What is “shift left” security?

Software development pipelines typically cycle through key four processes — design, development, testing and software or update releases. Traditional pipelines perform quality and security tests only after completing the development phase. Ofcourse there will always be things to fix in code. However if these need architectural changes then fixing them in the end will be very expensive. Once issue is detected at this stage, it takes a really long time to access and design appropriate remediation. There will be processes to follow, timelines to follow and ofcourse additional testing. If its a complex software with too many additional complex interconnected systems then its gets unmanageable to remediate these easily.

Shifting security to the left means introducing the security checks in the development phase. This means we are designing the codebase and supporting architecture to be secure from the start rather than making it a checklist to be checked at the end of software development cycle. The System Sciences Institute at IBM found that addressing security issues in design was six times cheaper than during implementation. The same study also found that addressing security issues during testing could be 15 times costlier. Shifting security left properly recognizes its importance and makes more individuals responsible for its implementation. Developers should be aware of the overarching security implications of their code, without relying on a dedicated team’s audits. That’s not to say a separate team is completely redundant: a pre-launch review is still a good idea but it should be less time-consuming if security’s already baked in from the beginning.

Security teams also need to understand the development team’s perspective too. Implementing the most stringent security measures can add code complexity, increasing the project timeline and make it impossible at times to be 100% compliant. This touches on project management teams and business stakeholders, both of which also benefit from better visibility into the app’s security posture.Beyond your software components, you must also look at your networking stack and any physical devices in your infrastructure. People who oversee these systems need to be informed of the company security baselines too.

“Shifting left” refers to elevating security’s position in the software development lifecycle to one of priority and continual reference. It challenges the perception that security’s often an afterthought, assessed hastily right before a new system launches. Tackling security on day one gives the teams greater peace of mind, more collaboration between team members, and earlier discovery of issues. You won’t be chasing security problems late in the day, as they’ll show up during planning, development, or code review. This helps releases flow smoothly and safely. So , better shift now than later. Have tooling which supports these both in early and later stage, try to have same system than using multiple systems which just creates confusion.


Technology geek 🤓 who still reads

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store