Shifting Left

Published Sep 22, 2017
by Pieter Danhieux
cASE sTUDY

Shifting Left

Published Sep 22, 2017
by Pieter Danhieux
View Resource
View Resource
tl;dr?

tl;dr?

If a developer writes a cross-site scripting error as they're coding in JavaScript, and they're able to detect that within minutes of creating that flaw, it will likely only require minutes or seconds to fix.

Whereas if that flaw is discovered two weeks later by a manual tester, that's going to be then entered into a defect tracking system. It's going to be triaged. It's going to be put into someone's bug queue.

With the delay in identification, it will have to be researched in its original context and will slow down development. Now, you're potentially talking hours of time to fix the same flaw. Maybe a scale of 10 or 100 times more time is taken

I couldn't agree with Chris Wysopal (CTO, Veracode) more in his recent podcast with O'Reilly Security Podcast where he explains why shifting security to the left (to developers at the start of the development life cycle) is key in an agile environment to keep up the pace and speed.

Security should be made easy for developers by using IDE plug-ins, scanners and educating them to have the basic security skills (hygiene). Organisations should not be solely relying on security experts or a centralised security team who validates all changes.

Our typical security modus operandi is broken (call in the expert!) and we need to integrate security into development teams to ensure quality is maintained whilst staying agile.

https://www.oreilly.com/ideas/chris-wysopal-on-a-shared-responsibility-model-for-developers-and-defenders

View Resource
View Resource

Author

Pieter Danhieux

Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.

Want more?

Dive into onto our latest secure coding insights on the blog.

Our extensive resource library aims to empower the human approach to secure coding upskilling.

View Blog
Want more?

Get the latest research on developer-driven security

Our extensive resource library is full of helpful resources from whitepapers to webinars to get you started with developer-driven secure coding. Explore it now.

Resource Hub

Shifting Left

Published Mar 07, 2023
By Pieter Danhieux

If a developer writes a cross-site scripting error as they're coding in JavaScript, and they're able to detect that within minutes of creating that flaw, it will likely only require minutes or seconds to fix.

Whereas if that flaw is discovered two weeks later by a manual tester, that's going to be then entered into a defect tracking system. It's going to be triaged. It's going to be put into someone's bug queue.

With the delay in identification, it will have to be researched in its original context and will slow down development. Now, you're potentially talking hours of time to fix the same flaw. Maybe a scale of 10 or 100 times more time is taken

I couldn't agree with Chris Wysopal (CTO, Veracode) more in his recent podcast with O'Reilly Security Podcast where he explains why shifting security to the left (to developers at the start of the development life cycle) is key in an agile environment to keep up the pace and speed.

Security should be made easy for developers by using IDE plug-ins, scanners and educating them to have the basic security skills (hygiene). Organisations should not be solely relying on security experts or a centralised security team who validates all changes.

Our typical security modus operandi is broken (call in the expert!) and we need to integrate security into development teams to ensure quality is maintained whilst staying agile.

https://www.oreilly.com/ideas/chris-wysopal-on-a-shared-responsibility-model-for-developers-and-defenders

Fill out the form to access the full report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.