Security by design and security testing in software development: the solutions

The ability of cyber security groups to get involved in the company’s innovative projects and the success of giving birth to new digital solutions with requirements for cyber security within it is an indicator of organizational maturity. An approach based on “design security“Able to increase the robustness of the solutions while ensuring better efficiency thanks to the reduction of costly” rework “before rollout (release control).

The concept of “shift left”

The ability to instantly include security in sequential software development processes (which include definition of requirements, analysis, design, software code creation, functionality testing, and production releases in sequence), has led the experts in “software development“To invent the phrase ‘shift left’.

25 May 2022 – 14.30

Cybersecurity 360Summit: new strategies, new threats and new defenses!

The “shift to the left” is also increasingly used for the test world (including security systems), which were previously only performed at the end of the process to create application software code.

Application issues that are identified late in the software development process cause costly redesigns and delays (increase in Time To Market). The idea of ​​”shift left” used for testing is to involve teams of testers in the early stages of the process and to perform testing throughout the software development cycle. The following image shows graphically this concept.

Shifting to the left is about doing things earlier in the development cycle.  Source: van der Cruijsen 2017.

There are four ways to move tests to the beginning of the life cycle; these states of development are called “shift to the left” traditional, incremental tests, Agile / DevOps and “model based”.

In the article, I focus only on what I personally experienced in the company, therefore Shift Left Testing Traditional and Shift Left Agile / DevOps.

Traditional left shift test

The traditional Shift Left Testing moves the test activity further down and to the left in the V model (typical of application validation frames), as shown in the next image.

In addition to the classic end-to-end functionality test at the end of the process (eg system test, user interface test), Traditional Shift Left Testing focuses on device and integration testing run directly in the development environment at both static and dynamic code level.

Shift left Tester Agile / DevOps

In recent years, many companies struggling with the digital transformation of their old IT systems or the digitization of their sales processes (think of the omni-channel issue) have taken agile development methods, using an approach to software development involving mixed workgroups of developers and experts in User Experience and Marketing (“”team“and”originates“). Development occurs in incremental cycles and rapid releases (usually every 15 days).

In the specific case of DevOps, software development methods and tools based on “continuous integration” (There is “continuous delivery“(CD). (5, 6)

The Agile and DevOps methods therefore allow for several V (“sprint “) short-lived instead of a single or small number of Vs; the numerous “sprint “ is represented in Figure 3 and represents the most significant difference with respect to Traditional “shift-left” test.

Figure 4: Agile / DevOps Shift left

Shift Left Security

The benefits of “shift left” are not unique to the development cycle testing process (quality assurance), but can also help improve the effectiveness of cybersecurity control on new products and services.

If the application has been checked to identify security issues since the beginning of the development, it is highly unlikely that serious problems will arise in the final phase of the test, with the risk of having to block the implementation of the solution.

A security test performed in the early stages of software development leads to identifying problems that are usually small and cheaper to solve.

Another important benefit of “Shift Left Security” is related to the prior identification of the security standards to be adopted during application development (I am thinking, for example, of OWASP for web applications).

Once developers are informed in advance of the security standards to be adopted, the development team may be more aware of the steps to be taken to ensure compliance with these standards and to incorporate them into their own code.

In case of using DevOps, you can use “continuous integration“(CI) to improve security as well as speed up application development and quality control cycles. That “continuous integrationHelps to easily create and maintain development and test environments (called “application builds”) that are tailored to the production environment. This ability to create ad hoc “application builds” allows you to protect the production environment (avoid any change of the same due to incorrect configurations or unintended consequences of safety tests) and ensures greater freedom and flexibility in performing safety tests on environments coordinated with production.


The digitization of applications and the emergence of new software development methods (Agile / DevOps) to complement traditional (sequential – waterfall) requires “shift to the left” of safety requirements and testing.

The “Shift left” approach is effective in ensuring that safety is taken into account early in the design of the solution and by enabling early detection of errors and cybersecurity issues, making the software development lifecycle faster, more reliable and more secure.

The guide to choosing the best free antivirus for your PC


Leave a Comment