security as an added benefit.

This is exactly what 42Crunch has done. Our OAS editor and audit tools provide a ton of time-saving features like schema validation and autocomplete. Because of this, we’ve seen tremendous adoption, to the tune of over 450,000 developers who have installed our plugin from the marketplaces for the top 3 IDEs on the market (up from only 230K at the same time last year). And with security auditing embedded in a tool that’s already been embraced by developers, AppSec teams have an entry point to validate that APIs are being designed securely without blocking or slowing down release cycles.

Cool story bro, but how does this help me now?

You might be thinking to yourself: an API design audit sounds great, but I have a ton of APIs in the wild that I need protected now. To answer this I would steal a quote from one of our co-founders – “How can you protect what you don’t understand?” In other words, you may have a dynamic testing tool or a runtime protection tool that you’re considering to secure your APIs. But are those tools applying the context of the API’s design when in use? If so, do they provide any assurance that the API’s design is secure? If not, they are essentially doing guesswork. It may be highly sophisticated AI-driven guesswork, but it’s still just guesswork.

Contrast this with the 42Crunch Conformance Scanner and API Firewall, both of which use the context derived from the OAS file when scanning and protecting an API, and you have a best-in-class API security toolset that truly embodies the term DevSecOps. The Scanner validates that your API is implemented the way it was designed and can be seamlessly integrated with all major CI/CD pipelines. The API Firewall enforces a positive security model that only allows requests and responses that align with the API’s design, and can be deployed across a wide range of cloud-native environments.

If you’ve been reading this far, you’re either a family member of mine or you’re really interested in what we’re up to at 42Crunch. If it’s the latter, feel free to contact me, Tom Chang, and I’m happy to drone on about all the cool stuff we’re working on.