The benefits of shift-left testing, which moves software testing earlier in the SDLC, have been widely promoted: earlier bug detection, cheaper fixes, faster releases, and better overall quality and value for customers and stakeholders. Adoption has been strong, with one notable exception: security testing.
While some organizations have started to get on board with shift-left for security testing, many still focus solely on penetration tests, which are authorized, simulated cyberattacks on a computer system conducted just before release into production. Relegating security testing to the end of the line means that any vulnerabilities built into the code get a free ride into higher, more complex and integrated environments, where they can dig in and be harder and costlier to fix.
“New security vulnerabilities are constantly cropping up,” says Dayasagar Siddapura Krishnappa, VP of Qualitest’s Cyber Security Delivery. “That’s why we need continuing, end-to-end testing, starting with scanning the source code the moment developers begin writing it and then embedding testing all the way through the SDLC in an automated CI/CD pipeline. If you’re deploying at production, it’s already too late.”
Shift-left testing often necessitates a shift in attitudes and practices as well. A DevOps methodology—called DevSecOps when security is incorporated—is essential to manage the short sprints, constant releases, nonstop automated feedback and cross-collaboration required. It’s a lot of change for some stakeholders, and they don’t always embrace it right away.
To build trust and gain consensus, Daya recommends starting small. “If you go into a big organization, they’ll have multiple projects and hundreds of different source code repositories and so many projects going on. We don’t want to take a Big Bang approach, where we’re deploying these tools for every repository and every pipeline. Instead, we’ll start with a small pilot project. like a proof of concept, so we can demonstrate the advantages with minimal disruption.”
A complete suite of security scans will examine applications from the source code and design through higher environments, looking from the inside out and outside in, testing open source and third-party libraries and more. The scans should be done by security engineers, not functional or automation engineers, and cover:
“Companies doing only penetration testing on release candidates are performing none of these,” Daya comments. “As just one example of what ignoring those tests can mean to quality, take Apache log4j®, a Java-based open-source software. In 2021, a vulnerability in its logging library exposed hundreds of millions of devices to malicious attacks exposed hundreds of millions of devices to malicious attacks. An SCA test could have identified that vulnerability and it could have been fixed way before release.”
Since automation goes hand in hand with effective shift-left, how should you go about finding the right tools and platforms? Every company is different, with different goals and its own culture and environment. The right automation framework and tools require careful, customized consideration.
Before recommending an automation framework, quality engineers assess the company’s current capabilities and practices using a checklist of areas and factors such as:
Find out how specialized security testing, enhanced by shift-left, can keep your company and your customers safer from cyber attacks. Talk to our experts now.