QA & Testing Basic
Shift Left Security
Practice of integrating security testing and controls earlier in the software development lifecycle, instead of leaving them for the end.
Pronunciation
/ʃɪft lɛft sɪˈkjʊərɪti/
"shift left si-KYOOR-i-tee"
Listen on:
Forvo
What is it
Shift Left Security means moving security testing and controls earlier in the software development lifecycle (SDLC).
The name comes from visualizing the SDLC as a timeline from left to right: “shift left” = move left = earlier.
Pronunciation
IPA: /ʃɪft lɛft sɪˈkjʊərɪti/
Sounds like: “shift left si-KYOOR-i-tee”
Common mistakes:
- ❌ “shift-left” (two separate words)
The traditional problem
┌─────────────────────────────────────────────────────────┐
│ TRADITIONAL MODEL (Security at the end) │
├─────────────────────────────────────────────────────────┤
│ │
│ Requirements → Design → Code → Test → QA → SECURITY │
│ ↑ │
│ │ │
│ "We found 47 critical vulnerabilities. │ │
│ Launch is delayed 3 months." ───────┘ │
│ │
│ Cost to fix bug: │
│ - In design: $100 │
│ - In code: $1,000 │
│ - In production: $10,000+ │
│ │
└─────────────────────────────────────────────────────────┘The solution: Shift Left
┌─────────────────────────────────────────────────────────┐
│ SHIFT LEFT MODEL (Continuous Security) │
├─────────────────────────────────────────────────────────┤
│ │
│ Requirements → Design → Code → Test → QA → Deploy │
│ ↑ ↑ ↑ ↑ ↑ │
│ │ │ │ │ │ │
│ Threat Security SAST DAST Pentest │
│ Modeling Review SCA IAST │
│ │
│ Security integrated in EVERY phase │
│ │
└─────────────────────────────────────────────────────────┘Tools by phase
| Phase | Tool | What it does |
|---|---|---|
| Requirements | Threat Modeling | Identifies threats early |
| Design | Security Review | Reviews architecture |
| Code | SAST (Snyk, SonarQube) | Static code analysis |
| Code | SCA (Dependabot) | Dependency review |
| Build | Container Scanning | Reviews Docker images |
| Test | DAST (OWASP ZAP) | Dynamic testing |
| Deploy | IAST | Runtime analysis |
Practical example: Pipeline with Shift Left
# .github/workflows/secure-pipeline.yml
name: Secure CI/CD
on: [push, pull_request]
jobs:
# 1. SAST - Static analysis (very early)
sast:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run SAST
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
# 2. SCA - Dependency analysis
dependency-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check for vulnerabilities
run: npm audit --audit-level=high
- name: Snyk dependency scan
uses: snyk/actions/node@master
with:
command: test
# 3. Secrets scanning
secrets:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan for secrets
uses: trufflesecurity/trufflehog@main
with:
path: ./
# 4. Container scanning
container-scan:
runs-on: ubuntu-latest
needs: [sast, dependency-check]
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t myapp:${{ github.sha }} .
- name: Scan container
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:${{ github.sha }}
severity: HIGH,CRITICAL
# 5. DAST - Only if everything above passed
dast:
runs-on: ubuntu-latest
needs: [container-scan]
steps:
- name: OWASP ZAP Scan
uses: zaproxy/action-full-scan@v0.4.0
with:
target: 'https://staging.myapp.com'Benefits of Shift Left
| Metric | Without Shift Left | With Shift Left |
|---|---|---|
| Cost per bug | $10,000+ (production) | $100-1,000 (development) |
| Fix time | Days/Weeks | Hours |
| Vulnerabilities in prod | Many | Few |
| Release time | Unpredictable | Predictable |
| Team confidence | Low | High |
Practical case: Before vs After
Before (Security at the end)
Monday: Developer finishes feature
Tuesday-Thursday: QA tests functionality
Friday: Security team reviews
→ Finds SQL Injection
Next week: Developer fixes
→ Another QA cycle
→ Release delayed 2 weeksAfter (Shift Left)
Monday: Developer writes code
→ IDE shows SAST warning: possible SQL Injection
→ Developer fixes on the spot (5 min)
→ Push to repo
→ Pipeline runs SAST, SCA, container scan
→ All green ✅
Tuesday: QA tests, security already validated
Wednesday: Release on timeGradual implementation
Phase 1: Quick wins (Week 1-2)
# Add to your existing pipeline
- name: Dependency audit
run: npm audit --audit-level=high
- name: Secret scan
uses: trufflesecurity/trufflehog@mainPhase 2: SAST (Week 3-4)
- name: SAST scan
uses: snyk/actions/node@master
# Only fail on critical at first
with:
args: --severity-threshold=criticalPhase 3: Container Security (Month 2)
- name: Container scan
uses: aquasecurity/trivy-action@masterPhase 4: DAST (Month 3)
- name: DAST scan
uses: zaproxy/action-full-scan@v0.4.0Popular tools
| Category | Open Source | Commercial |
|---|---|---|
| SAST | Semgrep, Bandit | Snyk, SonarQube |
| SCA | OWASP Dep-Check | Snyk, WhiteSource |
| Secrets | TruffleHog, git-secrets | GitGuardian |
| Container | Trivy, Clair | Aqua, Prisma |
| DAST | OWASP ZAP | Burp Suite, Acunetix |
Metrics to measure success
| Metric | What it measures | Goal |
|---|---|---|
| MTTR | Mean time to remediation | < 24 hours |
| Escaped vulnerabilities | Bugs that reach prod | 0 critical |
| Scan coverage | % of code/deps scanned | > 90% |
| Pipeline time | CI/CD duration | < 15 min |
Related terms
- [[CI/CD]] - Pipeline where security is integrated
- [[DevSecOps]] - Security culture in DevOps
- [[SAST]] - Static Application Security Testing
- [[DAST]] - Dynamic Application Security Testing
Remember: Shift Left doesn’t mean eliminating security tests at the end—it means adding security at every phase. The earlier you detect a problem, the cheaper and easier it is to fix.