There’s nothing quite like pushing security testing left — as in, blindly shifting the burden onto the laps of developers, regardless of whether development is the best/most cost effective/most appropriate time to test in the Software Development Life Cycle (SDLC) — because of a made-up statistic plucked from Application Security (AppSec) Never Never Land.
Earlier this month, Contrast Security co-founder and CTO Jeff Williams, writing for Forbes Technology Council, recounted the fairy-tale statistic that’s been floating around for years: namely, the notion that a vulnerability remediated early in the Software Development Life Cycle (SDLC) costs 100 times less to fix than one remediated in production.
Forbes Technology Council is an invitation-only community for CIOs, CTOs and technology executives. In his article, Williams suggests that the “100 times less expensive” statistic “might not even exist.”
“It was included in a chart figure that was used for internal training without any available supporting data before eventually being quoted in a book,” he writes. “Everybody then started citing the book.”
If Williams’ suspicion is right, then just like that, the shift-left dogma was written onto tablets of stone to be handed down from the AppSec Mount Sinai, for better or worse.
And mind you, shift left can bring both better and worse, and the “worse” has been eliciting mounting pushback. There are multiple issues with unquestioning adherence to the shift-left rule, Williams says: Developers don’t necessarily have the tools and expertise needed to run security testing, for one thing. Another issue to consider: Does shift left actually result in fewer vulnerabilities?
“If it does, how far left should we shift?” Williams ponders. “Should we shift into the automated build pipeline where quality tests are run, or should we shift even further left into the integrated development environment (IDE)? Can we shift too far?”
At any rate, Williams explains that, although experts generally agree there are benefits to shifting left, later studies found that the cost to fix bugs is about the same no matter when they are fixed.
There’s a better approach to AppSec, he says.
Think before you shove left: Shift smart instead
Check out the Forbes Technology Council article for Williams’ nuanced critique of unquestioning shift-left adherence and to get his take on what makes a ton more sense: namely, shifting smart.
“Rather than blindly shifting left or blindly shifting everywhere, organizations should shift smart. One key factor is to perform security testing only when you have enough ‘context’ — the details of how an application or [application programming interface, or API] actually functions — to accurately identify real, exploitable vulnerabilities.”
Stay tuned for Williams’ next article for the community, where he’ll outline five shift-smart principles that can help teams stay on top of every kind of vulnerability.
