How to implement Shift Left in my team
By now the Shift Left approach holds almost no secrets for you. After our first article, Understanding the software development best practices, followed by a quick introduction to the need for tools to shift left in our second article, we wanted to hand one more tool set over to you. You are ready to shift, but taking the team with you is a challenge? Don’t worry: here are some tips and some pieces of information to get started and spark a conversation that leads the way to a new software development lifecycle.
How about a few key figures to support your arguments?
It’s your turn to spark a conversation about shift-left in your team.
• 72% of firms acknowledge that software testing is key to successful continuous delivery but only 53% have shifted all types of testing to earlier in the developer lifecycle.
• Forrester surveyed advanced Agile & DevOps firms and identified that only 30% monitor unit test pass/fail ratio and 28% monitor code coverage (but 58% of them have some kind of unit testing automation).
>>> 📈 Shifting left means creating a competitive advantage and being ahead of other companies.
• Out of those companies, 15% think their test suites give them a good indication of business risk, but 53% think that high quality determines the success of customer-facing software releases.
>>> 🗯 End users are not loyal to bug-filled software and do not persist through a poor user experience. Yet too few companies are doing what is needed to avoid this!
• 63% consider the number of unit tests prioritised by risk as one of their top desired metrics but only 15% of them can actually track that metric today.
>>> 🦄 Ponicode enables you to do exactly that with its risk ranking and code coverage monitoring capabilities.
Shift Left is also a matter of software security
It would be unfathomable to discuss the direct impact of code quality, bugs and UX issues on the company turnover and reputation without engaging in code security. With the acceleration of digitalisation across all industries, we have discovered how vulnerable our companies are to cyber attacks and data leaks. Yet a survey administered to developers, application security experts and DevOps engineers in the corporate environment uncovered that a staggering 89%* of them find that the strong disconnect between developers and cybersecurity teams is a source of significant decreases in productivity. In the past few years, in the wake of the development of the shift left approach, code security experts started to assess how early detection of code security vulnerabilities could give a company better control over its risk and cost management.
As early as 2010, IBM’s System Science Institute shared figures that were already underlining the parallel with the code quality approach to shifting left: “the security defects identified in the testing phase are 15 times more expensive than the design phase”**. The industry is now becoming more at ease with the term shift left security, and the idea that moving security controls to the earliest possible phase of the development life cycle has become the new best practice to follow.
Get familiar with Shift Left Security Tools
• Static Application Security Testing (SAST) - automatically scans your codebase to detect known vulnerability patterns. This test does not require the code to be compiled, and it can be applied to code as it is being written.
• Dynamic Application Security Testing (DAST) - detects vulnerabilities in running applications. It can help you find common security issues such as SQL injections or runtime errors.
• Interactive Application Security Testing (IAST) - a mix of DAST and SAST. It deploys in the runtime environment, observes attacks and identifies vulnerabilities.
• Runtime Application Self Protection (RASP) - scans once the application starts running and tries to protect against malicious actors by analysing the behaviour of the application.
• Static scanning based tools
• Container scans
• Compliance scans
• Secret detection
• Dependency scans
It’s time to promote Shift Left Security!
According to a survey from Gitlab, 70% of programmers are expected to write secure code, but only 25% think their organisation’s security practices are “good.”*
Some good practices to get started with shift left implementation.
⭕️ Identify your company software development lifecycle — Each company has their own specificities, make sure you and all stakeholders of software development at your company have a clear and common vision of this lifecycle. Knowing where you come from will make it easier to know where you are going.
⭕️ Define a shift-left strategy — Build a master document with the key elements of your strategy. One reference to define the why, what, who, how, when and where of your shift left (& shift left security) approach. This will make it easier to refocus in times of doubt and to onboard new stakeholders to your project.
⭕️ Automate where you can — Agile pipelines and continuous development can only be sustained by increasing automation, together with code quality and code security focused tools. Getting help with these tasks will free up developer time and enable them to refocus on high value steps and incremental innovation.
⭕️ Create systematic checkpoints to find code defects — Checkpoints at all stages to find defects and vulnerabilities are a key element of shifting left. Many tools out there can support your effort to do so. The famous saying “test early and test often” should be your software bumper sticker. The goal is to build processes supported by automation where developers can check code security and quality as they code, get feedback as fast as possible and have tools to remediate vulnerable code efficiently. This will reduce the productivity-killing context switching implied by developing new features while fixing bugs and vulnerabilities in code and in production at the same time.
⭕️ Shifting left is a matter of company culture — Your DevOps team can be the ambassador of security and quality awareness for your developers. Cooperation should be the source of a smooth transition from your existing lifecycle to the new shift left approach.
⭕️ Work with your team to invest in proper tooling — While the software engineering team can feel reluctant to change and uncomfortable getting outside of their comfort zone, they can still be great advisors when picking the right tools. Your priority should be to enable your developers to create secure, quality code without using more time or resources. Shifting left without overburdening your developers is important to create new habits and maintain the new code quality and code security standards brought to them by the shift left approach.
⭕️ Empower software engineers with access to knowledge — Shifting left is an ever-evolving process: new tools and new processes are created every day, so it is critical to provide your team with continuous training in high quality and secure coding methods.
⭕️ Beware of Alert Fatigue! With the increasing number of bug detection applications and code quality tools out there, you are at risk of an overwhelming amount of notifications and alerts. This could kill the software engineering team's productivity and result in missing the truly important alerts.
As you are shifting left and tooling yourself accordingly, always make sure to optimise alert management and create accountability for it. Reduce false positives over time, automate responses to reduce the load on human intervention, and make sure that the most important alerts always reach a team member who is accountable for escalating or dismissing them.
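As an added illustration of the alert-management advice above (not code from the original article or from Ponicode), here is a small Python triage step that could run at the end of a CI security stage: it drops duplicate findings, suppresses fingerprints that were previously reviewed and accepted, and routes what remains to an accountable owner by severity. The finding field names, severity ranking, owner map and sample findings are all constructed assumptions.

```python
from hashlib import sha256

# Constructed sample findings, shaped like the output of SAST, secret-detection
# and dependency-scan steps of a CI pipeline (field names are assumptions).
FINDINGS = [
    {"tool": "sast", "rule": "sql-injection", "file": "app/db.py", "line": 42, "severity": "high"},
    {"tool": "sast", "rule": "sql-injection", "file": "app/db.py", "line": 42, "severity": "high"},
    {"tool": "secrets", "rule": "aws-key", "file": "tests/fixtures.py", "line": 3, "severity": "critical"},
    {"tool": "deps", "rule": "outdated-lib", "file": "requirements.txt", "line": 1, "severity": "low"},
    {"tool": "sast", "rule": "weak-hash", "file": "app/legacy.py", "line": 10, "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Accountable owner per path prefix (assumed team names); critical findings
# bypass this map and always go to the security on-call.
OWNERS = {"app/": "team-backend", "tests/": "team-qa", "requirements.txt": "team-platform"}


def fingerprint(finding):
    """Stable id for a finding. Line numbers are left out so an accepted
    exception is not re-raised every time unrelated edits move the code."""
    return sha256(f"{finding['tool']}|{finding['rule']}|{finding['file']}".encode()).hexdigest()


# Baseline of fingerprints a human has reviewed and accepted (constructed):
# here a documented exception for a weak hash in a legacy module.
BASELINE = {fingerprint({"tool": "sast", "rule": "weak-hash", "file": "app/legacy.py"})}


def owner_for(path):
    for prefix, owner in OWNERS.items():
        if path.startswith(prefix):
            return owner
    return "unowned"  # surfaces an accountability gap instead of hiding it


def triage(findings, baseline):
    seen, result = set(), []
    for f in findings:
        fp = fingerprint(f)
        key = (f["tool"], f["rule"], f["file"], f["line"])
        if fp in baseline or key in seen:
            continue  # accepted exception or exact duplicate: no alert
        seen.add(key)
        owner = "security-oncall" if f["severity"] == "critical" else owner_for(f["file"])
        result.append({**f, "fingerprint": fp, "owner": owner})
    # Most severe first so the alert a person reads first is the one that matters.
    result.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return result
```

Running `triage(FINDINGS, BASELINE)` leaves three alerts out of five: the duplicate and the accepted exception are gone, and the critical secret finding is routed to the on-call before the high-severity SAST hit.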
Companies might have been led to think that they are doing their best for quality assurance because they have an entire team dedicated to this purpose. However, software architects and software engineers haven’t been kept in the loop when it comes to software quality and security matters, resulting in the situation we face now.
Shifting left is key to being able to create industrial-grade software at scale and helping your business enter industry 4.0. Every step of your software development lifecycle is an opportunity to reduce quality and security defects and to get you closer to the zero-defect level of quality that the software industry has been waiting for.
We hope that you are now feeling clear about Shift Left and equipped to lead the change in your team. These few words are a summary of our team’s experience as well as the research we have done over the past few years, but there is much more available out there.
Here are three pieces of content to keep the conversation going
And of course you can get started with Ponicode to reduce bugs and remove testing bottlenecks altogether.