Since 2001, when Larry Smith coined the term "shift left", application development has seen a gradual change in its testing approach. In line with agile practices, quality assurance in most businesses now follows the practice of testing early and often. Unfortunately, this trend has not yet fully caught on in security practices.
Enterprises that develop their own web applications using agile methods often still rely on a dedicated security team. That team typically starts working on the application only once a release has reached a staging server, or later. Because security teams are usually small and understaffed, this leads to two major problems:
- The security team becomes a bottleneck. Security testing delays the application release because of the large queue of tasks that security analysts have to work through.
- If security problems are found, the release has to go back to the development stage. The problems then have to be fixed by people who did not introduce them, and even when the same engineer is responsible for remediation, they have to refresh their memory of code they worked on some time ago.
To eliminate these problems, modern enterprises switch from DevOps to DevSecOps or, even better, SecDevOps. However, security testing early in the SDLC is not possible unless you have tools that can support it.
Our whitepaper, How to Secure Thousands of Websites with a Small Security Team, discusses this problem and shows how modern web vulnerability management software can help you follow the shift left principle in security testing.