Re: Shift left? shift right?
It refers to the systems development lifecycle, which is often represented as a timeline that starts with inception or analysis, and ends with deployment or release.
Many managers tend to postpone security efforts up towards the end of this lifecycle, where they typically hope to solve the security issue with just a cheap penetration test, or worse, with a magic bullet security scanning tool. (The situation is even worsening at the moment with many companies increasingly relying on bug bounties.) This is what is referred as "pushing right".
On the other side you have some companies that try to address the security issue earlier in the cycle, sometimes even at the beginning of the lifecycle. This typically translates into identifying security requirements from the beginning of a project, identifying and addressing security or privacy threats directly during the design phase and setting up reliable tools/APIs/frameworks that prevent most vulnerabilities from even entering into the coding phase. All these are often referred to as "pushing left".
Voila, hope it helps :)
Biting the hand that feeds IT
