
Manage web security like a pro: Shift-Left strategy
The most public and infamous data security breach in Finland is the Vastaamo data breach. In October 2020, Vastaamo, a Finnish psychotherapy center, suffered a significant cyberattack where hackers accessed and stole sensitive patient records of over 33,000 individuals. The Finnish public sector has also faced several significant security breaches, all because crucial security updates were not applied in time. The Helsinki City breach from last year has been the biggest in Finland ever. These incidents highlight just how vital it is to prioritize security in software development and solutions management. At Digitalist, we’re committed to keeping our projects secure and resilient against cyber threats by using advanced tools and security best practices.
Our Security Specialist Aka briefly explains how web security management is done like a boss.
You already know why security updates matter
Security updates are like the routine maintenance checks for your car—they're essential to keep everything running smoothly. These updates patch vulnerabilities that hackers could exploit, fix bugs discovered post-deployment, and enhance security features. Ignoring these updates can leave systems exposed, potentially leading to data breaches, loss of sensitive information, and serious financial and reputational damage.
In the past year alone, Finland has witnessed several significant security breaches affecting both public and private sectors:
- Valio Data Breach (December 2024): Unauthorized access to Valio's network exposed personal data of approximately 70,000 people, leading to a police investigation.
- Nordnet Technical Incident (February 2025): A technical issue caused customers to see incorrect account information, prompting a temporary shutdown of digital services.
- Sambla Group Data Security Neglect (March 2025): The Finnish Data Protection Authority fined Sambla Group €950,000 for inadequate data security measures that exposed customers' loan applications to third parties.
These incidents underscore the critical importance of timely security updates and robust data protection measures. Let's prioritize safeguarding our projects against cyber threats by implementing advanced tools and adhering to security best practices.
A report from IBM found that the average cost of a data breach in 2023 was $4.45 million. In 2024 that number climbed to $4.88 million. That’s a hefty price to pay for something preventable. In another example, the 2017 Equifax breach, which affected 147 million people, happened because a known vulnerability was left unpatched. This oversight resulted in a massive financial and reputational fallout for the company.
How we manage security like professionals
To safeguard our projects, our approach is to apply a shift-left security strategy in our software development lifecycle. What this means is that we apply security practices to identify and remedy potential issues early and continuously in our development process to stop potential security vulnerabilities before they move forward to production. "Shifting left" means integrating processes like testing earlier in the software development timeline to catch and fix problems promptly, leading to more robust and reliable software.
Having a shift-left security strategy enables us to do the following:
Automation:
Implementing automated processes leads to reduced human errors and fewer production issues. With the ability to conduct multiple tests simultaneously, test coverage is increased, allowing testers to focus on other tasks.
Fast delivery:
Shift Left security streamlines the release process by enabling DevOps and security teams to work in parallel. This results in improved software quality as issues can be identified and resolved earlier in the development cycle.
Our strategy includes using tools such as Platform.sh Observability Suite and Aikido security platform, and also using methods such as threat modeling.
Platform.sh Observability Suite:
The Platform.sh Observability Suite is crucial for our security efforts. It provides real-time monitoring and alerts, helping us manage our systems proactively. This suite lets us track performance metrics, detect anomalies, and quickly respond to potential threats before they escalate.
Aikido Security Platform:
Aikido is another cornerstone of our security strategy. This all-in-one application security platform offers a comprehensive set of tools for advanced code and cloud vulnerability assessment and scanning.
Threat modeling:
Threat modeling is a systematic approach used to identify, analyze, and address potential security threats to a system or application. This goes hand-in-hand with our shift-left security strategy. It involves understanding the assets to be protected, identifying possible attackers and their motivations, and determining the attack vectors they might exploit. By creating a model that represents these elements, we help organizations anticipate and mitigate risks early in the project’s development and before they manifest.
Here are just a few types of analysis and tests we use:
- Static Code Analysis (SAST): Identifies vulnerabilities in our source code early in the development process.
- Infrastructure Code Scanning (IAS): Ensures our deployment configurations are secure.
- Open Source Dependency Scanning (SCA): Checks third-party libraries for known vulnerabilities.
- Surface Monitoring (DAST): Scans the production application for potential vulnerabilities.
- Malware Detection: Keeps our systems clean of malware in packages that is not yet known in any CVE database.
- License and SBOM Compliance: Manages software licenses and ensures transparency in our software supply chain.
A continuous development workflow for serious security
In our agile continuous development workflow, security updates are seamlessly integrated. Here’s a snapshot of how we manage it:
- Identify: Continuous monitoring tools flag any vulnerabilities.
- Assess: Our security team evaluates the risks and prioritizes updates.
- Develop/mitigate: Developers create patches or updates in the next sprint cycle.
- Pentest: Updated code undergoes rigorous testing, including automated security tests.
- Deploy: Once tested, the update is deployed, often through automated pipelines.
- Monitor: Post-deployment, the system is closely monitored to ensure the update’s effectiveness and stability.
This proactive approach ensures that security is always at the forefront, minimizing risks and maintaining system integrity.
Keeping up with the game
Staying ahead of potential vulnerabilities through timely security updates and comprehensive security solutions is crucial. We continuously invest in advanced tools and practices to protect our projects and ensure compliance with regulatory standards. By doing so, we not only safeguard our clients' data but also fortify our reputation as a leader in secure application development and solutions management.