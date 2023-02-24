By Zachary Malone, SE Academy Manager at Palo Alto Networks

The term “shift left” is a reference to the Software Development Lifecycle (SDLC), which describes the phases of the process developers follow to create an application. This lifecycle is often depicted as a horizontal timeline, with the conceptual and coding phases “starting” the cycle on the left side, so to move any process earlier in the cycle is to shift it left. “Shift-left security” is the concept that security measures, focus areas, and implications should occur further to the left—or earlier—in the lifecycle than the phases that used to be the typical entry points for security testing and protections.

How did the term shift-left security originate?

Shift-left security grew out of a broader area of focus known as shift-left testing. The term was first coined by Larry Smith in 2001. Since then, the concept of shift-left security has continued to gain traction as organizations increasingly rely on the cloud and as higher-profile cyberattacks increasingly target the development tools and pipelines behind cloud-delivered and/or SaaS applications.

Why is shift-left security important in cybersecurity?

Simply stated, while cloud services give developer and product teams incredible speed and breadth in delivering applications, they have also created serious challenges in maintaining regulation and control. Security needs to keep up with the fast-paced growth and agility of development cycles and be flexible enough to support a broad array of cloud-delivered solutions.

The one common denominator in these new development workflows is that the code underlying everything from the application to its infrastructure is open to, and manipulable by, the development teams.
As such, bringing security all the way “left” to the coding phase wraps security around the very source that malicious actors attempt to attack, giving the greatest possible reduction in the risk of exploitation.

What is the spin around this shift-left security buzzword?

Like many cybersecurity buzzwords, shift-left security is treated by many vendors as “the only thing you need to be secure,” as if it were a panacea for security issues. In reality, this breaks the idea of Zero Trust, because you would be implicitly trusting the developer(s) and their coding abilities. There is also a distinct lack of consistent understanding and standard practice for how application development should work in a modern DevOps department—for example around the code supply chain (open source packages and drift) or integration tools (Git, CI/CD, etc.). This creates risk.

For example, suppose an organization believes, “Our data storage is freely open to everyone on the internet, but that’s not an issue because all the data is stored in an encrypted format.” This belief allows attackers to simply make a copy of the data and then work at leisure either to brute force the decryption or to look for the keys in whatever storage location they happen to be.

What should executives consider when adopting shift-left security?

Shifting security left in your SDLC program is a priority that deserves executive attention. The pervasive reach given to development teams, not only to create business-critical applications via code but also to handle every step from coding the application to its compilation, testing, and infrastructure needs with additional code, is an extraordinary amount of control and influence for a department that is singularly focused.

Extending security into all the workflows that development teams are moving into is the core ideology of shift-left security.
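A concrete instance of what “extending security into developer workflows” looks like, written as an added example rather than code from the original post: a pre-merge policy gate that evaluates a storage definition committed by a developer and rejects the “it’s public but encrypted, so it’s fine” configuration described above. The resource schema (public_read, encrypted_at_rest, key_location) and the rule identifiers are invented for this example and do not correspond to any real IaC provider or scanner.

```python
"""Pre-merge storage policy gate (added example, not from the original post).

Runs in the coding phase over a constructed, simplified inventory of storage
resources. The attribute names below are invented for this example and are
not any real infrastructure-as-code provider's schema.
"""
import json

# Constructed sample of what a developer might commit. The first resource
# encodes the "public but encrypted, so it's fine" belief from the text.
SAMPLE_IAC = json.dumps({
    "resources": [
        {"name": "app-assets", "type": "object_store",
         "public_read": True, "encrypted_at_rest": True,
         "key_location": "same_bucket"},
        {"name": "customer-exports", "type": "object_store",
         "public_read": False, "encrypted_at_rest": True,
         "key_location": "kms"},
    ]
})


def evaluate(iac_json: str) -> list:
    """Return one finding per policy violation; an empty list means no violations."""
    findings = []
    for res in json.loads(iac_json)["resources"]:
        if res.get("type") != "object_store":
            continue
        if res.get("public_read"):
            # Encryption at rest does not compensate for public exposure: once a
            # copy is taken, the ciphertext can be attacked offline indefinitely.
            findings.append({"resource": res["name"], "rule": "STORAGE-001",
                             "severity": "high",
                             "detail": "publicly readable; encryption at rest does not reduce exposure"})
        if res.get("encrypted_at_rest") and res.get("key_location") == "same_bucket":
            findings.append({"resource": res["name"], "rule": "STORAGE-002",
                             "severity": "high",
                             "detail": "encryption key stored alongside the data it protects"})
        if not res.get("encrypted_at_rest"):
            findings.append({"resource": res["name"], "rule": "STORAGE-003",
                             "severity": "medium", "detail": "not encrypted at rest"})
    return findings


def gate_passes(iac_json: str, block_on=("high",)) -> bool:
    """Fail the merge if any finding is at a blocking severity."""
    return not any(f["severity"] in block_on for f in evaluate(iac_json))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_IAC):
        print(f"{f['severity'].upper():6} {f['rule']} {f['resource']}: {f['detail']}")
    raise SystemExit(0 if gate_passes(SAMPLE_IAC) else 1)
```

Run in CI, the non-zero exit status blocks the merge, so the misconfiguration is caught while it is still a line in a pull request rather than an exposed bucket in production.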
However, it would be exceptionally risky to abandon or discredit the security programs that remain in the later, or “right-side,” stages of the lifecycle. Security needs to be wrapped around the entire lifecycle: from building the code, to staging the surrounding deployment, to, ultimately, the application and the environment that runs it.

Here are some questions to ask your team for a successful shift-left security adoption:

Ready to elevate the security of your development lifecycle? We can help.

About Zachary Malone:

Zachary is the SE Academy Manager at Palo Alto Networks. With more than a decade of experience, Zachary specializes in cybersecurity, compliance, networking, firewalls, IoT, NGFW, system deployment, and orchestration.