Shift Left is Dead: A Post Mortem
I’ve had countless conversations with CISOs and security leaders at Fortune 500 companies, particularly in the financial services industry. One theme I’ve heard consistently from these leaders is about the challenges they’ve faced with well-intentioned "shift left" initiatives.
The goal of shift left — to catch vulnerabilities early in the software development lifecycle (SDLC) — is sound and critically important. But when it comes to results, the overwhelming majority of security leaders say that, despite investment in multiple tools and processes, most of their organizations still find an unacceptably high number of vulnerabilities in production.
In fact, over the past five years, HackerOne's community has identified over 70,000 vulnerabilities in production systems for financial services companies alone.
Because every blog post in 2024 needs to include AI, I asked it to help me commemorate the passing of shift left with an image. I think it nailed it.
So, where did we go wrong? After digging into this question, my team and I have identified several key issues:
- Workflow Disruption: Shift left tools often fail to seamlessly integrate with developers' established workflows, requiring context switching that compounds across multiple tools.
- False Positives: Each tool introduces its own flavor of false positives, creating noise and eroding developer trust and engagement.
- Lack of Actionability: Context is king. Developers view many alerts as non-actionable, either due to a lack of clarity or because addressing them requires significant effort outside their current flow.
- Prioritizing Security Over Productivity: Most of these tools explicitly prioritize security concerns over developer productivity, leading to frustration and disillusionment.
Shifting To Developer-first Security
Ultimately, these issues stem from a failure to truly prioritize and design for the developer experience. However, the good news is that developer attitudes towards security are shifting rapidly. GitLab's recent survey found that 97% of developers now feel responsible for application security, up from just 50% in 2019.
Still think developers don't care about security? Think again. If you ever find yourself repeating this antiquated gripe, it's time to let the past die.
To succeed, we need to embrace this change and re-orient our approach:
- Prioritize developer experience and satisfaction as a core KPI for shift left initiatives and tools. Measure it constantly, even if it's as simple as a "thumbs up/thumbs down" rating.
- Design tools and processes to integrate seamlessly with developer workflows and minimize disruption.
- Strive to provide clear, actionable guidance with every alert, minimizing noise and low-value interruptions.
Discover Vulnerabilities Earlier With Code Security Audit
At HackerOne, we've embraced this mindset with our code review as a service offering. By relentlessly focusing on developer experience, we've achieved a 96% developer satisfaction rate — almost unheard of for a security tool.
The path forward is clear: by building a new generation of security tools designed with developers at the center, we can finally realize the promise of catching vulnerabilities early and often. The security outcomes will follow naturally from an engaged, empowered development team that embraces security as part of its mission, and the security team as a trusted partner.
The shift left paradigm isn't dead, but it does need a hard reboot. By learning from the failures of the first generation and committing to a developer-first mindset in the second generation, we can still achieve the resilient, proactive security posture we all strive for.
To learn more about how HackerOne can help you, schedule a time to talk or learn more about our code security audit.