# The Three T's of Shift Left Security

By [Robert Haynes](https://www.paloaltonetworks.com/blog/author/robert-haynes/?ts=markdown "Posts by Robert Haynes")

Feb 19, 2020

To succeed in today's competitive environment, organizations need to aggressively cultivate innovation, velocity and economy: *innovation* to continue to delight customers with new offers, *velocity* to get there before competitors and *economy* to protect margins. In order to meet these imperatives, organizations have reinvented the way they create and manage application development and deployment, not to mention the runtime platforms that they run on.

The phrase "[shift left security](https://www.paloaltonetworks.com/blog/2019/07/4-practical-steps-shift-left-security/?ts=markdown)" seems to come with a full complement of broad statements and untested assumptions. The one I see most often is "developers don't care about security." This is demonstrably false. Developers think a lot about software quality. When security is a key component of quality, they intrinsically care about security.

## **Shift Left Security: The Three T's**

Everyone wants to write good code, it's just that sometimes the definition of "good" isn't as clear as it could be. Developers also need to be productive -- organizations need to get from great idea to delighted customer as quickly as possible. So developers want to write good code, create great software and hit the next sprint.

If your strategy for shifting security left comes only with added responsibility, it's unlikely to improve developer productivity, joy or flow. To avoid cognitive overload and developer burnout, the shift needs to be accompanied by what I'm going to refer to as "The three T's."

* Training
* Tools
* Teamwork

#### Training

Training is essential to enable developers to benefit from introducing security testing and practices early in the software development lifecycle. Simply providing a dev team with a spreadsheet of discovered vulnerabilities, without the context needed to fix the identified issues and prevent them from reoccurring in the next feature implementation, is going to harm productivity, not help it.

Most developers are "lifelong learners," but they don't get the opportunity to learn secure coding and vulnerability remediation on the job. Fortunately, there are plenty of [training courses](https://www.paloaltonetworks.com/services/education?ts=markdown) available in a variety of formats to provide the skills and expertise your teams need to continuously improve application security posture.

#### Tools

While tools are not the full answer, the right tools in the right form-factor can make the difference between simply *wanting* to improve security and actually implementing a successful security practice.

As development methodologies, application architectures and runtime environments evolve, the attack surface area evolves alongside them. Cloud platforms, infrastructure-as-code and programming languages that rely heavily on packages with nested software modules all provide opportunities to introduce vulnerabilities into an application.

However, it's unrealistic to expect developers to become experts in AWS IAM policies, Kubernetes API admission control, Terraform best practices, and every NodeJS package their application uses, and still write great code with flow and joy. They need tools that [provide automated expertise](https://www.paloaltonetworks.com/blog/2019/12/cloud-native-security-platform-age/?ts=markdown) that can slot into their existing workflows and provide usable feedback as part of the software development process.

#### Teamwork

While we're supposed to leave the best until last, the reality is often that we leave the hardest until last. Teamwork -- or really, collaboration, which sadly doesn't begin with a "T" -- is the keystone of shifting left, but it can also be the most challenging piece. While process and tools can be changed with comparative ease, mindsets and behaviors are harder to adjust. And without increased collaboration between security and development teams, much of the value of injecting security earlier into the software delivery lifecycle will be lost.

Shifting left doesn't mean that the development team should have a heavy new burden of complete responsibility for all security laid upon them. Nor can it mean that the security team should come in and dictate new procedures, controls and technology within the build and deploy pipeline.

While Mark Zuckerberg might encourage you to "move fast and break things," a better mantra for shifting security left might be to "[move fast](https://www.paloaltonetworks.com/blog/2019/09/cloud-default-aggressive-cloud-security/?ts=markdown) but don't get hacked." Taking these two seemingly oppositional principles as your collaboration charter might give you a good place to start. With this north star, the natural problem-solving nature of IT professionals can come to the forefront. Sharing responsibility for both security and velocity between teams is both a central DevOps theme and a powerful motivator of collaboration.

## **Conclusion**

With the right knowledge and tools in place, and with a shared imperative to accelerate the delivery of *secure* software, you significantly improve your chances of creating secure, high-quality software, and of hitting those sprint dates. You may even find your teams enjoy it.

You can learn more about the proper tools in our on-demand digital summit, [Cloud Native Security Live](https://register.paloaltonetworks.com/prisma-cloud-native-security-virtual-summit).