Table of content
Shift Left comes from the way a Software Development Life Cycle is presented with its 4 steps: Develop, Build, Test and deploy. Developers are to the left of the process. Anything that is moved to them: security but also testing is considered shift left.
At the core of the shift left approach, it is the idea that processes need to shift earlier in the software development process, where the developers are. By moving steps like testing and security to the development stage, fewer mistakes are allowed to pass through advanced stages of the Software Development Lifecycle. It usually means less work for QA and less remediation costs for business.
As DevOps is quickly gaining momentum everywhere, developers and cybersecurity teams are faced with new challenges: information systems are progressively being decomposed as a mesh of distributed (micro)services all over the world, leading to an explosion of interconnectedness and making the idea of central supervision worthless.
Companies are therefore starting to understand that cybersecurity concerns require the same kind of culture shift that moved the industry forward twenty years ago and that while collaboration is still a necessity, it cannot be sufficient.
The Cloud Security Alliance (CSA) put it very clearly: “Security can be achieved only when it has been designed in. Applying security measures as an afterthought is a recipe for disaster”.
This is exactly why the DevSecOps movement emerged in the first place, but shifting left security also means that you need to provide developers with the tools to do their job securely without adding extra work. In other words, it means baking security best practices right into the developer’s toolchain. Fortunately, modern continuous integration pipelines are the perfect place to run custom automated security checks to find vulnerabilities.
A good example of shift left security is the implementation of automated vulnerability detection made at the developer level directly on the code. GitGuardian secret detection is a good illustration of this approach put into practice and you can read a more detailed article about this on our blog.
By better integrating application security as a routine, teams can achieve higher levels of software delivery performance and build more secure applications.
Shift left security will ensure that:
Shifting security left is basically making security an intrinsic part of development.