
Shift-Left Security (DevSecOps)

Security PHP 5.0+ Beginner
debt(d7/e7/b7/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7), because the *absence* of shift-left security — i.e., security only tested at staging or production — is invisible in day-to-day development. The detection_hints note the code pattern is 'No SAST tool in CI pipeline; security only tested in staging or production.' Tools like semgrep, phpstan, psalm, and snyk can catch issues once added, but the organisational/process gap itself is not flagged by any automated tool — it requires deliberate audit or review to notice. Slightly better than d9 because a CI pipeline review or a failed deployment gate can surface it before production.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7), because the quick_fix suggests adding SAST tools to CI as a starting point, but the common_mistakes reveal the full remediation spans tooling (IDE plugins, CI gates, dependency scanners), developer training, and cultural change — all cross-cutting concerns. It is not architectural rework (e9), but it is well beyond a single-component fix, touching every team workflow, build pipeline, and development practice.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7), because shift-left security applies across all contexts (web, api, cli) and affects every development phase — design, coding, CI, review, and release. The common_mistakes and misconception confirm that without it, every downstream decision about what gets shipped is shaped (or mis-shaped) by the absence of embedded security practices. It doesn't quite reach b9 (rewrite-or-live-with-it), but every change stream is influenced by whether or not this practice is in place.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap (contradicts how a similar concept works elsewhere)' (t7), because the misconception is explicit: developers naturally interpret 'shift-left security' as 'run a pentest earlier,' which is a point-in-time activity, not the embedded, continuous, multi-phase practice the term actually means. This contradiction between the intuitive interpretation (move one activity left) and the correct interpretation (change the entire culture and process) is a well-documented gotcha that most teams fall into, making it a serious cognitive trap.


Also Known As

DevSecOps, early security testing, security in SDLC

TL;DR

Integrating security practices earlier in the development lifecycle — at design and coding time — rather than as a final gate before release.

Explanation

Shift-left security moves security from a release-time gate (pen test, audit) to an integral part of every development phase: threat modelling during design, SAST in the IDE and CI pipeline, dependency scanning on every commit, security-focused code review, and developer security training. DevSecOps embeds security tooling directly in the CI/CD pipeline so vulnerabilities are caught within minutes of introduction rather than weeks later. The cost of fixing a vulnerability found at design time is orders of magnitude lower than one found in production.

Common Misconception

Shift-left security does not mean running a pentest earlier in the process. It means embedding security into every development phase — threat modelling at design, SAST in CI, dependency scanning on commit — not just moving one activity earlier.

Why It Matters

Shifting security left moves it earlier in the development cycle — finding a vulnerability in code review costs 10× less than finding it in QA, and 100× less than finding it in production.

Common Mistakes

  • Security review only at release — vulnerabilities are found when they are most expensive to fix.
  • Developers with no security training — they cannot identify issues even with the right tools.
  • Static analysis tools not in developer IDE — feedback only comes in CI, not during writing.
  • Treating shift-left as 'run a scanner' without changing the development culture.

Code Examples

✗ Vulnerable
# Traditional (shifted right) security pipeline:
# Code → Build → Test → Stage → Pentest → Fix → Release
# Pentest finds SQLi → 3 weeks to fix → missed release window

# Shift-left pipeline:
# Code (IDE lint) → PR (SAST scan) → Build → Test (DAST) → Release
# SQLi caught by SAST in PR → fixed in 10 minutes
✓ Fixed
# Shift left = find vulnerabilities earlier (much cheaper to fix)

# Level 1 — Developer (IDE / pre-commit hook)
$ vendor/bin/phpstan analyse --level=6
$ vendor/bin/psalm --taint-analysis  # tracks XSS, SQLi data flows

# Level 2 — CI (every PR)
$ composer audit                     # known CVEs in dependencies
$ semgrep --config=p/php-security src/  # SAST patterns

# Level 3 — Staging (pre-deploy)
$ docker run owasp/zap2docker-stable zap-baseline.py -t https://staging.yourapp.com

# Level 4 — Production
# Bug bounty, annual penetration test, anomaly monitoring

# Rule of thumb:
# Dev fix: minutes  |  QA fix: hours  |  Prod fix: days + incident response
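The Level 1 and Level 2 checks above, wired into a git pre-commit hook so that a finding blocks the commit instead of surfacing in staging. This is an added example, not code from the original page; it assumes phpstan and psalm are installed under vendor/bin, that composer and semgrep are on PATH, that the semgrep ruleset is the page's p/php-security, and that the script is installed as .git/hooks/pre-commit.

```shell
#!/bin/sh
# Added example (not from the original page): a pre-commit hook that runs the
# Level 1/2 checks so findings block the commit instead of surfacing in staging.
# Assumes vendor/bin/{phpstan,psalm}, composer and semgrep are installed.

# Keep only PHP source files from a newline-separated list on stdin,
# ignoring third-party code under vendor/.
php_only() {
    grep -E '\.php$' | grep -v '^vendor/' || true
}

# Run every check given as an argument; print the number of failed checks on
# stdout and always exit 0, so callers can use it safely under `set -e`.
run_checks() {
    failed=0
    for check in "$@"; do
        if sh -c "$check" >/dev/null 2>&1; then
            echo "PASS  $check" >&2
        else
            echo "FAIL  $check" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$failed"
}

# The hook body: gate staged PHP changes on SAST plus a dependency audit.
main() {
    files=$(git diff --cached --name-only --diff-filter=ACM | php_only)
    if [ -z "$files" ]; then
        echo "security-gate: no PHP changes staged, skipping" >&2
        return 0
    fi
    # $files is unquoted on purpose: each path becomes its own argument.
    failures=$(run_checks \
        "vendor/bin/phpstan analyse --level=6 --no-progress $files" \
        "vendor/bin/psalm --taint-analysis --no-progress $files" \
        "semgrep --config=p/php-security --error $files" \
        "composer audit")
    if [ "$failures" -ne 0 ]; then
        echo "security-gate: $failures check(s) failed, commit blocked" >&2
        return 1
    fi
    echo "security-gate: all checks passed" >&2
}

# Run the gate only when installed as .git/hooks/pre-commit; otherwise the file is library code.
if [ "$(basename "$0")" = "pre-commit" ]; then
    main
fi
```

Install it with `cp security-gate.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`; a non-zero return from main is what makes git refuse the commit.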

Added 15 Mar 2026
Edited 22 Mar 2026
Dev Intel: Tools & Severity

Severity: Info
Fix effort: Medium

Quick Fix
Add phpstan/psalm + semgrep security rules to your CI pipeline so security issues fail the build before code reaches review.

Applies To
PHP 5.0+ (web, api, cli)

Detection Hints
No SAST tool in CI pipeline; security only tested in staging or production.
Auto-detectable: Yes (semgrep, phpstan, psalm, snyk)

AI Agent
Confidence: Medium · False Positives: Medium · Manual fix · Fix: High · Context: File · Tests: Update