Shifting Left and Rethinking Features for Secure, Quality Software

By Satish Gannu

August 7, 2024

In the fast-paced world of technology, the concept of "shifting left" has gained significant traction, particularly in cybersecurity and quality assurance. The term "shift left" refers to the practice of integrating testing and quality measures earlier in the development lifecycle. However, many discussions around this concept often end with the notion of testing early. This is a narrow view of a much broader principle.

To truly embrace the essence of shifting left, we must extend it beyond the security and development teams to the leadership within organizations—the CTO, CIO, and ultimately CEO. This shift in mindset can transform how we approach both cybersecurity and quality.

The Bug Spectrum

A pervasive myth in the industry is that a security bug is distinct from a quality bug. In reality, when a bug is discovered, it is fundamentally a quality issue that becomes a security vulnerability when exploited. 

While we do have dedicated security testing and classify the bugs found as security bugs, many vulnerabilities and attacks stem from quality bugs being exploited. This misconception can lead to a fragmented approach where quality and security are treated as separate entities rather than interrelated aspects of the same problem.

Integrating Cybersecurity into the SDLC

The Software Development Life Cycle (SDLC) is a critical framework that guides the development of software products. For shifting left to be truly effective, cybersecurity must be integrated into every stage of the SDLC. Every individual involved in product development should receive thorough training on cybersecurity principles and practices.

This training should not be a one-size-fits-all approach but should be tailored to different stakeholders, from developers to executives. Moreover, training is only effective if it can be applied practically on a daily basis. In large organizations with vast and complex codebases, this daily application is a significant challenge, but it must be overcome to ensure robust security practices.

Cultivating a Security-Conscious Culture

For too long, product developers have operated under a mentality where if a product doesn’t work, a reboot or hotfix is the immediate solution. There’s an underlying belief that these products are not being sent to Mars, so such quick fixes are acceptable.

However, this mindset must change. It is well-known, albeit rarely admitted, that the more code we write, the more bugs we create, potentially leading to more security vulnerabilities. Instead of rushing to deploy new features, we must prioritize building resilient, secure products from the outset. This requires a cultural shift where quality and security are seen as shared responsibilities rather than isolated tasks.

Rethinking Feature Velocity

This brings us to a crucial question: do end customers really need all these new features? Consider, for example, any phone or browser we use today. With every release, new features are introduced, but on average, users are unaware of or do not utilize many of these new features.

Personally, I use my smartphone and browser the same way I did when they first came out years ago. Many features deliver little value, failing to generate a return on investment. 

Pendo's research revealed that an astonishing 80% of software features are rarely or never used, and publicly traded cloud software companies have collectively invested up to $29.5 billion in developing these underutilized features.

The implication here is profound: instead of focusing on feature velocity, we should prioritize security and quality. The resources spent on developing underutilized features could be better invested in ensuring that the core functionalities of a product are secure and reliable.

The Imperative of Cybersecurity

All these points converge on one critical realization: focusing on cybersecurity requires commitment and time from everyone in the organization. Even if we are not shipping our product to Mars, we need to treat its security with similar seriousness.

Contract terms typically protect technology companies from liability, allowing them to launch products with known issues and subsequently issue patches to fix these vulnerabilities. While this approach can support rapid innovation and deployment, it also shifts the cybersecurity burden onto end-users, who must contend with problematic updates, potential disruptions, and vulnerabilities in the meantime. Ultimately, customers bear the cost not only financially but also by facing the risks and problems associated with potential security issues.

A recent IBM report found the average cost of a data breach to be a staggering $4.88M, a 10% increase over last year and the highest total ever. Moreover, according to cybersecurity statistics, identifying a security breach takes more than 206 days, giving attackers ample time to exploit vulnerabilities and cause significant damage.

Currently, the cost of cybersecurity failures is borne primarily by customers, rather than the product builders. This misalignment of responsibility highlights the need to ensure that products are secure and reliable.

It's Time to Act

To effectively prioritize cybersecurity, CEOs, GMs, CPOs, and CTOs must all take a hard look at feature velocity and consider reducing it. This reduction will provide the necessary time to focus on security, which undeniably requires more attention as the complexity of our products increases with each additional feature and line of code.

It is time for a fundamental shift in our approach, driven from the top, to ensure that cybersecurity is ingrained in the DNA of product development. Shifting left should not stop at early testing but should continue all the way to the CEO.

In conclusion, by broadening our understanding of shifting left and rethinking feature velocity, we can create products that are not only innovative but also secure and reliable. 

Chief Product and Technology Officer