Pattern: devs build, security reviews late, files tickets, devs see blockers. Adversarial. Process is broken, not people.
Shift left properly
Not "more gates earlier." That moves the bottleneck.
- Enable, don't gate. Tools and knowledge to solve problems themselves.
- Automate easy stuff. SAST, dependency scanning in CI.
- Reserve humans for design. Threat modelling, architecture - not finding missing CSRF tokens.
What devs need
- Actionable guidance. Not "fix XSS." Say which variable, which function.
- Context-appropriate severity. If everything's high, devs ignore severity.
- Availability. Quick questions, quick answers.
What security needs
- Early visibility. Invite to design reviews for sensitive features.
- Honest responses. "Fix later" often means never. Accept risk explicitly.
Security champions
Developer on product team with security interest. Bridge, not replacement.
- Proximity to codebase and context
- Scale (20 champions > 5-person security team reviewing 200 devs)
- Peer advocacy received differently
Collaborative reviews
Bad: 40-page PDF two weeks after ship.
Good: Pair with dev. Walk through code together. Provide fix snippets. Agree on timelines. Follow up.
The takeaway
Early engagement, shared language, mutual empathy. Champions extend reach. Collaborative reviews build trust. Goal: fewer surprises, faster fixes, shared ownership.