the whole "shift left" thing in security has always felt kind of abstract to me
like yeah, we get it, find problems earlier in the development process instead of right before production
but what does that actually look like day to day?
because most of the time when security teams say "shift left" what they really mean is "run more scanners in CI"
and suddenly developers are dealing with security alerts at every commit, every PR, every build
which sounds good in theory but in practice it just means you're context switching from writing features to triaging security findings all day long
the cognitive load is brutal. you're trying to implement a new API endpoint and suddenly you're researching whether a dependency vulnerability actually affects your use case, or why your SAST tool thinks your input validation is insufficient
i've been wondering if "shift left" as it's usually implemented just moves the problem instead of solving it
like instead of security being a gate at the end, it becomes constant interruptions throughout development
maybe the real shift left isn't about when security tools run, but about when security knowledge gets transferred to developers?
like instead of "here's 15 new alerts to investigate" it's "here's why this pattern is risky and here's the safe way to do it"
how do other teams handle this? does shift left security actually make development smoother where you work, or does it just spread the friction across more touchpoints?