# Shift Left: Should You Push It or Pull It?

By [Georg Markarian](https://www.paloaltonetworks.com/blog/author/georg-markarian/?ts=markdown "Posts by Georg Markarian") and [Simon Melotte](https://www.paloaltonetworks.com/blog/author/simon-melotte/?ts=markdown "Posts by Simon Melotte")

Oct 24, 2024

In cloud-native development, managing security across every phase of the development lifecycle is critical. Whether working with Docker files, identity systems, microservices or serverless functions, each component presents security risks that must be addressed early.
Implementing code to cloud security ensures that every stage of development, from build to runtime, receives the necessary protection. The imperative is to mitigate risks that could otherwise lead to vulnerabilities post-release.

## Navigating Key Security Tools

The journey begins with [cloud security posture management (CSPM)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management?ts=markdown) and progresses to more comprehensive solutions like the [cloud-native application protection platform (CNAPP)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-application-protection-platform?ts=markdown). Other critical tools include:

* **CIEM** ([cloud infrastructure entitlement management](https://www.paloaltonetworks.com/cyberpedia/what-is-ciem?ts=markdown))
* **DSPM** ([data security posture management](https://www.paloaltonetworks.com/cyberpedia/what-is-dspm?ts=markdown))
* **KSPM** ([Kubernetes security posture management](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm?ts=markdown))
* **CDR** ([cloud detection and response](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-detection-and-response-cdr?ts=markdown))
* **CWP** ([cloud workload protection](https://www.paloaltonetworks.com/cyberpedia/what-is-cwpp-cloud-workload-protection-platform?ts=markdown))

While these tools integrate security into every stage of cloud-native applications, questions remain. Who's responsible for [shifting security left](https://www.paloaltonetworks.com/cyberpedia/shift-left-security?ts=markdown)? Is it the domain of [DevOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devops?ts=markdown), SecOps or CloudOps?

![A comprehensive view of the security lifecycle, starting with IaC scanning and progressing through runtime protection, demonstrating alignment between developers and operations teams.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330976-1.png)

**Figure 1**: A comprehensive view of the security lifecycle, starting with IaC scanning and progressing through runtime protection, demonstrating alignment between developers and operations teams.

## Identifying Security Challenges in Cloud Deployments

Consider a containerized application deployed on a managed [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes?ts=markdown) infrastructure through a cloud provider like AWS, Azure or Google Cloud. Developers traditionally focus on meeting functionality deadlines, often overlooking security until the testing or production phase. When vulnerabilities emerge at these late stages, fixing them becomes complicated, as [microservices](https://www.paloaltonetworks.com/cyberpedia/what-are-microservices?ts=markdown) lack on-the-fly patching capabilities.

CloudOps teams address these issues by leveraging tools like CSPM, CWP and [cloud detection and response (CDR)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-detection-and-response-cdr?ts=markdown). Developers adopt practices involving:

* **IaC Scanning** ([infrastructure as code](https://www.paloaltonetworks.com/cyberpedia/what-is-iac-security?ts=markdown))
* **SCA** ([software composition analysis](https://www.paloaltonetworks.com/cyberpedia/what-is-sca?ts=markdown))
* **SAST** ([static application security testing](https://www.paloaltonetworks.com/cyberpedia/what-is-sast-static-application-security-testing?ts=markdown))

These tools allow teams to detect security gaps early. The challenge lies in aligning them across teams --- making a strong case for shifting security left.

## Shielding Left and Right

Figure 2 illustrates a [containerized application](https://www.paloaltonetworks.com/cyberpedia/containerization?ts=markdown) running on an Amazon EKS cluster, exposing a service to the internet. The development team ensured security throughout the build process, shifting security left. After deploying the service, cloud security tools monitored for anomalies and zero-day vulnerabilities --- a practice known as shielding right.

![A cloud-native service deployed via Amazon EKS with a security-monitoring framework in place. Code-to-cloud security ensures smooth operation from the build phase to runtime monitoring.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330976-2.jpeg)

**Figure 2**: A cloud-native service deployed via Amazon EKS with a security-monitoring framework in place. Code-to-cloud security ensures smooth operation from the build phase to runtime monitoring.

Despite the precautions, a zero-day vulnerability emerged in production, exposing an endpoint to unauthorized access. Whether using [agentless or agent-based approaches](https://www.paloaltonetworks.com/cyberpedia/what-is-the-difference-between-agent-based-and-agentless-security?ts=markdown), the security team identified the attack path. The publicly exposed service was linked to a vulnerable package in the [container](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container?ts=markdown) image. The discovery raises several pivotal questions:

1. Is the service publicly accessible?
2. Is the vulnerability already exploitable?
3. Is a patch available?
4. Which packages are impacted?
5. Who relies on those packages?
6. What version resolves the issue?
7. How can the solution be communicated?
8. What steps are required to apply the fix?

![A vulnerability graph showing the relationship between an exposed service, its underlying package dependencies and associated risks.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330976-3.png)

**Figure 3**: A vulnerability graph showing the relationship between an exposed service, its underlying package dependencies and associated risks.

## Answering These Questions with Cloud to Code™ Visibility

With a single, integrated platform, security teams gain visibility across the entire [software development lifecycle (SDLC)](https://www.paloaltonetworks.com/cyberpedia/sdlc-software-development-lifecycle?ts=markdown). For example, questions about exposure and exploitability are resolved quickly.

![A real-time view of an attack path, showing how security teams trace vulnerabilities from production back to their source code.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330976-4.png)

**Figure 4**: A real-time view of an attack path, showing how security teams trace vulnerabilities from production back to their source code.

By prioritizing business-critical applications, teams can map cloud to code vulnerability traces. The method answers package-related questions and identifies dependencies, allowing for efficient remediation.

A deeper dive into the [Docker](https://www.paloaltonetworks.com/cyberpedia/docker?ts=markdown) file reveals that a Python dependency caused the issue. The platform pinpoints the exact repository, owner and the required version to resolve the problem.

![Dockerfile analysis identifying the specific Python library responsible for the vulnerability and recommending a fix.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330976-5.png)

**Figure 5**: Dockerfile analysis identifying the specific Python library responsible for the vulnerability and recommending a fix.
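
The trace described above, from an exposed service back to the repository, owner and fixed version, can be sketched as a join between a runtime inventory and a build inventory. This is an added example, not Prisma Cloud's implementation or code from the original post; all services, images, repos, owners and the package `examplelib` are constructed, and version comparison assumes plain dotted numeric versions.

```python
# Constructed sample data: every service, image, repo, owner and package name is hypothetical.
ADVISORY = {"package": "examplelib", "fixed_in": "2.4.1"}

WORKLOADS = [  # runtime view: what is deployed and whether it is internet-facing
    {"service": "batch-report", "public": False, "image": "registry.example/report:0.3"},
    {"service": "payments-api", "public": True, "image": "registry.example/payments:1.8"},
    {"service": "docs-site", "public": True, "image": "registry.example/docs:2.0"},
]

IMAGES = {  # build view: which repo produced each image and what it pins
    "registry.example/report:0.3": {
        "repo": "git.example/data/report", "owner": "team-data",
        "requirements": ["pandas==2.2.0", "examplelib==2.1.5"]},
    "registry.example/payments:1.8": {
        "repo": "git.example/pay/api", "owner": "team-payments",
        "requirements": ["flask==3.0.0", "examplelib==2.3.0"]},
    "registry.example/docs:2.0": {
        "repo": "git.example/web/docs", "owner": "team-web",
        "requirements": ["examplelib==2.4.1"]},
}


def version_key(version):
    """Sort key for plain dotted numeric versions (a simplification of PEP 440)."""
    return tuple(int(part) for part in version.split("."))


def pinned_version(requirements, package):
    """Return the version pinned with '==' for package, or None if absent or unpinned."""
    for line in requirements:
        name, sep, version = line.strip().partition("==")
        if sep and name.strip().lower() == package.lower():
            return version.strip()
    return None


def trace(advisory, workloads, images):
    """Join runtime and build views; internet-facing services sort first."""
    findings = []
    for workload in workloads:
        build = images[workload["image"]]
        installed = pinned_version(build["requirements"], advisory["package"])
        # Absent or unpinned packages are skipped here; an unpinned one needs manual review.
        if installed is None or version_key(installed) >= version_key(advisory["fixed_in"]):
            continue
        findings.append({"service": workload["service"], "public": workload["public"],
                         "repo": build["repo"], "owner": build["owner"],
                         "installed": installed, "fixed_in": advisory["fixed_in"]})
    return sorted(findings, key=lambda f: (not f["public"], f["service"]))


def patched_requirements(requirements, advisory):
    """Requirements lines a fix pull request would carry: only the affected pin changes."""
    target = advisory["package"].lower()
    patched = []
    for line in requirements:
        name = line.partition("==")[0].strip()
        patched.append(f"{name}=={advisory['fixed_in']}" if name.lower() == target else line)
    return patched


if __name__ == "__main__":
    for f in trace(ADVISORY, WORKLOADS, IMAGES):
        exposure = "PUBLIC" if f["public"] else "internal"
        print(f"{exposure:8} {f['service']}: {f['installed']} -> {f['fixed_in']} "
              f"({f['repo']}, owner {f['owner']})")
```

The sorted output covers questions 1, 4, 5 and 6 from the list; exploitability and patch availability still have to come from the advisory source itself.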

## Streamlining Developer Communication

To fix the vulnerability, security teams submit a pull request to the developer responsible for the affected code. By avoiding disruptions or unnecessary meetings, this approach respects the developer's workflow. "Pulling security left" ensures that security fixes integrate smoothly into the development process.

![A pull request to the developer, communicating the required fix without interrupting workflows.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330976-6.png)

**Figure 6**: A pull request to the developer, communicating the required fix without interrupting workflows.

## The Case for a Unified Security Platform

Using a unified security platform provides several advantages:

* [**Full visibility** across the SDLC](https://www.paloaltonetworks.com/cyberpedia/what-is-secure-software-development-lifecycle?ts=markdown)
* **Tools for developers** to prevent issues early
* **Production security monitoring** to detect vulnerabilities post-release
* **Streamlined communication** between security and development teams

## Learn More

Prisma Cloud by Palo Alto Networks offers a solution that aligns with these goals. It boosts security outcomes, enhances developer productivity and encourages better collaboration across teams.

If you haven't tried our Code to Cloud platform, we invite you to experience best-in-class security with a free [30-day Prisma Cloud trial](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial?ts=markdown).