
Shift left the right way - creating more secure apps

Bring security to your developers, and developers to your security, the right way.

We often hear the phrase "shift left" in the world of DevSecOps as the standard way of improving security in our applications. But what exactly does shift left mean? And how do we do it the right way?

Software Engineer Angela Wen joined Christopher to share her own experience with shift left. She starts by describing exactly what's meant by the phrase and how it fits into the development lifecycle. She then highlights a couple of key challenges in getting the approach right: software engineers aren't typically security experts, and we need to make sure they get the right information at the right time.

Field Services Director Dan Shanahan calls in to talk about where shift left can often fail, and provides some guidance on how to ensure success. He highlights the importance of the experience for teams, developers, and security professionals, and providing the right resources to be successful.

With this background, Angela then walks us through a couple of the core tools available to us to drive secure software development. She starts by introducing code scanning, which traditionally meets developers at the time of the pull request (PR). This is the perfect time to let the developer know there's a potential security flaw, as they're looking for feedback on the code they've created. GitHub Copilot Autofix can even provide suggested remedies right inside the pull request, allowing the developer to commit the code with just a couple of clicks. In addition, campaigns allow teams to group together existing security tech debt and automate the process of generating fixes.

Beyond vulnerabilities introduced in code are leaked tokens. These are particularly dangerous: once a token is in the codebase it has to be treated as leaked, and mitigating the risk means rotating the key, updating every service that uses it, and other cleanup work. As Angela highlights, with secret scanning push protection these tokens can be blocked on push, meaning they never find their way into the codebase in the first place.
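As an added example (not code from the episode, and not GitHub's push protection, which runs server-side with its own detectors), here is a local pre-push check in Python that applies the same idea before the commits leave the developer's machine: it scans the outgoing diff for token-shaped strings on added lines and refuses the push if any are found. The detector patterns and the sample diff are constructed for illustration, and the `ghp_` token in it is fake.

```python
import re
import subprocess
import sys
# Illustrative detectors (an assumption for this example, not GitHub's own
# detectors): a GitHub-style personal access token and a quoted secret assignment.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\s*[=:]\s*['\"][^'\"]{16,}['\"]"),
}
# Constructed unified diff standing in for what `git diff` prints; the token is fake.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,4 @@
 import os
-API_TOKEN = os.environ["API_TOKEN"]
+API_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+secret = 'constructed-placeholder-value-1234'
 DEBUG = False
"""
def scan_diff(diff_text):
    """Return (file, new_line_no, detector) for each added line that looks like a secret.
    Only '+' lines are checked, so a commit that removes a leaked value is not blocked."""
    findings, current_file, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # '+c,d' in the hunk header: new file starts at line c
            line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("-"):
            continue  # removed line, or the '--- a/...' header
        elif raw.startswith("+"):
            line_no += 1
            for name, pat in TOKEN_PATTERNS.items():
                if pat.search(raw[1:]):
                    findings.append((current_file, line_no, name))
        elif not raw.startswith("\\"):
            line_no += 1  # unchanged context line
    return findings

if __name__ == "__main__":  # pre-push hook use: check the commits about to leave this machine
    hits = scan_diff(subprocess.run(["git", "diff", "@{upstream}..HEAD"],
                                    capture_output=True, text=True).stdout)
    for path, n, name in hits:
        print(f"push blocked: {path}:{n} matches {name}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

A local hook like this is a complement to, not a replacement for, server-side push protection: it only runs where it is installed, so the server-side block is what guarantees the token never lands in the repository.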

We close the conversation talking about the importance of the human factor in all of this. There can be some tension between security teams and developers, which isn't helpful for anyone. In the end, the core principle of ensuring everyone's needs are met is what drives success.
