Shift smart instead of following shift-left fairy tales

There’s nothing quite like pushing security testing left — as in, blindly shifting the burden onto the laps of developers, regardless of whether development is the best/most cost effective/most appropriate time to test in the Software Development Life Cycle (SDLC) — because of a made-up statistic plucked from Application Security (AppSec) Never Never Land. 

Earlier this month, Contrast Security co-founder and CTO Jeff Williams, writing for Forbes Technology Council, recounted the fairy tale statistic that’s been floating around for years: namely, the notion that remediating vulnerabilities earlier in the Software Development Life Cycle (SDLC) is 100 times less expensive than bugs fixed in production. 

Forbes Technology Council is an invitation-only community for CIOs, CTOs and technology executives. In his article, Williams suggests that the “100 times less expensive” statistic “might not even exist.” 

“It was included in a chart figure that was used for internal training without any available supporting data before eventually being quoted in a book,” he writes. “Everybody then started citing the book.”

If Williams’ suspicion is right, then just like that, the shift-left dogma was written onto tablets of stone to be handed down from the AppSec Mount Sinai, for better or worse. 

And mind you, there are both better and worse that can come from shift left, and the “worse” has been eliciting mounting pushback. There are multiple issues with unquestioning adherence to the shift-left rule, Williams says: Developers don’t necessarily have the tools and expertise needed to run security testing, for one thing. Another issue to consider: Does shift left actually result in fewer vulnerabilities? 

“If it does, how far left should we shift?” Williams ponders. “Should we shift into the automated build pipeline where quality tests are run, or should we shift even further left into the integrated development environment (IDE)?” Williams ponders. “Can we shift too far?”

At any rate, Williams explains that, although experts generally agree there are benefits to shifting left, later studies found that the cost to fix bugs is about the same no matter when they are fixed. 

There’s a better approach to AppSec, he says. 

Think before you shove left: Shift smart instead

Want to know what kind of sludge-storm unleashes when you shift left at the wrong time, at the wrong place in the development life cycle, and/or without getting communications ironed out? To hear two Application Security (AppSec) gurus dish on the subject, check out this Code Patrol podcast, where Williams dives into the details with Chris Hughes, Chief Information Security Officer and Co-Founder of Aquia, a Service-Disabled, Veteran-Owned Small Business specializing in cloud and cybersecurity professional services. Shift smart isn’t about shoving a Sec tool into a DevOps pipeline, they stress. Rather, it’s about transforming the nitty-gritty work of security, which is still composed of big, monolithic tasks — such as pen testing — that are simply overwhelming. 

You can check out the Forbes Technology Council article for Williams’ nuanced critique of unquestioning shift-left adherence and to get his take on what makes a ton more sense: namely, shifting smart. 

“Rather than blindly shifting left or blindly shifting everywhere, organizations should shift smart,” he writes. “One key factor is to perform security testing only when you have enough ‘context’ — the details of how an application or [application programming interface, or API] actually functions — to accurately identify real, exploitable vulnerabilities.”

If you’re nodding your head and saying “OK, I got it, where do I start?” check out the second installment of Williams’ Shift-smart series on Forbes Technology Council, where he outlines five shift-smart principles that can help teams stay on top of every kind of vulnerability. Namely: 

1. Harden your software stack.
2. Test what matters when it matters!
3. Test with the best.
4. “Notify left.”
5. Optimize for learning.

Read more:

• Application Security (Part 1): 'Shifting Left' Or Shifting Smart?
• Application Security (Part 2): Five Principles For ‘Shifting Smart’
• Considered harmful: Blindly shifting left
• Contrast customer Derek Fisher on how to empower dev & security teams