In software development, defects become more time-consuming and more expensive to fix the longer they go unnoticed. Find them too late in the development cycle, and you risk a delayed launch. If vulnerabilities survive into the shipped product, attackers may exploit them, which leads to angry customers and stressed employees. The cheapest defect to fix is the one that is caught before it is written, or at least before it reaches production.
“Shift Left” may be a tech buzzword, but in practice, it can make your organization more efficient. In software development, it means considering application security and testing for vulnerabilities earlier in the development cycle. A company that successfully shifts left can reduce costs, increase efficiency, and protect its reputation.
The Difference Between an SDLC and a Secure SDLC
Regardless of which practice a company uses as it releases new software (for example, Agile, Waterfall, Scrum, and so on), its Software Development Lifecycle (SDLC) typically consists of the following six phases:
- Planning: The senior members of the team decide how to approach the project.
- Defining: The team defines what it needs to finish the product through an SRS (Software Requirement Specification) document. The customer or market analysts will look over and, if satisfied, approve it.
- Designing: Using the SRS, the team develops a DDS (Design Document Specification). A DDS maps out the architecture of the product and is reviewed by all stakeholders.
- Building: The developers build the product.
- Testing: The developers test for, find, and fix product defects.
- Deployment and Maintenance: The company releases the product to market, possibly in stages. They then maintain the product as needed.
In this model, some companies only consider application security during the Testing phase. By then the software is fully built and the SDLC is almost over, so design-level weaknesses are expensive to correct and are often deferred instead. The result is undetected vulnerabilities, improper handling of customer data, and, eventually, breaches.
But a Secure SDLC (SecSDLC) integrates application security into every stage of the existing SDLC:
- Governance accompanies Planning: The team develops a security plan. Developers are trained on securing code.
- Design accompanies Defining and Designing: The team identifies potential threats and designs security controls against them. For example, suppose an attacker tries to brute-force a login by submitting a list of common passwords against an account. The team could design a lockout that blocks further attempts on an account after five consecutive incorrect passwords. A practitioner would also note the trade-off: a lockout keyed only on the username lets an attacker deliberately lock legitimate users out, so it is usually paired with a time-limited lock, rate limiting by source, or both.
- Implementation accompanies Building: Developers build the software against agreed secure-coding standards in a standardized, repeatable way. During this phase, the team also specifies how security bugs are collected, recorded, and analyzed.
- Verification accompanies Testing: This stage defines how the company performs security testing. Teams typically combine Static Application Security Testing (SAST), which analyzes source code or binaries without running them, with Dynamic Application Security Testing (DAST), which probes the running application for exploitable behavior.
- Operations accompanies Deployment and Maintenance: This stage defines how an organization responds to security threats or breaches and how it will continue to maintain app security after the product hits the market.
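The account-lockout control from the Design bullet, as an added example that is not code from the original article. It is a small in-memory lockout tracker: five consecutive failures lock the account for an assumed 15-minute window, a successful login resets the counter, and the lock is checked before the password is evaluated so a locked account leaks nothing. The `LoginGuard` class, the constants, and the injectable clock are illustrative assumptions, not any product's API.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Design decisions from the threat model (assumed values for this example):
MAX_FAILURES = 5            # five wrong passwords in a row ...
LOCKOUT_SECONDS = 15 * 60   # ... lock the account for 15 minutes, not forever,
                            # so an attacker cannot permanently deny service
                            # by hammering a victim's username.


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means "not locked"


class LoginGuard:
    """In-memory lockout tracker (hypothetical helper).

    A real deployment would keep this state in a shared store such as a
    database or cache so every application instance sees the same counters.
    The clock is injectable so the lockout window can be tested deterministically.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._state(username).locked_until

    def attempt(self, username: str, password_ok: bool) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'denied'.

        `password_ok` is the verdict of the real credential check (assumed to
        be done elsewhere). The lock is evaluated BEFORE that verdict is used,
        so a correct password against a locked account is still rejected and
        the response does not reveal whether the guess was right.
        """
        state = self._state(username)
        now = self._clock()

        if now < state.locked_until:
            return "locked"

        if password_ok:
            # Success clears the failure streak and any expired lock.
            state.failures = 0
            state.locked_until = 0.0
            return "ok"

        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0  # start a fresh streak once the lock expires
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(MAX_FAILURES):
        print(guard.attempt("alice", password_ok=False))  # denied x5
    print(guard.attempt("alice", password_ok=True))        # locked
```

Note that the guard returns the same `denied` string for an unknown username as for a wrong password; returning a distinct answer would turn the login form into a username enumeration oracle, which the brute-forcer would happily use to shorten its list.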
Implementing DevSecOps
To switch from an SDLC to a Secure SDLC, you first have to create a culture that embraces security. Because the Shift Left concept isn’t new, some employees may have heard of it or even worked in a Secure SDLC before. To get your team on board, you can follow some key best practices:
1. Appoint a Security Champion to act as a liaison between the security and the dev team.
2. Offer training opportunities for employees.
3. Discuss how a Secure SDLC is more efficient in the long run.
4. Incentivize training opportunities.
5. Choose the right testing tools. Though automated tools aren’t perfect and will never replace people, the right ones can be a big help and save time.
Once the SecSDLC is in place, highlight and reward successes, such as standout security features or bugs the team finds and fixes early. Eventually, the return on investment shows up as time and money saved, confident employees, happy customers, and, most importantly, more secure products.