Rethinking Shift-Left: More Than Just Eliminating Vulnerabilities?
Over the past few years, the concept of “shift-left” has dominated software security. The idea seems intuitive - catch vulnerabilities as early as possible in the development process, allowing teams to remediate issues long before they ever reach production. But after a recent discussions, I started thinking more critically about what shift-left actually delivers and, more importantly, where it might be falling short.
Shift-left isn’t about catching every vulnerability; in fact, that’s part of the problem. By overloading our process with too many tools that lack effective triage, we’re inadvertently creating overwhelming backlogs that hinder more than they help. True shift-left should streamline security efforts, focusing on actionable, high-impact issues instead of flooding teams with alerts that bury what really matters. It’s about saving engineers time and focusing on what actually matters. It’s less about throwing every possible tool (SAST, SCA, DAST, and beyond) into CI/CD pipelines and more about building a focused, production-informed approach to security that allows engineers to prioritize effectively.
This take aligns with critiques like those in the article “My Beef with ’Shift-Left’” [1], which argues that this approach, though well-intentioned, often leads to alert fatigue and frustration for developers. The overload of low-fidelity tools becomes a barrier to agile delivery, undermining developer productivity without necessarily solving core security problems. This setup can create an conflicting dynamic between security and engineering, where security is viewed as yet another roadblock in the path to delivering value.
Then there’s the question of cost, explored in “Shift Left Was Founded on a Lie” [2]. The article highlights that the often-cited cost-saving figures behind shift-left - like the famous claim that fixing bugs during design is 100x cheaper than after release - stem from outdated, unofficial research. The blunt reality is that if shift-left worked as promised, mature organizations wouldn’t have critical vulnerabilities in production today. Instead, many are still dealing with mountains of vulnerabilities, exacerbated by backlogs and endless alerts that provide little actionable insight.
So, what’s the alternative?
Maxwell’s perspective [1] focuses on a set of practical, production-informed priorities for API security that shift the focus from catching every possible vulnerability to creating security that is actionable, scalable, and meaningful in production. In his article you can find his wishlist.
As I reflect on this approach, I wonder if this still fits within the original concept of “shift-left.” Rather than pushing all security earlier in the development cycle, this feels like true DevSecOps, where security is woven into every phase of development and operations. Maxwell’s emphasis on runtime data, risk-based prioritization, and responsive controls fits well with a DevSecOps approach - one that brings development, security, and operations together under shared goals and pragmatic strategies.
The shift-left idea was initially about fixing vulnerabilities early, but Maxwell’s priorities reveal a bigger picture: using security to empower engineers and remove friction from the development process.
领英推荐
Tools alone won’t solve the problem - real change happens when we prioritize based on actual risk. For instance, metrics like KEV (Known Exploited Vulnerabilities) provide additional layers of context. Similarly, runtime agents offer insight into how vulnerable functions of a library are being executed, which can drastically change how they’re prioritized.
A Call for Pragmatism in Security
Shift-left, DevSecOps, or whatever term we settle on - the focus has to shift from endlessly finding vulnerabilities to meaningfully fixing and preventing them. The goal should be to keep security practical and aligned with engineering goals, so security becomes an enabler rather than a blocker. For those of us in security, here’s a question to consider: are we providing actionable insights that truly help engineers? Or are we contributing to a backlog that ultimately slows down progress?
As security continues to evolve, our role isn’t to make development harder; it’s to help teams build safely and deliver confidently.
Senior Application Security Engineer | Web Application Security
4 个月Agreed. Sometimes it is hard to determine in shift left what is a vulnerability and what is not because of for example environment maturity or different config. This can lead to a lot of noise which can be difficult to mark as false positives because of vulnerability chaining and the like. (Although comparison to live is always useful here). I have the idea of actually having non-functional security requirements documented up front so that a proper risk based approach to an app can be taken. With this method the shift left security tools would be packed into a toolbox and only the correct ones for the scenario are taken out and used which also keeps the pipe time short. For me this is a question of the shift left maturity journey ...starting out log everything. Middle ground, investigate deeper and finally tool selection based on the change being made. I would put the tools into docker for example so they can be switched in and out of the pipelines as needed and the decisions why they were used/not used recorded and audited
Sales Director - Fixing APIs, Preventing Breaches at 42Crunch - A Gartner Cool Vendor
4 个月Interesting article, we support this positive model!
Reshaping Application Security @Oligo Security
4 个月Javan Rasokat always with a fresh perspective
Spain and UK&I Enterprise Account Executive
4 个月Javier Rueda Pérez, this article released to day also seems to resonate with what you wrote