shifting-left.md

File metadata and controls

19 lines (13 loc) · 2.93 KB

# Shifting Left

One of the common buzz phrases you hear in API security is "shifting left." It simply means you should be doing more to secure your APIs earlier in the API life cycle, rather than waiting until after you've deployed your API. If you look at the API life cycle as a linear left-to-right motion, shifting left equates to pushing things out earlier. Shifting left is essential for security, but you shouldn't stop there; there are many other elements you might want to consider shifting left as well.

## Elements

- Lifecycle - It can be difficult to know exactly what "shift left" means if you don't have a shared definition of the API life cycle. Once you begin to nail down a vocabulary to describe it, shifting left becomes much more feasible.
- Testing - Testing should not only occur after an API is up and running. More teams are finding it beneficial to begin crafting tests before an API has been deployed, using design-led or other earlier approaches to testing.
- Security - It is feasible to move security to the earlier define and design stages of the life cycle. Shifting security left also helps teams develop more secure APIs before a security review is done.
- Governance - It is not ideal to begin with governance by enforcing rules via the CI/CD system. Shifting governance to the define, design, and development stages of the API life cycle helps to deliver consistent APIs.
- Integrated Development Environment (IDE) - A developer's integrated development environment (IDE) is a great place to shift testing, security, and governance left in the API life cycle, providing teams with CLI, extensions, and other essential enablement tools.
- Reviews - Design, quality, and security reviews provide an opportunity to shift processes left in the API life cycle, centering reviews around API workspaces, then making reviews self-service, automated affairs.
- Education - The API life cycle provides a significant opportunity for making API education more modular and snackable. In addition to shifting left, you will make API and life cycle literacy available at every stage of the process.
- Strategy - While you're down in the weeds with each API at different stages of the life cycle, you have an opportunity to connect the dots of the tactical activities to where they fit into the wider domain, enterprise, or industry API strategy.
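The Security and Governance items above both describe moving checks to the define and design stages. As an added example (not code from the original page), here is a design-time check that runs against an OpenAPI 3.x definition before any code exists and reports operations left without any security requirement; the document and its endpoints are constructed for illustration.

```python
"""Design-stage API security check: an added example, not code from the original page.

Assumes an OpenAPI 3.x document already loaded as a dict (the sample below is constructed).
Flags operations that end up with no security requirement, a rule a team can run against
the API definition at the define/design stage, before any code or deployment exists.
"""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample: /orders inherits the global requirement, /health opts out with
# `security: []` (acceptable), and the admin delete opts out too (a design defect).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],
    "paths": {
        "/orders": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
        "/admin/users": {"delete": {"security": [], "responses": {"204": {"description": "ok"}}}},
    },
}


def unauthenticated_operations(spec):
    """Return 'METHOD path' for every operation with no effective security requirement.

    In OpenAPI an operation-level `security` list overrides the document-level one, and
    an empty list means "no authentication required", so both cases are checked here.
    """
    global_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as parameters or summary
            if not op.get("security", global_security):
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)


def check_spec(spec, allowlist=()):
    """Return findings not on the allowlist; an empty list means the design check passes."""
    return [f for f in unauthenticated_operations(spec) if f not in allowlist]


if __name__ == "__main__":
    # /health is a deliberately anonymous endpoint; the admin delete is not.
    for finding in check_spec(SAMPLE_SPEC, allowlist={"GET /health"}):
        print("unauthenticated operation:", finding)
```

Wired into a design review or a pre-commit hook, a non-empty result blocks the definition from moving right until the team either adds a security requirement or consciously allowlists the endpoint.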

Shifting left is often accompanied by a “shield right” philosophy, which means that you have a feedback loop for handling things when they go wrong. For example, if there is a security breach, you have procedures for how to respond, address, and communicate information about the failure.

A balanced “shift left and shield right” approach acknowledges that you need to plan earlier in the API life cycle to address some of the common challenges of API operations, but you also need to respond, evolve, iterate, and grow based upon successes and failures.