4 Common Challenges of 'Shift Left' Security

Involving security in the earliest stages of software development helps prevent defects, but it's not without problems.

Tzury Bar Yochay, Co-founder and CTO of Reblaze and co-creator of Curiefense

August 5, 2021

3 Min Read
Dark Reading logo in a gray background | Dark Reading

We are beyond the days when security involvement in development workflows was a "nice to have." In today's rapid innovation and development cycles, mature organizations put cybersecurity at the forefront of every decision.

As developer teams gain confidence in involving security in their projects and security professionals learn to work without hindering innovation, the new focus is on shifting left.

"Shifting left" refers to the process of moving security procedures (code reviews, analysis, testing, etc.) to earlier in the software development life cycle (SDLC) to prevent defects and find vulnerabilities as early as possible. It aims to save time and money by remediating issues in early stages before they become more expensive or catastrophic to fix.

The cost of fixing defects can increase by 640% from initial coding to final release, making tech leaders keen on making the shift left. Although this practice benefits both security and developer teams, they may face challenges like the following when implementing this practice.

Shifting Left Takes Mature Teams
The first challenge is that the approach requires mature teams. Teams with low to medium maturity face more struggles when introducing security into their SDLC. And these teams will need to create a systematic approach to working together that allows for both innovation and protection.

You cannot push good security practices in a project that doesn't already follow basic best practices, like having high test coverage and critical insight. Teams that implement shift-left security must have a baseline understanding of each other's functions in the process.

Developers Must Be Aware of Risks
Another common challenge is that developers must have a solid awareness of security risks. While this awareness is commonplace for security professionals, many developers are not used to thinking about security in tandem with development.

Security training and consistent checkups are essential in bridging the knowledge gap. Security and developer teams must work together to understand each other's workflows and best practices.

The OWASP's Top Ten is a good resource for developers who are newly involved in security. Through this resource, developers can learn about top security risks facing the industry and basic information to protect against them.

Growing Pains and Friction Are Common
With more interaction needed between developers and security teams in a shift-left process, organizations must be aware of and expect some friction as they adjust to each other's workflows.

Developers and security professionals have fundamentally different roles. A developer's main function is to introduce new features, focused on innovation, into the project. On the other end, security must be aware of potential vulnerabilities and prevent any gaps where exploitation and attacks could occur.

Security Must Be Engaged at Every Step
To increase effectiveness, security teams need to be engaged at all stages of the SDLC to get in front of potential risks. A common objection is that security will hinder the SDLC and productivity. However, the time spent monitoring for these risks can ultimately prevent larger and more costly events down the line.

Although shifting left may take some trial and error and a bit of patience from developer and security teams, organizations will reap the benefits. By having more insight into the development processes, security teams will be better equipped to protect developer projects and companies as a whole.

About the Author

Tzury Bar Yochay

Co-founder and CTO of Reblaze and co-creator of Curiefense

Tzury Bar Yochay is the CTO and co-founder of Reblaze. Having served in technical leadership in several software companies, Tzury founded Reblaze to pioneer an innovative new approach to cybersecurity. Tzury has more than 20 years of experience in the software industry, holding R&D and senior technical roles in various companies. Prior to founding Reblaze, he also founded Regulus Labs, a network software company. As a thought leader in security technologies, Tzury is frequently invited to present at industry conferences around the globe.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights