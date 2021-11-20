Within the emerging practice of DevSecOps there is no term more ambiguous than ‘shift left,’ a term likely to mean something subtly different depending on whom you ask. A commonly accepted view is that ‘shift left’ for security fosters the adoption of security practices as early as possible in the development lifecycle. This includes activities such as threat modeling, capturing security requirements, architecture review, and most vitally the integration of security testing tooling within developers’ native environments. For developers, this requires developer-friendly security tooling, typically operating with low latency, low in false positives, and adding value to the developer workflow. For security teams, this ‘shift left’ approach has meant developing a new set of skills, namely becoming familiar with development tools (think Git, CI/CD pipelines, containers, etc.) and delegating the operation of the tools to developers. Ideally, the ‘shift left’ approach allows security teams to focus more on policy, compliance, risk reviews, and mitigations — where security sets the ‘guardrails’ for developers who then operate their process within these rails.

