Shift left the right way - creating more secure apps
June 12, 2025 // 2 min read
Bring security to your developers, and developers to your security, the right way.
Published via GitHub Executive Insights
We often hear the phrase "shift left" in the world of DevSecOps as the standard way of improving security in our applications. But what exactly does shift left mean? And how do we do it the right way?
Software Engineer Angela Wen joined Christopher to share her own experience with shift left. She starts by describing exactly what is meant by the phrase and how it fits into the development lifecycle. She then highlights two key challenges in getting the approach right: software engineers aren't typically security experts, and they need the right information at the right time, not a report that arrives long after the code was written.
Field Services Director Dan Shanahan calls in to talk about where shift left often fails and offers guidance on how to make it succeed. He stresses that the experience matters for teams, developers, and security professionals alike, and that each group needs the right resources to be successful.
With this background, Angela walks us through a couple of the core tools available to drive secure software development. She starts with code scanning, which traditionally meets developers at the pull request (PR). This is the right moment to tell a developer about a potential security flaw: they are already looking for feedback on the code they just wrote, and the change is still small enough to fix cheaply. GitHub Copilot Autofix can suggest a remedy right inside the pull request, so the developer can review and commit the fix with a couple of clicks. Security campaigns let teams group existing security tech debt and generate fixes for it in bulk rather than one alert at a time.
Beyond vulnerabilities introduced in code, there are leaked tokens. These are particularly dangerous: once a token has been committed it has to be treated as compromised, even if the commit is later amended or the history rewritten, so the response is to rotate the key, update every service that uses it, and clean up the history. As Angela highlights, secret scanning push protection blocks these tokens at push time, so they never enter the repository's history in the first place.
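To make the push-protection idea concrete, here is an added example (not GitHub's implementation, and not code from the episode): a small Python scanner that reads a unified diff, checks only the added lines against a few illustrative token formats, and reports findings with the secret redacted so the check itself does not re-leak it. The detector patterns, the `scan_diff`/`should_block_push` names and the sample diff are all assumptions constructed for this illustration; a real service maintains a far larger and more precise set of detectors.

```python
import re
from dataclasses import dataclass

# Illustrative detector patterns (assumptions for this example, not GitHub's detector set).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Unified diff hunk header: "@@ -old_start[,old_len] +new_start[,new_len] @@"
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    line: int       # line number in the new (pushed) version of the file
    redacted: str   # never the full secret: the hook's own output must not leak it


def redact(secret: str) -> str:
    """Keep only a short prefix and suffix so the finding is recognisable but unusable."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, tracking file path and new-side line numbers.

    Removed ('-') lines are deliberately ignored: deleting a secret is not a new leak,
    and a secret that was already in history needs rotation regardless of this check.
    """
    findings: list[Finding] = []
    path = "<unknown>"
    new_line = 0
    after_old_header = False  # a "+++ " line is a file header only right after "--- "
    for raw in diff.splitlines():
        if raw.startswith("--- "):
            after_old_header = True
            continue
        if after_old_header and raw.startswith("+++ "):
            after_old_header = False
            path = raw[4:].removeprefix("b/")
            continue
        after_old_header = False
        hunk = HUNK_HEADER.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("\\"):  # "\ No newline at end of file" marker
            continue
        if raw.startswith("-"):
            continue
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in PATTERNS.items():
                for hit in pattern.finditer(content):
                    findings.append(Finding(kind, path, new_line, redact(hit.group(0))))
        new_line += 1  # added and context lines both advance new-side numbering
    return findings


def should_block_push(diff: str) -> bool:
    """A pre-push hook would reject the push when this returns True."""
    return bool(scan_diff(diff))


# Constructed sample diff: the tokens are fabricated ("AKIAIOSFODNN7EXAMPLE" is AWS's own
# documentation example). The removed line also contains a token, to show it is not flagged.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config/settings.py b/config/settings.py",
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    "@@ -1,4 +1,5 @@",
    " import os",
    " ",
    '-LEGACY_TOKEN = "ghp_' + "f" * 36 + '"',
    '+GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"  # fake, for the example',
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    " DEBUG = False",
])

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.kind} ({f.redacted})")
    print("block push:", should_block_push(SAMPLE_DIFF))
```

A client-side hook like this is a convenience for developers, not a control: anyone can skip it with `--no-verify`. The enforcement that matters is the check the server runs on the pushed commits, which is what push protection does, and it still does nothing for tokens that are already in history; those must be rotated.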
We close the conversation with the human factor. Tension between security teams and developers is common, and it helps no one. In the end, the core principle of making sure everyone's needs are met is what drives success for both sides.
Docs
- What is DevSecOps?
- Responsible use of Copilot Autofix for code scanning
- Best practices for participating in a security campaign
- Finding leaked passwords with AI: How we built Copilot secret scanning
- Why application security tools fail and how DevSecOps fixes security debt