Software Development from Zero
by Sergey Okinchuk
Chapter 12: Building It Safe — Security & Privacy by DesignCommon Threats: OWASP Top 10
Topic 01

Shift-Left: Security in Every Phase

Concept

The biggest mistake in software security is treating it as a final checkpoint — a scan you run right before launch. Security added at the end is weak and expensive. Security by design (often called shift-left security) means thinking about safety in every phase, from requirements all the way to operations.

There's a familiar idea underneath this: the cost-of-change curve from Chapter 2 applies to vulnerabilities too. A security flaw caught in design is cheap to fix; the same flaw caught after a breach is catastrophic.

Think of designing a house with locks, wiring, and fire exits drawn into the blueprint — not nailing on deadbolts and stringing extension cords after the family has moved in. Safety built in from the plan is far stronger than safety bolted on later.

Shift left: build security in from the start, not bolt it on at the end
Design
Code
Build
Test
Production
The earlier (further left) a problem is caught, the cheaper and safer it is to fix.

Why Bolt-On Fails

Security tacked on at the end is the most expensive and least effective kind. By then, insecure assumptions are baked into the design and the code, and ripping them out is costly — sometimes impossible without a rewrite. A "we'll secure it before launch" mindset almost always ships something either insecure or hugely over budget. Real security comes from decisions made early, not a final scan.

Shift-Left

Shift-left means moving security thinking earlier — toward the left (the start) of the lifecycle. That means asking about threats during design, adding security checks into the continuous-integration pipeline, scanning dependencies before release, and so on. It's the same "catch it early, where it's cheap" principle as testing's shift-left, applied to safety. The earlier a security issue is found, the cheaper and easier it is to fix.

Threat Modeling, Lightly

A core early-phase practice is threat modeling: during design, simply asking "what could go wrong here, and who would want it to?" You imagine how an attacker might misuse the feature — steal data, impersonate a user, break something — and design defenses in from the start. You don't need to be a security expert; just asking the question early catches a surprising number of problems before they're built.

Everyone's Responsibility

Finally, security is not just a security team's job — it's built in by everyone. Developers writing safe code, testers probing for weaknesses, designers avoiding risky patterns: each contributes. A dedicated security team helps, but it can't bolt safety onto a product that wasn't built with it in mind. Like quality (Chapter 9), security is a shared, continuous responsibility, not a phase someone else owns.

When the Cadence team designs reminders, they don't wait for a security review. Right in the design discussion, Priya asks a simple threat-modeling question: "could one user somehow read or change another user's reminders?" That single early question leads them to build in an authorization check from the start — instead of discovering the hole after launch, when fixing it would mean a breach, an apology, and a scramble.

Common Confusions
  • "Security is the security team's job, not mine." It's built in by everyone — developers, testers, designers. A security team helps, but can't secure a product that wasn't designed with safety in mind.
  • "Add security right before launch." That's the most expensive and least effective time. Insecure assumptions get baked in early, so security has to be designed in from the start, not appended at the end.
  • "We're too small to be a target." Most attacks are automated and don't check your size — they scan the whole internet for known weaknesses. Being small is no protection at all.
Why It Matters
  • Framing security as a thread through every phase is the through-line for the whole chapter, and a direct echo of the cost-of-change curve.
  • "Shift-left" and "threat modeling" are real, widely used terms — knowing them lets you take part in security conversations on any team.
  • Understanding that security is everyone's job, not a final gate, changes how you write and review code from day one.

Knowledge Check

What does "shift-left security" mean?

  • Moving security thinking earlier in the lifecycle, where fixes are cheap
  • Saving up every bit of the security work until right before the launch day
  • Aligning the security settings to the left side of the screen
  • Handing all security work to a separate dedicated team to own

Why is bolting security on at the end ineffective?

  • Insecure assumptions are baked in by then, so they're costly to remove
  • Because security tools are only able to run during the launch event
  • Because adding security means writing entirely new features at the end
  • Because doing security late makes the finished program run slower

What is threat modeling?

  • Asking during design what could go wrong and who would want it to
  • A way of making the finished program run faster and more efficiently
  • A technique for writing the application's features much more quickly
  • A tool that automatically detects live attacks after the app launches

Why is "we're too small to be a target" a confusion?

  • Most attacks are automated and don't check how big or small you are
  • Because being small really does keep a company safe from all attacks
  • Because attackers deliberately choose to ignore all small companies
  • Because small applications simply run too fast for attackers to catch

You got correct