Sonar.tv

Secure in Design: How Implementing Good Quality Methodology Delivers Better Software Security

Code Security | March 13th, 2025 | 53:10 | Part of SCSE

An architectural perspective on how embedding security-by-design principles and code quality methodology from the start produces software that is measurably more secure and easier to audit.

Introduction to Secure by Design

During a recent webinar hosted by SonarQube, Jonathan Slaughter, Security Governance Officer at Sonar, discussed the critical intersection between code quality and software security. With over 20 years of experience in quality management and security across highly regulated industries including life sciences, healthcare, automotive, and energy, Slaughter presented a compelling case for implementing quality methodologies early in the development lifecycle. The core message was straightforward yet powerful: good quality is security, and doing it right the first time represents one of the most effective security practices organizations can implement.

Understanding Quality vs. Good Quality

A fundamental distinction emerged early in the presentation: quality and good quality are not synonymous terms. While quality itself is merely a measurement—defined as the standard of something measured against similar things—good quality is an outcome. Drawing from medical device and pharmaceutical industry definitions, good quality means a product is "effective and appropriate for present and anticipated future circumstances," operating as intended and fitting its purpose. To illustrate this difference, Slaughter used a golf analogy: two players might both shoot significantly over par, but one shoots 46 while the other shoots 48. The winner has better quality in relative terms, but neither demonstrates good quality in absolute terms. This distinction matters profoundly for security, where organizations must achieve secure outcomes rather than simply optimize relative metrics.

The Cost of Accepting Inadequate Standards

The presentation challenged organizations' acceptance of standards like 99.9% quality, demonstrating why such figures can be dangerously misleading when divorced from real-world consequences. At a 99.9% success rate, approximately 4,400 newborns would be delivered to the wrong parents annually, 880,000 credit cards would contain incorrect cardholder information, and 291 pacemaker operations would be performed incorrectly each year. These stark examples revealed that system measurements divorced from outcomes fail to capture actual impact. By shifting the focus to early detection and correction of defects in the design and development stages, organizations can dramatically reduce both security vulnerabilities and overall costs, spending time and energy where code quality directly supports secure code development.

Shifting Left: A Strategic Approach to Security

The webinar emphasized the importance of a "shift left" approach to quality and security implementation. This methodology prioritizes addressing quality issues as early as possible in the development lifecycle, particularly during the design stage, rather than attempting to remediate problems later in production. By tackling quality proactively from the beginning, organizations achieve the most accurate and secure software at the lowest cost. This approach aligns with decades of quality management principles from pioneers like Walter Shewhart and W. Edwards Deming, whose statistical quality control methods demonstrated that prevention is far more effective—and economical—than inspection and correction after the fact.

Key Takeaways

  • Good quality is security: Implementing proper quality methodologies from the design stage is one of the single most effective security practices organizations can adopt
  • Distinguish outcomes from metrics: Raw percentages like 99.9% quality are insufficient; organizations must focus on whether products achieve their intended purpose safely and securely
  • Shift left in the development lifecycle: Addressing quality and security issues early in design and development phases is more effective and cost-efficient than fixing problems later
  • Context matters: Quality measurements have no meaning apart from their organizational context and intended outcomes
  • Quality and security intersect: Both disciplines aim to achieve specific outcomes; integrating them throughout development delivers optimal application health and maximum organizational value