What does shift-left security mean, and why does it matter? [Basic]
Answer
Shift-left security means finding and fixing security issues as early as possible, ideally while code is being written or reviewed. It matters because fixing a defect early is cheaper, faster, and less disruptive than remediating it in production.
Technical explanation
Shift-left includes IDE feedback, pre-commit secret scanning, pull-request SAST, SCA during build, and IaC policy checks before infrastructure is applied.
It reduces late-stage release blockers and turns security into normal engineering feedback.
It should be paired with shift-right controls such as runtime detection, audit logs, and incident response because not all risks are visible before deployment.
Hands-on example
Example workflow: a developer opens a pull request. The PR runs SonarQube analysis, dependency review, Trivy image scanning, and Checkov/Terraform policy checks. The developer gets line-level comments and fixes the issue before merge instead of waiting for a finding from a quarterly penetration test.
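A GitHub Actions workflow that wires up the pull-request gate described above, as an added example and not code from the original page. The action version tags, the `infra/` directory, the image name and the secret names are assumptions; the SonarQube scan step alone does not fail the build, so the separate quality-gate step is what blocks the merge.

```yaml
# Constructed example: PR security gate (SAST + SCA + image scan + IaC policy).
name: pr-security-gate
on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # lets dependency review post its summary on the PR

jobs:
  sast-and-sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarQube can attribute "new code"
      - name: SonarQube analysis
        uses: SonarSource/sonarqube-scan-action@v4
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}        # assumed secret name
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}  # assumed secret name
      - name: Enforce SonarQube quality gate (fails the job on gate failure)
        uses: SonarSource/sonarqube-quality-gate-action@v1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: Dependency review (SCA on dependencies added in this PR)
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high

  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build the container image
        run: docker build -t app:${{ github.sha }} .   # assumed image name
      - name: Trivy image scan, blocking on HIGH/CRITICAL findings
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: app:${{ github.sha }}
          exit-code: '1'
          severity: HIGH,CRITICAL
          ignore-unfixed: true   # do not block on issues with no fix available yet

  iac-policy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkov policy check on Terraform before anything is applied
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: infra/      # assumed location of the Terraform code
          framework: terraform
          soft_fail: false       # a policy violation fails the check
```

Each job fails independently, so the PR shows exactly which control blocked the merge and the developer gets the feedback on the change that introduced it.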