Under the traditional, waterfall-style development practices that dominated until at least the mid-90s, most testing was conducted at the end of the production cycle (plotted on a development timeline, it sits at the far right). Shift-left takes that timeline and moves testing earlier in the development process (to the left).
Early testing in the creation process is known as “shifting left” and is considered an Agile practice, promoting sooner and more frequent testing across the software development lifecycle. It is generally accepted that this model gives earlier awareness of potential development issues and bugs, and the adage “Fail Fast, Fail Often”, realized through an iterative continuous integration/continuous delivery (CI/CD) approach, is a core principle of Agile development philosophy.
As an application moved through origination, design, development, coding, and testing, security was invariably the final step before deployment, and it was usually applied from outside the application just before release to end users.
Times and priorities, thankfully, have changed. With the recent Log4j vulnerability (Log4Shell) and the recurring weakness classes catalogued in the OWASP Top 10, such as injection, broken authentication, sensitive data exposure, broken access control, and security misconfiguration, pressure-testing applications to expose security risks before release has never been more important.
Shift-Left Testing and Cybersecurity
Integrating security tightly into the software development process leads to a clearer working relationship between DevOps and security teams and an improved security posture, compared with testing and bolting on a security solution in the final stages of application delivery. This approach is very often substantially quicker, too, because it avoids the late-stage bottleneck that can jeopardize project delivery schedules.
Testing early (“shift-left”) and more frequently can reduce costs, shorten time to market, and prevent unexpected errors. It does, however, require security teams to have scheduled access to, and visibility of, applications from inception to completion, which for a variety of reasons is not always practical.
Automating Shift-Left Testing
In an Agile environment, security teams are asked to move faster to reduce time to market while still vouching for the security of each release. A solid strategy for mitigating newly disclosed (zero-day) vulnerabilities in the third-party and open-source code an application depends on is needed as an integral part of the development process, not as an afterthought. At the same time, security teams are often under increasing pressure to reduce testing costs.
Solutions exist to help busy security teams pursue better security practices and more frequent product testing, offering out-of-the-box shift-left capability at an affordable price.
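The concrete shape of a shift-left gate for third-party code is a check that runs on every commit and fails the build when a pinned dependency falls inside a known-vulnerable version range. The following is an added illustration, not Imperva's product code or anything from the original post: the advisory list, the package names and the requirements file are all constructed sample data, and the half-open range logic (introduced <= version < fixed) mirrors how real advisory feeds express affected ranges.

```python
"""Shift-left dependency gate: fail the build when a pinned third-party
package falls inside a known-vulnerable version range.

Added illustration only. ADVISORIES and SAMPLE_REQUIREMENTS are constructed
sample data, not a real vulnerability feed or a real project's pins.
"""
from dataclasses import dataclass
import re
import sys


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple   # first affected version (inclusive)
    fixed: tuple        # first fixed version (exclusive); () means no fix yet
    note: str


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))


# Constructed advisories: fictional packages, shaped like real feed entries.
ADVISORIES = [
    Advisory("examplelog", parse_version("2.0.0"), parse_version("2.15.0"),
             "remote code execution via lookup substitution (sample entry)"),
    Advisory("examplelog", parse_version("2.15.0"), parse_version("2.16.0"),
             "incomplete fix, denial of service (sample entry)"),
    Advisory("widgetparser", parse_version("1.0.0"), (),
             "path traversal, no fixed release yet (sample entry)"),
]

# Only exact '==' pins are trusted; loose specifiers cannot be checked reliably.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_requirements(text):
    """Return {package: version_tuple} for exact pins; comments, blank lines
    and loose specifiers such as '>=' are skipped."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins


def affected(version, adv):
    """Half-open range check: introduced <= version < fixed (or unfixed)."""
    if version < adv.introduced:
        return False
    return not adv.fixed or version < adv.fixed


def scan(requirements_text, advisories=ADVISORIES):
    """Return a list of (package, version, note) findings for vulnerable pins."""
    pins = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        ver = pins.get(adv.package.lower())
        if ver is not None and affected(ver, adv):
            findings.append((adv.package, ".".join(map(str, ver)), adv.note))
    return findings


# Constructed requirements file, as a CI job would read it from the repo.
SAMPLE_REQUIREMENTS = """\
# pinned runtime dependencies (sample)
examplelog==2.14.1
widgetparser==1.3.0
safelib==4.2.0
loose>=1.0   # not an exact pin, ignored by the gate
"""

if __name__ == "__main__":
    results = scan(SAMPLE_REQUIREMENTS)
    for pkg, ver, note in results:
        print(f"VULNERABLE {pkg}=={ver}: {note}")
    # A non-zero exit makes the CI stage fail: that is the shift-left point.
    sys.exit(1 if results else 0)
```

Run as a pipeline step, the non-zero exit blocks the merge rather than leaving the finding for a pre-release review. Note the edge case on the boundary: a pin of exactly the fixed version is not flagged, while a pin equal to the introduced version is, which is why the range is half-open.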
A comprehensive Web Application and API Protection (WAAP) stack, as part of your security toolkit, can protect an application from the edge to the database. The aim is that the traffic you receive is the traffic you want, and that customer transactions and sensitive data are appropriately protected, which further reduces the risk introduced by third-party code. Bear in mind that a WAAP filters traffic at the boundary; it complements fixing or upgrading the vulnerable dependency itself, and does not replace it.
While “Fail Fast, Fail Often” is a good mantra for security teams in application development, it is important to know how to “fail properly” and to see how you can succeed. Clear data reports and actionable alerts are therefore critical both to immediate security and to future development. Up-to-the-minute knowledge of possible issues and vulnerabilities is not always possible, but this is where security software, backed by a team of experts and crowd-sourced data, can be invaluable.
Runtime Application Self-Protection (RASP) lets organizations mitigate attempts to compromise applications and data by building security directly into the application runtime, adding protection inside the running application wherever it is deployed. Applications are protected in real time by analysis of both application behaviour and context; with that visibility into the data flow, runtime protection can detect, block, and report attacks immediately. This protects an application from within against data theft, malicious inputs, and unexpected behaviours, and reduces, though it does not remove, the need for continuous monitoring by the security team.
Making the Shift
Shift-left testing operates under the philosophy that prevention is better than cure, and that alone may be argument enough to secure investment from your C-suite.
As part of any unified test strategy, testing more frequently and receiving alerts of real value, instead of a flood of possibly irrelevant messages, means development and security teams know the strength of their security posture and, where necessary, can focus their efforts accordingly.
If you would like to know more about Web Application Firewall (WAF), Web Application and API Protection (WAAP), or Runtime Application Self-Protection (RASP), we are always happy to offer any help and advice you might need.