Shift-Left Security for Decentralized Engineering Organizations: Embedding SAST, DAST, and Penetration Testing Throughout the Software Development Lifecycle in University and Research Computing Environments

Authors

  • Sri Gantikota, Senior Software Engineer, San Diego, California 92101, USA.

DOI:

https://doi.org/10.63282/3050-922X.IJERET-V5I4P118

Keywords:

Shift-Left Security, DevSecOps, Decentralized Organization, Higher Education, Research Computing, SAST, DAST, Penetration Testing, SDLC, Opt-In Security Platform, Federated Engineering

Abstract

Shift-left security in a single product engineering organization is a well-documented practice. Adapting the same patterns to a decentralized engineering organization, in which multiple independently governed teams ship software on heterogeneous timelines using heterogeneous tooling, requires additional attention to consent, autonomy, and the operational realities of cross-team coordination. University research computing environments are a representative instance of this organizational shape. This paper describes the design and rollout of a shift-left security program in a decentralized higher-education engineering setting. The program embeds Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and penetration testing throughout the software development lifecycle, but it does so through invitation and incentive rather than through top-down mandate. The paper covers the rationale for that design choice, the architecture of the central platform components that teams opt into, the developer-facing artifacts that lower the cost of adoption, the integration patterns with the heterogeneous continuous integration systems in use across teams, and the metrics that track program reach and effectiveness over time. The paper closes with a discussion of how the same patterns transfer to other decentralized engineering organizations such as large enterprises with federated product groups, scientific computing collaborations, and open-source project ecosystems. The intent is to document a practical approach that engineering organizations whose authority structure does not support a security mandate can nonetheless use to drive substantive improvements in their security posture.

Published

2024-12-30

Section

Articles

How to Cite

Gantikota S. Shift-Left Security for Decentralized Engineering Organizations: Embedding SAST, DAST, and Penetration Testing Throughout the Software Development Lifecycle in University and Research Computing Environments. IJERET [Internet]. 2024 Dec. 30 [cited 2026 Jun. 7];5(4):175-9. Available from: https://ijeret.org/index.php/ijeret/article/view/598