The importance of ‘Shift-Left’ testing in the SDLC!
What is ‘shift-left’ in the field of DevOps and security? Traditional testing is done in the QA stage of the software development process, which happens in the later phases, at runtime, after the source code has been compiled. This means that bugs are typically identified late in the lifecycle, particularly under older development practices such as the waterfall model. The most common problem with this approach is that the time allocated at the end of application development for thorough testing is compromised. This results in products frequently being deployed without sufficient verification. From requirement analysis to launch and maintenance, many different teams can be involved, so is it fair that only the testing team should be responsible for quality and security?
There are four main advantages of ‘shift-left’ testing.
- The software has a better design, as you identify problematic areas and potential bottlenecks while implementation takes place.
- Earlier bug fixing saves the developer from having to recall details of source code that was potentially written weeks or months before.
- Remediation cost and time are greatly reduced, allowing your application to get to market on time.
- The risks of security concerns are mitigated.
At Xcalibyte, we strongly advocate the practice of secure coding. In the past developers were not keen on taking a secure coding approach due to concerns of delays and complications. But things have changed due to automation and analysis tools such as those for Static Application Security Testing (SAST). These are tools that scan source code before it is compiled to identify poorly written code, non-compliant code and potential vulnerabilities. Because of the need to ensure testing is done across the lifecycle, finding a solution that can work seamlessly with your development environment is key to avoid it becoming a bottleneck.
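To make concrete what a SAST tool does at the pre-compile stage, here is a small added illustration (not Xcalibyte's product or any shipping analyzer): it parses Python source with the standard `ast` module, never executing it, and reports three classic finding types with line numbers, which is exactly the kind of check a shift-left gate runs in a pre-commit hook or CI step. The sample module it scans is constructed for the demo.

```python
# Toy SAST check: inspect Python source before it ever runs and report risky
# patterns the way a shift-left gate would. Added illustration, not a real engine.
import ast
from dataclasses import dataclass

SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}

@dataclass
class Finding:
    line: int
    rule: str
    detail: str

class _Visitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # eval()/exec() on untrusted input is a classic code-injection sink.
        if isinstance(node.func, ast.Name) and node.func.id in {"eval", "exec"}:
            self.findings.append(Finding(node.lineno, "dangerous-call", node.func.id))
        # subprocess.*(..., shell=True) turns a string command into an injection sink.
        if isinstance(node.func, ast.Attribute) and node.func.attr in {"run", "Popen", "call"}:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding(node.lineno, "shell-true", node.func.attr))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal assigned to a secret-looking name is a hardcoded credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.findings.append(Finding(node.lineno, "hardcoded-secret", target.id))
        self.generic_visit(node)

def scan_source(source: str):
    """Return findings sorted by line; the code is only parsed, never executed."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)

# Constructed sample module to scan (not real project code).
SAMPLE = '''import subprocess
password = "hunter2"
def run(cmd, expr):
    subprocess.run(cmd, shell=True)
    return eval(expr)
'''
# Usage: for f in scan_source(SAMPLE): print(f.line, f.rule, f.detail)
```

A real gate would exit non-zero when `scan_source` returns anything, blocking the commit or build until the developer fixes the code while it is still fresh in mind.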
As secure coding becomes a more prominent goal for executives, the use of SAST is seeing growth within organisations around the world and now in China. This does not come without its challenges. Many organisations struggle to build a culture around secure coding, as it is hard to change old habits and to ensure automated security controls are embedded in the development process. The cost of remediation and the enormous costs of security breaches should be enough incentive for CTOs and CEOs to make the change, yet there is always counter-pressure from market opportunity and demand. You only need to look at the damaging incidents at IoT device companies such as Xiaomi to understand how a lack of emphasis on secure coding can impact them. The rush to get products to market as quickly as possible has had detrimental effects on companies. Xiaomi, for example, recently saw one of its home surveillance cameras receive images from different cameras around the world. This happened even without the devices being hacked by a malicious attacker. As a result, Google immediately blocked Xiaomi from its Nest smart home products, impacting its sales.
To give you an idea of the cost savings that can be created by using SAST tools, we can refer to a study by the Systems Sciences Institute at IBM. They found that it would cost a company 6 times more to fix a bug during implementation than it would to fix it during design. The cost of fixing during testing would be 15 times more than during design. Worse still, it is 100 times or more costly to fix after the product has been released.
To adopt shift-left testing, a company must embrace a quality-first mindset and a security-by-design approach. In practical terms this means job descriptions need to be broadened, investments must be made in training, and testing teams must work more closely with development teams. Everyone must be in sync. Remember, quality is the responsibility of all.