Shift security left for a gift that keeps on giving the whole year

Why an aggressive Shift Left approach is the best gift of all.

Shifting security left isn’t like the scratchy sweater from your grandmother or a pink bunny suit from your Aunt Clara. It’s one of the good gifts, one of the big ones. Like a puppy or a trip to Disney World, it’s one of those whole-family, everyone-loves-it gifts. It’s got perks for the security team, the development team, and even the organization as a whole.

Gift for developers

You know what’s not a good gift? When security comes bearing a long list of testing results late in the game. Revisiting months-old code to find and fix flaws is a cumbersome, time-consuming momentum-killer. But quick, easy and early security testing you do yourself within your IDE means you find and fix flaws when it’s easiest, and cheapest, to do so. Then, as you learn from this early feedback, secure coding becomes second nature, and your fingers produce clean, secure code the first time around – meaning you deal with fewer security issues overall. We’ve seen this happen in our own customer base – those who test early and often see a 48 percent better fix rate than those who only conduct security-led testing toward the end of the development process. Our gift to you – try it out yourself for free with the CA Veracode Greenlight Free Trial.

Gift for security

Do you want to spend your time hunting down and harassing developers to fix security issues in their code? What if developers did the bulk of the testing, and you spent more time focused on creating policy, tracking KPIs, and working with developers to create secure code, rather than against them? That’s the reality when security shifts left. You get to focus on more value-added tasks and less on bugging developers. But to make this DevSecOps model work – where developers are testing and security is overseeing – you’ll have to give developers a gift first. Most developers want to code securely, but simply don’t have the know-how. Get your developers some training this holiday season. Again, pulling from our customer data, when developers received eLearning on secure coding, fix rates improved by 19 percent. Our customers who use remediation coaching to guide their developers in managing flaws found improve fix rates by an impressive 88 percent.

Gift for all

Application-layer breaches are causing significant damage to brands, bottom lines and executive careers. But with the extreme pressure to keep up with the competition and get functioning code out the door quickly, security testing is often conducted half-heartedly or overlooked completely. How do you keep up with the competition and avoid breaches? That’s right – shift security left. When security testing is embedded seamlessly into developer tools and processes, it doesn’t slow developers down, and they won’t feel the need to bypass it. You then create code that’s on time and secure. In this way, security, rather than creating reputation-ending headlines for you, actually becomes a competitive advantage. Now that’s a great gift!


Blog by Gabriel Martinez, product marketing manager for DevOps and Cloud, CA Technologies; and Suzanne Ciccone, senior marketing analyst, CA Veracode
