DevSecOps Blueprint: from Vulnerability Management and Security-by-Design to Pipeline Integrity

Shift Left

What is Shift Left Security?

Shift Left: where does it come from?

Shift Left comes from the way a Software Development Life Cycle is usually drawn, as four steps from left to right: Develop, Build, Test and Deploy. Developers sit at the left end of that process, so anything moved towards them, testing and security included, is considered "shifted left".

At the core of the shift left approach is the idea that processes need to run earlier in the software development process, where the developers are. By moving steps like testing and security into the development stage, fewer mistakes pass through to the later stages of the Software Development Lifecycle. In practice it usually means less work for QA and lower remediation costs for the business.

---

Shift Left security: why choose this approach?

As DevOps is quickly gaining momentum everywhere, developers and cybersecurity teams are faced with new challenges: information systems are progressively being decomposed as a mesh of distributed (micro)services all over the world, leading to an explosion of interconnectedness and making the idea of central supervision worthless.

Companies are therefore starting to understand that cybersecurity concerns require the same kind of culture shift that moved the industry forward twenty years ago, and that while collaboration is still a necessity, it is not sufficient on its own.

The Cloud Security Alliance (CSA) put it very clearly: “Security can be achieved only when it has been designed in. Applying security measures as an afterthought is a recipe for disaster”.

This is exactly why the DevSecOps movement emerged in the first place, but shifting security left also means that you need to provide developers with the tools to do their job securely without adding extra work. In other words, it means baking security best practices right into the developer’s toolchain. Fortunately, modern continuous integration pipelines are the perfect place to run custom automated security checks that find vulnerabilities before code is deployed.

A good example of shift left security is automated vulnerability detection run at the developer level, directly on the code. GitGuardian secret detection is a good illustration of this approach put into practice, and you can read a more detailed article about it on our blog.
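As an added illustration of such a developer-level check (example code written for this page, not GitGuardian's detector or any code from the original article): a minimal Python scanner that inspects only the added lines of a staged diff for key-shaped or high-entropy assigned values, so a commit can be blocked or a notification raised before it leaves the developer's machine. The sample diff, the token patterns and the entropy threshold are constructed assumptions for this example.

```python
import math
import re

# Constructed sample of a staged diff (not from the original page): one AWS-style
# key and one high-entropy token are added; a removed line and a placeholder are not.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = "REMOVED"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme"
+API_TOKEN = "x9Fq2LmZ8vT4kR7pW1sN6bH3jD5yC0aE"
 TIMEOUT = 30
"""

# Illustrative token formats (assumed patterns, not a vendor's rule set).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(
        r"(?i)(secret|token|password|api[_-]?key)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s):
    """Bits of entropy per character; random-looking values score higher."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_diff(diff_text, entropy_threshold=4.0):
    """Return (file, line_no, rule) for secrets found in added lines of a unified diff."""
    findings, current_file, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            # Hunk header gives the starting line number on the new side of the file.
            line_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            line_no += 1
            added = line[1:]
            if PATTERNS["aws_access_key"].search(added):
                findings.append((current_file, line_no, "aws_access_key"))
            else:
                m = PATTERNS["generic_secret"].search(added)
                # Only flag assigned values that look random; skip low-entropy placeholders.
                if m and shannon_entropy(m.group(2)) >= entropy_threshold:
                    findings.append((current_file, line_no, "generic_secret"))
        elif not line.startswith("-"):
            line_no += 1  # unchanged context line still advances the new-side count
    return findings
```

Wired into a pre-commit hook or a CI job on the pull request, a non-empty result is what triggers the early notification the page describes, while the file and line number let the developer fix it immediately.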

---

Shift Left Security: the benefits

By better integrating application security as a routine, teams can achieve higher levels of software delivery performance and build more secure applications.

Shift left security will ensure that:

  • Vulnerabilities are not discovered late in the software development cycle.
  • Notifications are sent whenever potential vulnerabilities are committed, enabling teams to quickly detect and correct security issues as part of the development phase.
  • Developers improve their security knowledge by learning from their errors and apply best practices for code hygiene.
  • The cost of remediation is the lowest possible, as fixing in real time is far less costly than fixing days later at deployment, or worse, when a penetration test report finally outlines the vulnerability.

Shifting security left is basically making security an intrinsic part of development (see the article on Security As Code for more details).
