The benefits of shift-left testing, which moves software testing earlier in the SDLC, have been widely promoted: earlier bug detection, cheaper fixes, faster releases, and better overall quality and value for customers and stakeholders. Adoption has been strong, with one notable exception: security testing.  

While some organizations have started to get on board with shift-left for security testing, many still focus solely on penetration tests, which are authorized, simulated cyberattacks on a computer system conducted just before release into production. Relegating security testing to the end of the line means that any vulnerabilities built into the code get a free ride into higher, more complex and integrated environments, where they can dig in and be harder and costlier to fix.   

New security vulnerabilities are constantly cropping up,” says Dayasagar Siddapura Krishnappa, VP of Qualitest’s Cyber Security Delivery. “That’s why we need continuing, end-to-end testing, starting with scanning the source code the moment developers begin writing it and then embedding testing all the way through the SDLC in an automated CI/CD pipeline. If you’re deploying at production, it’s already too late.”  

To make big changes, start small

Shift-left testing often necessitates a shift in attitudes and practices as well. A DevOps methodology—called DevSecOps when security is incorporated—is essential to manage the short sprints, constant releases, nonstop automated feedback and cross-collaboration required. It’s a lot of change for some stakeholders, and they don’t always embrace it right away.  

To build trust and gain consensus, Daya recommends starting small. “If you go into a big organization, they’ll have multiple projects and hundreds of different source code repositories and so many projects going on. We don’t want to take a Big Bang approach, where we’re deploying these tools for every repository and every pipeline. Instead, we’ll start with a small pilot project. like a proof of concept, so we can demonstrate the advantages with minimal disruption.”  

Putting security to the test

A complete suite of security scans will examine applications from the source code and design through higher environments, looking from the inside out and outside in, testing open source and third-party libraries and more. The scans should be done by security engineers, not functional or automation engineers, and cover:     

  • SAST (Static Application Security), which involves scanning the source code. This is white-box testing, from the inside out, providing in-depth visibility to source code and design documents.  
  • DAST (Dynamic Application Security), which simulates real-time attack scenarios on the application in a black-box mode—from the outside in.  
  • IAST (Interactive Application Security), in which testers run an agent in the application that identifies the vulnerabilities at an interactive level, as when automation scripts are run or the application is manually accessed.   
  • SCA (Software Composition Analysis), which scans all the open-source/third-party libraries in use for vulnerabilities and licensing issues.   
  • SCT (Security Controls Testing), where security tests are automated and integrated into the CI/CD pipeline just like functional tests. 

“Companies doing only penetration testing on release candidates are performing none of these,” Daya comments. “As just one example of what ignoring those tests can mean to quality, take Apache log4j®, a Java-based open-source software. In 2021, a vulnerability in its logging library exposed hundreds of millions of devices to malicious attacks exposed hundreds of millions of devices to malicious attacks. An SCA test could have identified that vulnerability and it could have been fixed way before release.”

Automation checklist: Finding the right tools for your company

Since automation goes hand in hand with effective shift-left, how should you go about finding the right tools and platforms? Every company is different, with different goals and its own culture and environment. The right automation framework and tools require careful, customized consideration.   

Before recommending an automation framework, quality engineers assess the company’s current capabilities and practices using a checklist of areas and factors such as:  

  • CI/CD Integration 
  • Cloud Support 
  • Container/Image Scanning 
  • Custom Policies & Rules 
  • Dashboards  
  • DAST, SAST, SCA, IAST Solutions  
  • Deep Binary Scanning 
  • IaC Scanning (Infrastructure as Code) 
  • IDE Integration 
  • Maintenance and Support 
  • Opensource/Commercial 
  • SBOM (Software Bill of Materials Feature) 
  • Technology Supported 
  • User Management 
  • Vulnerability Database 

Key takeaways

  1. Despite its proven benefits, shift-left has not been widely adopted for security testing. Continued reliance on penetration tests performed pre-production exposes source code unnecessarily to vulnerabilities throughout the SDLC.  
  2. The collaborative, sprint-based approach that is essential for effective shift-left testing requires a cultural and organizational shift as well. To build trust and overcome resistance, a proof of concept is often helpful. 
  3. A full suite of security scans, including SAST, DAST, IAST and SCA, embedded in the CI/CD pipeline is crucial to protect customers and ensure high performance.  
  4. Choosing the right automation framework and tools requires careful consideration of a company’s capabilities, practices and tech landscape.  

Find out how specialized security testing, enhanced by shift-left, can keep your company and your customers safer from cyber attacks. Talk to our experts now.   

quality engineering free assessment