Author Attribution: This post was written by a guest blogger: Mark Miller, Founder and Curator of Trusted Software Alliance.
In a “50-in-50” interview on the Trusted Software Alliance site, Gary McGraw talked about the concept of ‘moving left’, or ‘shifting left’ when it comes to application security in the software life cycle. Traditional development leaves security testing to the end of the development phase where, if security problems are exposed as part of the testing process, decisions must be made on how best to handle the discoveries. Too often, time pressures and financial considerations make it impossible to properly handle the vulnerabilities before pushing to production. The onus is pushed to the Ops team to handle as best they can.
A typical scenario is shown in the first diagram. The development phase assumes an Agile cycle of 14 days. Around the 12th day of the cycle, the Dev team implements security testing. If problems are found during the test phase, there is a good possibility the app will still be moved into production, with the assumption that the Ops team will handle the problems as they are reported during usage.
The development phase assumes an Agile cycle of 14 days.
What happens if security testing happens earlier in the cycle, as shown in the next diagram? This illustrates the concept of ‘moving left’, pushing the security tests closer to the beginning of the development process. Not only does it give more time to handle the vulnerabilities, it saves money in the long run because of lower maintenance and the costs of fixing problems within the production environment. The final Dev security tests are still run during the test phase, but the initial test is pushed to the left, 5 days earlier.
Security testing happening earlier in an agile development cycle.
Taking the concept to its logical conclusion, what happens if testing is included at the instant a component is consumed within the Dev environment? Most would agree that trusted software begins with trusted components, but where is the best place within the application life cycle to test those components? The premise of ‘moving left’ is to identify and test the components early and test the application often.
What if testing is included at the instant a component is consumed within the Dev environment?
The most recent survey by Sonatype confirms that 80% of most major Java applications are built from components. There can be literally thousands of open source components within these applications. Once a component has been placed into production, it is virtually impossible to track and maintain without automated, consistent testing.
‘Moving left’ begins an automated security checking process as early in the life cycle as possible, testing the component for governance issues, compliance issues, licensing issues as well as software vulnerabilities. With development cycles getting shorter and shorter and the possibility of pushing to production multiple times per day, testing at the beginning of that cycle is not only smart it is critical for managing and maintaining secure systems.
