The old saying “an ounce of prevention is worth a pound of cure” certainly applies to software development. To capture that benefit, the software industry has embraced the idea of “shifting left”: moving work earlier, toward the left end of the timeline in the linear (aka waterfall) method of software development.
Even though linear software development has largely been replaced with the more circular CI/CD approach, the idea of shifting left still makes sense, although maybe now it should be referred to as “shifting counterclockwise”.
According to 3Pillar Global, “Shift left isn’t exactly new. The concept dates back to the 1950s and was designed for a much different technological landscape than what we’re working with in the 2020s.” Catching problems early has always made sense. But back then, shift left had a very specific meaning.
What Shifting Left Was
From the beginning, shifting left really meant shifting testing left. In other words, start testing your software sooner in the development process. From Cloud Native Wiki, “Shift left testing makes it possible to identify and fix defects much earlier in the software development lifecycle. This streamlines the development cycle, dramatically improves quality, and enables faster progression to later stages for security analysis and deployment.”
If you search the term “shift left”, most of what comes back is articles about shift left testing. That’s because finding problems earlier in the software development cycle is a good idea, and the first way developers thought to do that was through testing.
When it comes to eliminating security threats, though, shift left testing has one drawback: it may find threats, but it doesn’t mitigate them. And in a world that has morphed into DevOps, there’s a better way to shift left.
What Shifting Left Has Become
What’s better than shifting testing left? Shifting security left. Again from Cloud Native Wiki, “To shift security left means to implement security measures during the entire development lifecycle, rather than at the end of the cycle. The goal of shifting security left is to design software with security best practices built-in, and to detect and fix potential security issues and vulnerabilities as early in the development process as possible, making it easier, faster, and more affordable to address security issues.”
The point is not just finding threats, but mitigating them too. To be sure, shifting testing left has value, but shifting security left has even more.
The Value of Shift Left Security
According to an IBM study reported on in the DevOps Zone, fixing a software defect in the maintenance phase costs 100x more than fixing it in the design phase. Fixing it in the testing phase still costs 15x more, and even in the implementation phase it costs 6.5x more.
The bottom line? When it comes to finding security threats in software, ideally you want to shift all the way left to the design phase. And one of the best ways to do that is with threat modeling.
Threat modeling helps you model, and therefore find, your software’s security vulnerabilities in the design phase, whether you’re doing more traditional software development or true DevOps.
Of course, the discipline of threat modeling helps with finding threats early in the software lifecycle, but not necessarily with mitigating them. And that’s where ThreatModeler comes in. ThreatModeler is an automated threat modeling platform that helps developers visualize threats and makes recommendations for their mitigation during the design phase. No security expertise required.
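As an added illustration of what the two paragraphs above describe, here is a small threat-model-as-code script in Python. It is not code from this post and not ThreatModeler’s product: it takes a design-level data-flow model (elements in trust zones, flows between them), flags threats on flows that cross a trust boundary or consume untrusted input, and attaches a recommended mitigation to each, all before any application code exists. It uses STRIDE categories, which the post does not name, and the element names, zones, rules and sample design are constructed assumptions.

```python
"""Design-phase threat enumeration over a data-flow model (threat model as code).

Elements sit in trust zones; a flow whose endpoints are in different zones
crosses a trust boundary. Each rule maps a design weakness to a STRIDE
category and a mitigation, so threats are found and addressed before code exists.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Element:
    name: str
    kind: str           # "external", "process" or "datastore"
    zone: str           # trust zone label; differing zones mean a trust boundary
    logs: bool = False  # datastore keeps an audit log of writes


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    encrypted: bool = False      # channel is encrypted (e.g. TLS)
    authenticated: bool = False  # destination authenticates the source
    validated: bool = False      # destination validates the input it receives


@dataclass(frozen=True)
class Threat:
    category: str   # STRIDE category
    flow: str
    description: str
    mitigation: str


def crosses_boundary(flow: Flow) -> bool:
    return flow.src.zone != flow.dst.zone


def analyze(flows: list[Flow]) -> list[Threat]:
    """Apply the design rules to every flow and return the threats they expose."""
    found = []
    for f in flows:
        label = f"{f.src.name} -> {f.dst.name} ({f.data})"
        if crosses_boundary(f) and not f.encrypted:
            found.append(Threat("Information disclosure", label,
                                "data crosses a trust boundary in the clear",
                                "encrypt the channel (TLS) before it leaves the zone"))
            found.append(Threat("Tampering", label,
                                "unencrypted data can be modified in transit",
                                "use an authenticated, encrypted channel"))
        if crosses_boundary(f) and not f.authenticated:
            found.append(Threat("Spoofing", label,
                                "destination cannot tell who the source is",
                                "authenticate the caller (mTLS, signed tokens)"))
        if f.src.kind == "external" and f.dst.kind == "process" and not f.validated:
            found.append(Threat("Tampering", label,
                                "untrusted input is consumed without validation",
                                "validate and constrain input at the boundary"))
        if f.dst.kind == "datastore" and not f.dst.logs:
            found.append(Threat("Repudiation", label,
                                "writes to the store leave no audit trail",
                                "enable tamper-evident logging of writes"))
    return found


# Constructed sample design (not from any real system): a browser talks to a
# web API in a DMZ, which writes orders to a database in an internal zone.
BROWSER = Element("Browser", "external", "internet")
WEB_API = Element("Web API", "process", "dmz")
ORDERS_DB = Element("Orders DB", "datastore", "internal")

INITIAL_DESIGN = [
    Flow(BROWSER, WEB_API, "login credentials", encrypted=True),
    Flow(WEB_API, ORDERS_DB, "order records", authenticated=True),
]

# The same design after applying the recommended mitigations.
HARDENED_DB = replace(ORDERS_DB, logs=True)
HARDENED_DESIGN = [
    Flow(BROWSER, WEB_API, "login credentials", encrypted=True,
         authenticated=True, validated=True),
    Flow(WEB_API, HARDENED_DB, "order records", encrypted=True, authenticated=True),
]


def report(threats: list[Threat]) -> str:
    """Render the threat list one line per finding, with its mitigation."""
    lines = [f"[{t.category}] {t.flow}: {t.description} -> {t.mitigation}" for t in threats]
    return "\n".join(lines) if lines else "no threats found"


if __name__ == "__main__":
    print("Initial design:\n" + report(analyze(INITIAL_DESIGN)))
    print("\nHardened design:\n" + report(analyze(HARDENED_DESIGN)))
```

Run as a script, the initial design yields five findings (spoofing and unvalidated input on the login flow; cleartext disclosure, tampering and missing audit logging on the database flow), and the hardened design yields none. The rules are deliberately simple; the point is that they run against the architecture diagram, which is the leftmost artifact a team produces, so the mitigation lands in the design rather than in a test report.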
If you’d like to learn about the fastest and easiest way to find and mitigate security threats early in the software development lifecycle, click here to request a free demo.