# 4 Practical Steps for 'Shift Left' Security

By [Matthew Chiodi](https://www.paloaltonetworks.com/blog/author/matthew-chiodi/?ts=markdown "Posts by Matthew Chiodi"), Jul 23, 2019. 5 minutes. [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown), [DevOps](https://www.paloaltonetworks.com/blog/tag/devops/?ts=markdown), [Prisma](https://www.paloaltonetworks.com/blog/tag/prisma/?ts=markdown)

Since the beginning of modern computing, security has largely been divorced from software development. [Recent vulnerability research](https://www.paloaltonetworks.com/resources/infographics/2019-state-of-the-industry-publicly-exposed-vulnerabilities) confirms this: over the past five years, 76% of all published vulnerabilities were in applications. Given this radical shift in attacker focus, it's time to embed security with development. The best way to get this done is to implement a shift-left security strategy.

## Defining Shift Left Security

In its simplest terms, "shift left" security is moving security to the earliest possible point in the development process. Modern [CI/CD](https://dzone.com/articles/what-is-cicd) typically involves an eight-step process, as shown in Figure 1 below. Many security teams only become involved in the concluding steps of operations and monitoring.

Shift-left security reduces not only cyber risk but also cost. The System Sciences Institute at [IBM](https://www.researchgate.net/figure/IBM-System-Science-Institute-Relative-Cost-of-Fixing-Defects_fig1_255965523) found that addressing security issues in design was six times cheaper than during implementation. The same study also found that addressing security issues during testing could be 15 times costlier. Being intentional about embedding security in each of these steps starts with a clearly defined strategy.
[![Figure 1: CI/CD](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Shift-Left.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Shift-Left.png)

Figure 1: CI/CD

### Step 1: Define your shift-left security strategy

The first step of any journey is to define where you intend to go. Do not underestimate the power of a concise (ideally one-page) written strategy document. It is critical to define what shift-left means in *your* organization. This is about painting the most vivid picture possible for your teams so they know what success looks like. Key items to include in this document are vision, ownership/responsibility, milestones, and metrics. Expect the strategy document to mature over time, and don't spend too much time trying to perfect it. Iteration over time is essential.

### Step 2: Understand where and how software is created in your organization

Perhaps one of the most challenging aspects of shifting security left is first getting a handle on how and where software is created in your organization. Depending on the size of your company, this could run the gamut from straightforward to extremely challenging. This step is significant because its end result is what allows the security team to understand where they can actually move security closer to development. Large organizations that have not undertaken this process will likely spend a few months digging and taking development teams out to lunch (food always seems to work) when geography permits. Oftentimes, development is outsourced to multiple vendors, which will require additional work and sometimes contract reviews. Small and medium-sized organizations will find this step relatively straightforward but equally rewarding. The goal of this step is to first look organization-wide and document the overall flow of software in your company.
Medium to large organizations will want to start at the macro level and then drill into individual business units. It is highly likely that each business unit will have its own software development process and tools. Key items to identify in this phase include who is developing code (people), how it flows from development laptops to production (process), and which systems they are using to enable the process (technology). This may also be referred to as the CI/CD toolchain. Undoubtedly, much of your software development is being done in the public cloud.

### Step 3: Identify and implement security quality guardrails

Quality assurance has always been part of the software development lifecycle. However, software quality has not historically included security. This must change, and the work done in the previous steps will arm you to do it. Every step of the software development process is an opportunity to give feedback and look for security issues. The most effective security teams start small. They arm development teams with simple and effective tools that become part of the daily development routine. [One such tool](https://github.com/bridgecrewio/checkov) was recently open-sourced by Palo Alto Networks, which means it is free to use.

### Step 4: Assess and continuously train development teams in secure coding

Developers clearly know how to code, but do they know how to do it securely? Part of your journey to shifting security left is to ensure that those who do the majority of your coding create secure code in the first place. This is difficult to do if you have no objective measure of where their skills stand today and no plan to improve them continually over time. Given that in one survey, 19% of developers said they were unfamiliar with the [OWASP Top 10](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf), this is an area that should not be overlooked.
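To make the "security quality guardrail" of Step 3 concrete, here is an added example of a small policy gate that a CI job can run before deployment. It is not code from this post, from the open-sourced tool linked above, or from Prisma Cloud. It reads a plan-style JSON description of cloud resources, evaluates three policies (an administrative port open to the world, a public S3 bucket ACL, an unencrypted volume), prints the findings for the developer, and returns a non-zero status so the pipeline fails at build time rather than at runtime. The JSON sample, the resource shape, and the policy IDs (SG-001, S3-001, EBS-001) are constructed for this example.

```python
"""Minimal infrastructure-as-code guardrail for a CI step.

Added illustration; not the post's, Checkov's or Prisma Cloud's code.
The input shape below is constructed and only loosely mimics a flattened
plan/state document; the policy IDs are invented for this example.
"""
from __future__ import annotations

import ipaddress
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str
    resource: str
    message: str


# Constructed sample input: two security groups, two buckets, one volume.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"type": "aws_security_group", "name": "bastion",
         "values": {"ingress": [{"from_port": 22, "to_port": 22,
                                 "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"type": "aws_security_group", "name": "internal",
         "values": {"ingress": [{"from_port": 443, "to_port": 443,
                                 "protocol": "tcp",
                                 "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"type": "aws_s3_bucket", "name": "logs",
         "values": {"acl": "public-read"}},
        {"type": "aws_s3_bucket", "name": "artifacts",
         "values": {"acl": "private"}},
        {"type": "aws_ebs_volume", "name": "scratch",
         "values": {"encrypted": False}},
    ]
})

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; unparsable strings are treated as closed."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_group(res: dict) -> list[Finding]:
    """SG-001 (invented ID): admin ports must not be reachable from anywhere."""
    out = []
    for rule in res.get("values", {}).get("ingress", []):
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 65535))
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed and any(_is_world_open(c) for c in rule.get("cidr_blocks", [])):
            out.append(Finding("SG-001", res.get("name", "<unnamed>"),
                               f"ports {exposed} open to the world"))
    return out


def check_s3_bucket(res: dict) -> list[Finding]:
    """S3-001 (invented ID): bucket ACL must not grant public access."""
    acl = str(res.get("values", {}).get("acl", "private"))
    if acl.startswith("public"):
        return [Finding("S3-001", res.get("name", "<unnamed>"), f"ACL is {acl!r}")]
    return []


def check_ebs_volume(res: dict) -> list[Finding]:
    """EBS-001 (invented ID): volumes must be encrypted at rest."""
    if not res.get("values", {}).get("encrypted", False):
        return [Finding("EBS-001", res.get("name", "<unnamed>"), "not encrypted")]
    return []


POLICIES = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
    "aws_ebs_volume": check_ebs_volume,
}


def evaluate(plan_json: str) -> list[Finding]:
    """Run every applicable policy over the resources in the document."""
    findings: list[Finding] = []
    for res in json.loads(plan_json).get("resources", []):
        check = POLICIES.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


def gate(plan_json: str) -> int:
    """Print findings and return the exit status the CI step should use."""
    findings = evaluate(plan_json)
    for f in findings:
        print(f"FAIL {f.policy} {f.resource}: {f.message}")
    print(f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(gate(text))
```

Wired into a pipeline as `python iac_gate.py plan.json`, the non-zero exit status fails the job, so developers see the three findings on the constructed sample (the bastion group, the `logs` bucket, the `scratch` volume) next to their change instead of hearing about them after deployment. Teams typically start with a handful of high-signal policies like these and grow the set as the toolchain mapping from Step 2 matures.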
Further underscoring the need for secure-coding training was a recent survey published by DevOps service provider [GitLab](https://about.gitlab.com/developer-survey/2019/), which found that 70% of programmers are expected to write secure code, but only 25% think their organization's security practices are "good." If only 25% of developers feel this way, security teams have a lot of work to do in this area.

## What Shift Left Security Looks Like

Let's look at two scenarios where we've simplified development into build, deploy, and run phases. In Scenario No. 1, development starts without security. Software quality is only checked during runtime. This often results in an uneasy conversation between security and development when vulnerabilities are found.

[![Scenario 1: security checked only at runtime](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Scenario-1-Shift-Left.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Scenario-1-Shift-Left.png)

In Scenario No. 2, however, security teams have invested the time to understand the development process in their organization. They have also taken the time to embed security processes and tools in the CI/CD pipeline, resulting in automated security quality guardrails.

[![Scenario 2: automated security guardrails in the CI/CD pipeline](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Scenario-2-Shift-Left.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Scenario-2-Shift-Left.png)

## Conclusion

Utilizing the four steps above will put your organization on a solid path towards not only shifting security left but making security synonymous with development. As your organization moves towards shift left as part of its cloud journey, it's critical that security controls be automated and API-driven.
Palo Alto Networks [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/infrastructure-as-code-security#) empowers security teams to do exactly that by securing DevOps and your CI/CD pipeline.