
CloudOps Live 2020 - Patrick Debois - The DevSecOps Metadata Factory

talks 2 min read

We have dashboards for everything – project delivery, test pass rates, production health. But when someone asks “are we secure?” the answer is fundamentally different. We do not really know whether it is up or down. Security is a complicated thing to explain and a harder thing to measure.

Shifting left means going as early as possible in the pipeline. It starts with the code itself – SAST tooling, code spell checking, those squiggly underlines. But modern applications are mostly dependencies. Software composition analysis looks at your package.json, Gemfile, or pom.xml against vulnerability databases. And it is not just application code anymore: Dockerfiles, Kubernetes YAML, Terraform configuration – they all have dependencies, and they all need scanning. The software bill of materials captures everything that is inside your app.

Build chain integrity goes deeper. Signing artifacts with committer IDs, Docker content trust, multi-signing through Notary. Reproducible builds so the checksum is identical across machines. Tools like Bazel specifying the entire toolchain. DataDog even built their agent so you can follow the entire chain from build through signing to production deploy. The Volkswagen joke applies: if your test environment can be tampered with, your checksums mean nothing.

The hardest part is not scanning – it is triage. Once you start, you are drowning in vulnerabilities. You have to reason through actual attack vectors, deployment context, and whether something is in a demo environment versus production. Vulnerability fatigue is real. If you know you will never fix something, remove it from the list – it only adds noise. For the rest, prioritize by risk: is there an exploit available? Is there a fix? The cost of delay matters, borrowing from SAFe – if no exploit exists, you have saved cost by not fixing immediately.

Pivotal’s vulnerability budget concept was brilliant. Track vulnerabilities like SRE error budgets – set SLOs for your vulnerability window, maybe a 30-day maximum for fixes. Apply it to everything, including your Kubernetes cluster version. You cannot fix everything, you cannot detect everything, and trying to do so creates a feedback loop so costly that teams spend all their time on it. You have to go with trust at some point. But the cultural shift matters most: having people think about security, building trust in what they do, and accepting that security people sometimes have to let go and educate rather than gatekeep.
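The triage and vulnerability-budget ideas from the two paragraphs above, worked through as a small script. This is an added example, not code from the talk or from Pivotal; the scoring weights, the 30-day SLO applied uniformly, and the finding records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

SLO_DAYS = 30  # assumed vulnerability window: a 30-day maximum for fixes


@dataclass
class Finding:
    id: str
    component: str
    environment: str        # "production" or "demo"
    exploit_available: bool
    fix_available: bool
    first_seen: date
    wont_fix: bool = False  # accepted risk: drop it, it only adds noise


def days_open(f: Finding, today: date) -> int:
    return (today - f.first_seen).days


def risk_score(f: Finding) -> int:
    # Hypothetical weights for the talk's questions: exploit? fix? where deployed?
    return (4 if f.exploit_available else 0) \
        + (2 if f.fix_available else 0) \
        + (1 if f.environment == "production" else 0)


def triage(findings: list, today: date) -> list:
    """Remove accepted items, rank the rest by risk, flag SLO breaches."""
    active = [f for f in findings if not f.wont_fix]
    ranked = sorted(active, key=lambda f: (-risk_score(f), -days_open(f, today)))
    return [{"id": f.id, "score": risk_score(f), "days_open": days_open(f, today),
             "budget_left": SLO_DAYS - days_open(f, today),
             "breached": days_open(f, today) > SLO_DAYS} for f in ranked]


def budget_remaining(rows: list) -> float:
    """SRE-style budget: share of active findings still inside the SLO window."""
    return 1.0 if not rows else 1 - sum(r["breached"] for r in rows) / len(rows)


# Constructed sample findings (not real identifiers or CVEs).
TODAY = date(2020, 6, 1)
SAMPLE = [
    Finding("FINDING-1", "lodash (package.json)", "production", True, True, date(2020, 5, 25)),
    Finding("FINDING-2", "kubernetes cluster version", "production", False, True, date(2020, 4, 1)),
    Finding("FINDING-3", "demo-only library", "demo", False, False, date(2020, 5, 1)),
    Finding("FINDING-4", "legacy tool", "demo", False, False, date(2020, 1, 1), wont_fix=True),
]

if __name__ == "__main__":
    rows = triage(SAMPLE, TODAY)
    for r in rows:
        print(r)
    print(f"vulnerability budget remaining: {budget_remaining(rows):.0%}")
```

Items past the 30-day window burn the budget regardless of score, so a low-risk finding that has lingered still shows up as a breach rather than disappearing into the backlog.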

Watch on YouTube – available on the jedi4ever channel

This summary was generated using AI based on the auto-generated transcript.
