Intone the words ‘shift left’ to any developer, and you are likely to elicit a tired smirk and a knowing grin. The unspoken reality? The initial momentum behind ‘shift left’ has faded as the harder parts of shifting left have proven more resistant to handing off to application developers.
In theory, bringing security, QA and application delivery configuration early in the development lifecycle should empower developers, accelerate code deploys and improve software and application quality. In practice, various organizations are struggling to fully integrate these practices. Better developer tooling for writing the code is not the issue; today, IDEs and code repositories are incorporating several capabilities, from AI code recommendations to enhanced linting and automated basic QA. Rather, it is the discipline furthest from the developer’s original domain that is proving the stickiest to shift.
To kick-start shift left again, we need to refocus on empowering developers with tools that make this post-coding work more efficient and less cumbersome. This means providing them with better configuration options for application delivery and security controls, as well as enhanced observability tools that make it easier to understand and troubleshoot application performance issues.
Automation can play a critical role by streamlining tasks such as version upgrades and certificate management to reduce the manual workload that often stalls security and application delivery optimization efforts. Platform Ops can lay down the paved paths for developers to make it easier for them to observe, manage, optimize and secure modern applications. In an ideal shift-left future, developers, DevOps, network operations, security operations and platform operations can work together and share knowledge and capabilities to make shifting left feel natural and painless.
The Original Sin of Shift Left
Shift left emerged alongside a host of trends driving the disaggregation of monolithic compute stacks and distributed infrastructure and coding. With the early mega web applications such as Twitter and nascent cloud and then container management solutions, the old mode of waterfall-based development became a massive hindrance to high-speed code development.
First came DevOps, which endowed development teams with their own experts in security and application deployment and delivery. But DevOps proved yet another bottleneck; if a team managed a handful of microservices, then it only made sense that each service owner (a developer) should fully control their own fate and exercise all the capabilities required to run modern applications. What’s more, the areas that DevOps was solving for grew far more complex as applications ran in multiple environments or clouds with numerous interlocking APIs and a far greater attack surface. For instance, for developers, the idea of going beyond default deployment configurations for security and load balancing meant a deep dive into networking and security manuals. Automation and easy insight had yet to reach that realm.
But that tide is shifting. Spurred by platform ops teams tasked with making developers even more productive and independent, new developer platform tools such as Backstage Automate and help make transparent what was formerly tribal knowledge or RTFM. Developer platforms provide a centralized hub where developers can access all the information and tools needed to build and manage applications, including documents, service and API catalogs, infrastructure information and CI/CD information. By providing a single repository for all the things, these platforms can help developers streamline their workflow and improve development efficiency; they essentially act as a ‘single source of truth’ for all things related to their projects.
However, this only gets us halfway there. Modern application delivery is incredibly dynamic, requiring low-latency observability and access to the latest security and configuration updates. While observability tools can be set up to offer higher-level insights, a granular exploration into performance is often a bridge too far for already harried developers.
As the gap between zero-day PoC and exploit in the wild continues to shrink, developers have less time to secure their applications and can no longer rely on semi-manual methods. Particularly in the growing area of expensive and high-capacity AI applications, developers must deploy but also tap intelligence on how to optimize the economics, geography and overall latency of the applications.
Automation Plus Insights to Make Every Dev a SuperDev
This is where platform ops is now heading. Of the aforementioned gaps, security is the most evolved, with various tools automatically updating open-source software, containers and packages. However, automation alone is not sufficient. Insight into whether an update will introduce a breaking change and whether it is needed if security controls block the exploit upstream or downstream remains invaluable.
In addition, configuration remains a major problem with myriad manual opportunities for inadvertent introduction of security and performance problems. Developers laboring under their own language and YAML can’t rightly be expected to also master the vagaries of configuration languages and terms specific to each piece of infrastructure.
The path forward for shift left requires a partnership between automation and insight. While automated tools can handle routine security updates and, to a lesser degree, configuration management, developers still need the visibility and understanding to make informed decisions about their applications. Systems that supply easy updates and automation of formerly manual tasks, such as one-click multi-instance updates for container fleets, and necessary context will both enable and educate developers to make the next leap without adding excessive toil. Some of the newer AI tools for infrastructure management are heading in this direction, as are recommendation engines that infuse actionable suggestions into traditional observability stacks. By combining intelligent automation with context and suggestions, we can create an environment where shift left becomes not just feasible but natural, allowing developers to be equally effective across their entire application delivery value chain, from code to security to application delivery and beyond.
