Check Point® Software Technologies Ltd.(link is external) announced major advancements to its family of Quantum Force Security Gateways(link is external).
Detecting vulnerabilities early on in the software development life cycle has advantages, but in the real world, "shifting left" has many limitations.
Three crucial factors hinder the effectiveness of shifting left: test coverage, business context, and the disparity between production and pre-production environments. By critically examining and addressing these limitations, we can establish a more proactive approach to application security — ensuring that systems remain resilient by detecting vulnerabilities early on.
Let's dive in.
Limitation 1: Test Coverage
Some organizations decide to run application security testing tools on every piece of code. But there are multiple drawbacks to this approach.
Enterprises with large code bases suffer from test length. By the time tests finish running, engineers have switched to the next task and the scrum leader must decide if the security risks surfaced must be fixed immediately. Teams can avoid this by telling engineers they can only switch tasks once security tests are complete, but that impacts development velocity.
One solution is to identify changes in the code base and run tests only on the deltas to ensure no new vulnerabilities are added. This works well, but typically requires the enterprise to dedicate a large number of engineering hours to develop that technology around its existing security tooling. Another solution is to tune down security testing tools to increase speed and reduce the number of alerts they produce. With fewer alerts, developers are more likely to fix them, but other vulnerabilities are making their way into production.
Microservices are the modern alternative to large code bases. With this approach, enterprises own hundreds or thousands of code repositories. Ensuring that security tools are configured for every single repository or CI/CD pipeline is challenging, which is where DevSecOps comes in. Organizations have entire teams dedicated to ensuring all new code is checked for security, but putting those guardrails in place doesn't happen overnight. And even with them in place, teams still need to worry about shadow IT — or bypassing proper channels for the sake of speed or getting a system back online — which has existed as long as security.
Limitation 2: Business Context
Business context is crucial in security, and one of the major considerations are false positives. A false positive is a security finding that, upon further investigation, is deemed not to actually pose a risk to the business. These ruin the trust between security and development teams.
But even if we assume all of our security findings are true findings, how do we prioritize which to fix and which to fix first? As it stands, organizations often use the Common Vulnerability Scoring System (CVSS), which gives a way to quantitatively measure risk but misses the bigger picture of the application. Most practitioners agree that using the application's architecture is a better way to prioritize risk, but it can be very hard to quantify.
If you can look at the architecture — its dependencies, data flows, business context, sensitivity of data, the blast radius of a breach — you can create a clearer picture of what needs to be prioritized by security and development teams. Then you can secure stakeholder buy-in by showing the vulnerabilities in business terms rather than an arbitrary list of CVSS scores.
The reason this is challenging in shift left is that code development is removed from the larger application that security tools aren't able to see a vulnerability and correlate it to where it lies within an application and the business at large. That lack of visibility is a key limitation of the shift left approach.
Limitation 3: Production vs Pre-Production
Shifting left focuses on pre-production, the environments where code is developed and tested. It's true that vulnerabilities are easier to fix early in the pipeline, so it definitely has its benefits, but it's impossible to measure the full risk in pre-production.
For example, why are security operation centers and SIEM tools focused on what's happening to their running applications? Because threat actors are attacking where there are valuable business assets and data: the production environments. If we can figure out which microservices are important, we can target those with our shift left tools. This works well for small businesses, who can focus on things like payment processors, but it tends to fall apart for large enterprises struggling to document where code lives, which code is live in production, and how that production environment is changing over time.
Without an application inventory and understanding of what is live today, it's difficult to prioritize what's impacting the business. Plus, applications morph as code compiles. When you shift left and focus on source code, you're ignoring things like configuration files and command line arguments that actually add or remove mitigating controls for an application through deployment. The way that you're prioritizing risk could become moot by the time the code reaches production.
In conclusion, it is imperative that organizations understand the limitations of shifting left, from test coverage to business context to the difference between production and pre-production environments. These considerations are important when designing an application security strategy and creating a comprehensive security program.
Industry News
Sauce Labs announced the general availability of iOS 18 testing on its Virtual Device Cloud (VDC).
Infragistics announced the launch of Infragistics Ultimate 25.1, the company's flagship UX and UI product.
CIQ announced the creation of its Open Source Program Office (OSPO).
Check Point® Software Technologies Ltd.(link is external) announced the launch of its next generation Quantum(link is external) Smart-1 Management Appliances, delivering 2X increase in managed gateways and up to 70% higher log rate, with AI-powered security tools designed to meet the demands of hybrid enterprises.
Salesforce and Informatica have entered into an agreement for Salesforce to acquire Informatica.
Red Hat and Google Cloud announced an expanded collaboration to advance AI for enterprise applications by uniting Red Hat’s open source technologies with Google Cloud’s purpose-built infrastructure and Google’s family of open models, Gemma.
Mirantis announced Mirantis k0rdent Enterprise and Mirantis k0rdent Virtualization, unifying infrastructure for AI, containerized, and VM-based workloads through a Kubernetes-native model, streamlining operations for high-performance AI pipelines, modern microservices, and legacy applications alike.
Snyk launched the Snyk AI Trust Platform, an AI-native agentic platform specifically built to secure and govern software development in the AI Era.
Bit Cloud announced the general availability of Hope AI, its new AI-powered development agent that enables professional developers and organizations to build, share, deploy, and maintain complex applications using natural language prompts, specifications and design files.
AI-fueled attacks and hyperconnected IT environments have made threat exposure one of the most urgent cybersecurity challenges facing enterprises today. In response, Check Point® Software Technologies Ltd.(link is external) announced a definitive agreement to acquire Veriti Cybersecurity, the first fully automated, multi-vendor pre-emptive threat exposure and mitigation platform.
LambdaTest announced the launch of its Automation MCP Server, a solution designed to simplify and accelerate the process of triaging test failures.
DefectDojo announced the launch of their next-gen Security Operations Center (SOC) capabilities for DefectDojo Pro, which provides both SOC and AppSec professionals a unified platform for noise reduction and prioritization of SOC alerts and AppSec findings.
Check Point® Software Technologies Ltd.(link is external) has been recognized on Newsweek’s 2025 list of America’s Best Cybersecurity Companies(link is external).
Red Hat announced enhanced features to manage Red Hat Enterprise Linux.