Shift-left security
Shift-left security moves security activities (threat modelling, static analysis, dependency scanning, secret detection) earlier in the development lifecycle, ideally into the developer's IDE and pull-request workflow. The framing addresses the historical pattern in which security review happened only after design and code were complete, so every finding meant expensive late rework.
In practice the cluster looks like this: SAST scanners run on every PR (Semgrep, CodeQL, Snyk Code), dependency scanners flag components with known vulnerabilities (Dependabot, Snyk Open Source, Trivy), secret scanners block committed credentials (Gitleaks, TruffleHog), and threat modelling happens at design time rather than at security-review time. Secret scanning in particular belongs as early as possible, in a pre-commit hook or pre-receive check: once a credential has reached a shared remote it has to be treated as compromised and rotated, because deleting the commit does not remove it from clones and forks. The benefit is economic (the commonly cited estimate is that a fix after release costs 10-100x what the same fix costs at design time) and cultural (security becomes a developer concern rather than a separate team's gate). The trap is gate proliferation: too many noisy security checks teach developers to ignore, or routinely bypass, the warnings, at which point the real findings are lost with the false ones. Healthy shift-left tunes the signal-to-noise ratio aggressively: block only on high-confidence, high-severity findings, allowlist known false positives explicitly, and surface everything else as advisory.
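To make the signal-to-noise point concrete, here is a minimal secret scanner in the style of Gitleaks or TruffleHog, added as an example for this entry (it is not code from any of the tools named above). It combines the three noise controls those tools rely on: a Shannon-entropy gate on generic "key = '...'" patterns, path and value allowlists for test fixtures and placeholders, and per-line deduplication so a string matched by both a specific and a generic rule is reported once. The rule patterns, the file tree and every key-like string below are constructed for the example; the inline `gitleaks:allow` and `pragma: allowlist secret` markers are the real opt-out conventions of gitleaks and detect-secrets respectively.

```python
"""Toy secret scanner: pattern rules + entropy gate + allowlists + dedup.

Added example for the shift-left entry; not taken from Gitleaks, TruffleHog
or any other project. All rules and sample data are constructed.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int
    secret: str


# (name, regex whose group 1 is the candidate secret, minimum entropy in bits/char).
# Specific rules come first so they win the per-line dedup below. A highly
# specific prefix (AKIA...) needs no entropy gate; a generic "key = '...'" pattern
# does, or every long constant string in the code base becomes a finding.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 3.0),
    ("generic-api-key",
     re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"),
     3.5),
]

# Known-noise suppression: fixture/doc paths, placeholder values, inline opt-outs.
ALLOW_PATHS = re.compile(r"(^|/)(tests?|fixtures|docs)/")
ALLOW_VALUES = re.compile(r"(?i)^(example|changeme|your[_-]?|x{8,}|placeholder)")
INLINE_ALLOW = ("gitleaks:allow", "pragma: allowlist secret")


def shannon_entropy(s: str) -> float:
    """Bits per character: 'aaaa' -> 0.0, all-distinct chars -> log2(len(s))."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_file(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    if ALLOW_PATHS.search(path):          # fixtures and docs are never real secrets
        return findings
    for line_no, line in enumerate(text.splitlines(), start=1):
        if any(marker in line for marker in INLINE_ALLOW):
            continue                      # developer-reviewed, explicitly accepted
        flagged: set[str] = set()         # dedup: one finding per secret per line
        for name, rx, min_entropy in RULES:
            for m in rx.finditer(line):
                candidate = m.group(1)
                if candidate in flagged or ALLOW_VALUES.match(candidate):
                    continue
                if shannon_entropy(candidate) < min_entropy:
                    continue              # 'aaaa...' style filler, not a credential
                flagged.add(candidate)
                findings.append(Finding(name, path, line_no, candidate))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping; deterministic order for stable CI output."""
    return [f for path, text in sorted(files.items()) for f in scan_file(path, text)]


# Constructed sample tree (not a real repository); the key-like strings are made up.
SAMPLE_FILES = {
    "src/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAQ7WZ3M2TXK9PL4HD"\n'      # specific prefix: finding
        'api_key = "changeme_changeme_changeme"\n'           # placeholder: allowlisted
        'token = "aaaaaaaaaaaaaaaaaaaaaaaa"\n'               # zero entropy: dropped
        'secret = "s3cr3t-Va1ue-9xKq2mZp7LwRt4Bn"\n'         # high entropy: finding
    ),
    "src/client.py": (
        'GITHUB_TOKEN = "ghp_Ab3dEf6hIj9kLm2nOp5qRs8tUv1wXy4zAB7c"\n'  # finding, reported once
        'OLD_TOKEN = "ghp_Zy4xWv1uTs8rQp5oNm2lKj9iHg6fEd3cBa0Z"  # gitleaks:allow\n'
    ),
    "tests/fixtures/keys.py": (
        'FAKE_PAT = "ghp_Zy4xWv1uTs8rQp5oNm2lKj9iHg6fEd3cBa0Z"\n'  # fixture path: skipped
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.secret[:8]}...")
```

Run over the sample tree this reports exactly three findings (the AWS key id, the live-looking GitHub PAT and the high-entropy `secret` value) and stays silent on the placeholder, the filler string, the allow-marked line and the fixture file. That is the shape a PR gate should have: the allowlists are explicit and reviewable in the repository, and a developer who wants to suppress a finding has to say so in the code rather than learn to skip past the check.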
Related terms
- OWASP Top 10
The OWASP Top 10 is a community-curated list of the most critical web application security risks, published every 3-4 years by the Open Web Application Security Project.
- Principle of least privilege
The principle of least privilege is the security rule that every user, process, and system should have only the minimum permissions needed to do its job — no extra access 'just in case'.
- Software bill of materials (SBOM)
A Software Bill of Materials is a machine-readable inventory of every component, library, and dependency in a software artefact — typically in SPDX or CycloneDX format.