The importance of ‘Shift-Left’ testing in the SDLC!

Mar 25, 2020 Yuning Liang

What is ‘shift-left’ in the field of DevOps and security? Traditional testing is done in the QA stage of the software development process, which happens in the later phases, at runtime, after the source code has been compiled. This means that bugs are typically identified late in the lifecycle, particularly with older development practices such as the waterfall model. The most common problem with this approach is that the time allocated towards the end of application development for thorough testing is compromised. This results in products frequently being deployed without sufficient verification. From requirement analysis to launch and maintenance, many different teams can be involved, so is it fair that only the testing team should be responsible for quality and security?

William Edwards Deming, a management consultant and academic, is widely acknowledged as the leading management thinker in the field of quality and well known for saying “quality is the responsibility of all”. This refers to the need for everyone in an organization to focus on cooperation and continual improvement in processes, products and services. The testing and QA teams in application development are not alone in ensuring the delivery of high-quality source code and secure software. Leaders have to take responsibility for creating awareness that quality is the domain of all staff and apply the proper governance and oversight to manage it. Shift-left testing is done earlier in the SDLC in parallel to code development and makes the developer a responsible party for ensuring the code quality is high and defect-free. ‘Shift-right’, the traditional testing phase, does not go away as some bugs can only be found in runtime. They should both be used to complement each other. One significant difference between shift-left and shift-right is that the remediation time for errors is greatly reduced because defect detection starts early. In this regard, shift-left is actually part of the continuous testing process that happens across all stages of the Software Development Lifecycle (SDLC).

There are four main advantages of ‘shift-left’ testing.

  • The software has a better design as you identify problematic areas and potential bottlenecks whilst implementation takes place.
  • Earlier bug fixing saves the developer from having to recall details of source code that was potentially written weeks or months before.
  • Remediation cost and time are greatly reduced, allowing your application to get to market on time.
  • The risks of security concerns are mitigated.

At Xcalibyte, we strongly advocate the practice of secure coding. In the past, developers were not keen on taking a secure coding approach due to concerns about delays and complications. But things have changed thanks to automation and analysis tools such as those for Static Application Security Testing (SAST). These are tools that scan source code before it is compiled to identify poorly written code, non-compliant code and potential vulnerabilities. Because testing needs to happen across the whole lifecycle, finding a solution that works seamlessly with your development environment is key to avoiding it becoming a bottleneck.
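To make the idea concrete, here is an added illustration (not Xcalscan and not part of the original post) of the simplest possible SAST-style gate: a pattern-based scan of C source text that runs before compilation and exits non-zero so a CI stage can fail the build. The rule table, the sample source and the rule names are all constructed for this example.

```python
import re
import sys
from dataclasses import dataclass

# Constructed rule table (illustrative, not Xcalscan's rules): each entry is a
# rule id, a pattern matched against one line of C source, and a remediation hint.
RULES = [
    ("unbounded-string-copy", re.compile(r"\b(strcpy|strcat|sprintf)\s*\("),
     "copies without a length bound; use strncpy/strncat/snprintf with sizeof"),
    ("format-string", re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*\)"),
     "variable used as the format string; write printf(\"%s\", var)"),
    ("obsolete-input", re.compile(r"\bgets\s*\("),
     "gets() cannot bound its read; use fgets(buf, sizeof buf, stdin)"),
]

@dataclass
class Finding:
    rule: str
    line: int
    message: str
    text: str

def scan_source(source: str):
    # Walk the text line by line; no compiler or build step is needed.
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]          # drop trailing line comments
        for rule, pattern, message in RULES:
            if pattern.search(code):
                findings.append(Finding(rule, lineno, message, line.strip()))
    return findings

# Constructed sample: a deliberately sloppy C function, as a developer might commit it.
SAMPLE = """\
#include <stdio.h>
// strcpy is only mentioned in this comment, so it must not be flagged
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);
    printf(buf);
    snprintf(buf, sizeof buf, "hi %s", name);
    gets(buf);
}
"""

def main() -> int:  # non-zero exit status lets a CI stage fail the build
    findings = scan_source(SAMPLE)
    for f in findings:
        print(f"line {f.line}: [{f.rule}] {f.message}\n    {f.text}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

A real SAST tool works on the compiler's view of the program rather than on text patterns, which is what lets it follow data across functions and avoid the false positives a regex produces; this block only shows where in the pipeline such a check sits.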

As secure coding becomes a more prominent goal for executives, the use of SAST is seeing growth within organisations around the world and now in China. This does not come without its challenges. Many organizations struggle to build a culture around secure coding, as it is hard to change old habits and ensure automated security controls are embedded in the development process. The cost of remediation and the enormous costs of security breaches should be enough incentive for CTOs and CEOs to make the change, yet there is always counter-pressure from market opportunity and demand. You only need to look at the damaging incidents at IoT device companies such as Xiaomi to understand how a lack of emphasis on secure coding can impact them. The rush to get products to market as quickly as possible has had detrimental effects on companies. Xiaomi, for example, recently saw one of its home surveillance cameras receive images from different cameras around the world. This happened even without the devices being hacked by a malicious attacker. As a result, Google immediately blocked Xiaomi from its Nest smart home products, impacting its sales.

To give you an idea of the cost savings that can be created by using SAST tools, we can refer to a study by the Systems Sciences Institute at IBM. They found that it would cost a company 6 times more to fix a bug during implementation than to fix it during design. The cost of fixing during testing would be 15 times more than during design. Worse still, it is 100 times or more costly to fix after the product has been released.

Xcalibyte’s enterprise SAST tool is Xcalscan. By combining compiler-level technology for more in-depth source code analysis with rules built to align with software standards such as CERT, Xcalscan is able to deliver a high level of accuracy in defect detection and strong compliance with industry standards. Xcalscan has been designed to work seamlessly within your development environment and can be tailored for specific requirements such as CI/CD.

To adopt shift-left testing, a company must embrace a quality-first mindset and a security-by-design approach. In practical terms this means job descriptions need to be broadened, investments must be made in training, and testing teams must work more closely with development teams. Everyone must be in sync. Remember, quality is the responsibility of all.