Shifting Left in the SDLC

You are in charge of releasing a product that will let people exchange life-saving items directly with the people who produce them. Your product is going to change the world as we know it, and you are nearing the end of the process. You go to use your technology one more time before you show it to your shareholders and it starts to glitch: you keep pressing save and continue, but there is no redirection. A control flow error. The security assessment finds that you are going to have to pay an additional $90,000 to fix the issues and delay the release by six weeks.

So now you have paid:

(1) $20,000 for a security assessment

(2) $90,000 to fix

(3) Add six weeks to your timeline, which means you lose out on $125,000 in revenue.

Now you have spent an additional $235,000.

As the founder, do you accept the risk and release the technology to please your shareholders (or even just to stay in business), or do you pay the money to fix it and release it safely?

Let us shift left in time and see how shifting left in the development lifecycle could have prevented this costly situation from ever occurring.

Shifting Left vs Shifting Right

Shift left is a methodology in cybersecurity that moves security earlier in the software development lifecycle. By testing code early and often, the quality of the code increases and the chance of shipping bugs decreases. The aim is to avoid finding bugs late in the development process, when going back to repair them costs thousands to hundreds of thousands of dollars.
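What "testing early and often" looks like in practice is an automated gate that runs on every change, so a defect is caught minutes after it is written rather than in a pre-release assessment. The following is an added example, not code from the original post or from SecureState's product: a deliberately small, regex-based source check of the kind a pre-commit hook or CI job would run. The rule set, the function names and the sample source it scans are all constructed for this illustration.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    rule: str
    text: str


# Hypothetical rule set for this example. Real pipelines use a full SAST
# tool; the point here is where the check runs (on every commit), not the
# sophistication of the rules.
RULES = {
    "hardcoded-secret": re.compile(
        r"""(?i)\b(password|passwd|secret|api_key|token)\s*=\s*['"][^'"]+['"]"""),
    "eval-call": re.compile(r"\beval\s*\("),
    "shell-true": re.compile(r"shell\s*=\s*True"),
    "tls-verify-off": re.compile(r"verify\s*=\s*False"),
}


def scan_source(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match in the given source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # ignore comment-only lines
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(lineno, rule, stripped))
    return findings


def gate(source: str) -> int:
    """Pre-commit style gate: exit status 0 when clean, 1 when anything matched."""
    findings = scan_source(source)
    for f in findings:
        print(f"line {f.line}: [{f.rule}] {f.text}")
    return 1 if findings else 0


# Constructed sample input (not from any real code base) with two defects
# that would otherwise surface only in a late security assessment.
SAMPLE = '''import requests
import subprocess

API_KEY = "sk_live_abc123"          # secret committed to source
resp = requests.get(url, verify=False)  # TLS verification disabled
subprocess.run(cmd, shell=False)
'''

# The same change after the developer fixed it at their desk.
HARDENED = '''import os
import requests

API_KEY = os.environ["API_KEY"]
resp = requests.get(url, timeout=5)
'''

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE))
```

Wired into a pre-commit hook or a CI step that fails the build, `gate` turns the $80-at-the-desk finding into the normal case and reserves the expensive external assessment for what automation cannot see.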

Research from the Ponemon Institute in 2017 found that a vulnerability detected early in development costs around $80 on average to fix, while the same vulnerability costs around $7,600 to fix if it is detected after it has moved into production. (1)


We at SecureState want developers to avoid practices where testing is only carried out at the end of the software development life cycle.


Shifting right is the complementary practice of testing after deployment, in production. It can help a company by:

  • Ensuring performance and usability under real conditions
  • Validating a working hypothesis by testing the product with real users
  • Collaborating with the target audience to determine what works and what doesn't

Why Would Companies Want to Change?

To make it simple: a security defect is more expensive to fix the later in the development lifecycle it is found.

If you find a bug in the design phase, the cost is minimal, perhaps as low as $50 for the security engineer's time to report it. HOWEVER, if that same bug is already embedded in the code, you would have to:

(1) pay for the penetration test that finds it, which costs thousands of dollars

(2) pay a developer to fix it, which could mean a week or more of remediation effort

(3) accept the risk that it is already being exploited

The findings from a penetration test at the end of the development lifecycle compete with business priorities:

  • Making Revenue
  • Acquiring Clients
  • Expanding Product

AND nine times out of ten they are deprioritized in favor of the bottom line.

Have Companies Just Started Shifting Left?

Programmers in the 1950s knew it was efficient to start testing early in the process, so they did just that. There was no dedicated tester profession at the time: the same people who wrote the code were the ones who questioned whether it had flaws, and they did so throughout the life of the project.

Benefits of Making The Change

What exactly does a company gain from making the switch?

  1. Bugs are found earlier in the development cycle
  2. Security checks can be automated
  3. Lower cost of fixing bugs, because they are found early
  4. A higher-quality product, because fewer patches are needed
  5. Less chance of missing a shareholder deadline
  6. Higher customer satisfaction from a safer product

How To Get Started

Shifting left is no easy task, but with SecureState's Product Security Software we can help you shift at your own pace, under an affordable subscription model with a developer-friendly platform.

To learn more, let's talk.