COVID-19 has accelerated the need for secure, high-quality software. As an example, Microsoft announced the availability of new threat intelligence sharing feeds due to the surge in the number of cyber and phishing attacks targeting stay-at-home workers. These types of services, along with secure practices embedded throughout the Software Development Lifecycle (SDLC), have value for healthcare companies that govern and protect large volumes of sensitive, HIPAA-compliant personal health information. What can every healthcare company do to improve the security and quality of their deployed code?
Traditional Waterfall software development
Traditional software development lifecycles like waterfall tend to flow linearly from left to right: Idea, Requirements, Design, Coding, Code-Freeze, Testing, and finally deployment to Production. A typical cycle would take 6 months, maybe 3 months. The term shift-left refers to moving the testing for quality and security as far left as possible in this lifecycle. Studies have shown that 56% of software defects emerge during the requirements phase, 27% in the design phase, and only 7% in the development phase. Furthermore, fixing a defect in the design phase is about 100x less expensive than fixing it in production. Hence, a shift to the left for quality and security testing, closer to the idea generation phase, makes a lot of sense.
Agile-Scrum software development with DevOps practices
Modern Agile-Scrum practices coupled with DevOps discipline deliver value to customers more frequently, in a continuous manner. A great visual (shown below) from "Continuous testing in DevOps", discussed in the blog article "Shift left, shift right – what are we shifting, and why?", explains the required evolution in culture! In this model, quality and security testing and analysis shift left and shift right to every phase of the lifecycle.
- Quality Assurance (QA) testing, as shown in the figure, needs to occur at every stage and is NOT relegated to traditional QA Analysts. In fact, the scrum team is entirely responsible for quality testing and quality by design at all stages.
- Similarly, security testing and analysis need to occur at every stage of the lifecycle: security during design, static analysis embedded in code development environments, and scanning and penetration testing in production. The Open Web Application Security Project (OWASP), an open community initiative dedicated to improving software security, has some great guidelines in this regard.
Illustration from “Continuous testing in DevOps”, Dan Ashby.
At Matrixcare, we follow Agile-Scrum and DevOps best practices for software development. We strive to continuously improve quality and security for our healthcare products by promoting a culture of self-organizing, empowered teams with security and testing embedded in every stage of the SDLC!