For years now, we have been shouting from the rooftops, trying to get the community to shift left. And believe it or not, there are still communities out there that have yet to shift left. But what I propose today is that we shift ZERO: we bake security in right from the beginning. With the technology available to us today, that is more possible than ever.
What Is Shift Left
Shift left has been the trend of incorporating security earlier in the software development lifecycle. For example, instead of relying on penetration testing alone to find security issues, we add security tooling earlier in the development process to detect vulnerable code and libraries.
Don’t get me wrong: shift left has been successful and is a step in the right direction (no pun intended).
What I’m calling for is to keep moving in that direction. With all the AI tools available to us now, it’s easier than ever to design and code securely right from the start!
We can see this with Vibe Coding.
Shift Left Example:
Review code for security issues
Shift Zero Example:
Build me a product that has good security and has reduced or no vulnerability to OWASP Top 10 attacks
Of course, there is no such thing as zero vulnerabilities, but one can aspire. It’s a vibe coding prompt, relax.
Shifting Zero
Shifting Zero is when security is part of the build process from day 0, right at the beginning.
It’s when engineers have a security section in their PRDs (product requirements documents).
It’s when code is reviewed for security live while being developed.
It’s security BEFORE the PR.
Every security engineer’s dream is for engineers to write secure code right from the beginning.
What if that were possible, right now?
Imagine an engineer writing code and being notified of security improvements in real time.
Or even better, imagine an engineer writing code and the code being automatically updated in real time to be more secure, right then and there.
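One concrete shape that "security before the PR" can take is a check that runs on the engineer's machine when they stage a commit, so findings arrive before any reviewer sees the code. The script below is an added example and is not code from the original post; the three rules, the `# shiftzero: ignore` suppression marker and the sample file are constructed for illustration, and a real hook would wrap a full SAST tool such as Bandit or Semgrep at the same point rather than these hand-written patterns.

```python
"""Minimal pre-commit security check illustrating 'security before the PR'.
Added example, not from the original post. Rules are constructed for this
example; a production hook would call a real SAST tool in the same place."""
import re
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    message: str


# Illustrative rules (rule id, pattern, remediation hint), constructed for this example.
RULES = [
    ("hardcoded-secret",
     re.compile(r"""(?i)\b(password|secret|api[_-]?key|token)\s*=\s*['"][^'"]{8,}['"]"""),
     "credential literal in source; read it from the environment or a secrets manager"),
    ("sql-string-build",
     re.compile(r"""(?i)f['"]\s*(select|insert|update|delete)\b"""
                r"""|['"][^'"\n]*\b(select|insert|update|delete)\b[^'"\n]*['"]\s*[+%]"""),
     "SQL assembled from strings; use parameterised queries"),
    ("shell-true",
     re.compile(r"\bshell\s*=\s*True\b"),
     "subprocess invoked through the shell; pass an argument list instead"),
]
IGNORE_MARKER = "# shiftzero: ignore"  # explicit, reviewable suppression


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match in a file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for rule, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, message))
    return findings


def staged_python_files() -> list[str]:
    """Ask git for Python files staged in the pending commit (assumes a git checkout)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.split() if p.endswith(".py")]


def main() -> int:
    """Entry point for .git/hooks/pre-commit: a non-zero exit blocks the commit."""
    findings = []
    for path in staged_python_files():
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_source(path, fh.read()))
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.message}")
    return 1 if findings else 0


# Constructed sample file, used to show what the engineer would see.
SAMPLE = '''import os
API_KEY = "sk-example-0123456789"
db_key = os.environ["DB_KEY"]
cur.execute("SELECT * FROM users WHERE id = " + user_id)
cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
subprocess.run(cmd, shell=True)
subprocess.run(cmd, shell=True)  # shiftzero: ignore
'''


def demo() -> list[Finding]:
    """Scan the constructed sample; lines 2, 4 and 6 are flagged, line 7 is suppressed."""
    return scan_source("app.py", SAMPLE)


if __name__ == "__main__":
    sys.exit(main())
```

Wired in as `.git/hooks/pre-commit` (or via a pre-commit framework), the check fails the commit locally, which is the point: the engineer fixes the line while it is still in their editor instead of negotiating it in a PR thread days later.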
Let’s be intentional about how we create code and applications.
Let’s stop the constant cat-and-mouse game of appsec: the gates and the struggles.
We all suffer, and it’s a waste of time.
Let’s test for security and build securely right from the beginning, by Shifting ZERO.
This is the way.