A security architect is explaining to a delivery manager why the organisation is moving from a quality gate at the end of the release pipeline to embedding security activities throughout each SDLC phase. Which statement BEST captures the underlying principle of this shift-left approach?
- A. Identifying security defects in the phase that introduced them lowers remediation cost and prevents flawed assumptions from propagating into later phases. (Correct)
- B. Concentrating security review at the release gate is preferable because defects can be triaged once the system is feature-complete and behaviour is stable.
- C. Running automated penetration testing against production replicas is the most efficient way to remove vulnerabilities before customers see them.
- D. Outsourcing security testing to an independent third party removes bias and provides a defensible assurance artefact for auditors.
Why A is correct: This is the canonical rationale for shift-left: defect-removal economics worsen the further a flaw travels, and design-level errors found in coding or testing are expensive to unwind. Embedding requirements, threat modelling, and secure coding reviews in each phase contains that cost.
Why B is wrong: This describes the legacy waterfall posture the team is moving away from. Late discovery raises remediation cost and forces risk-based exceptions to meet release dates, which is exactly the failure shift-left is meant to address.
Why C is wrong: Pen testing against a production-like environment is valuable, but it happens late and finds only what survives earlier phases. It is a verification activity, not the principle that drives integrating security across the SDLC.
Why D is wrong: Independent assessment supports assurance but does not address when in the lifecycle security is considered. A late third-party test still inherits the cost curve that shift-left is intended to flatten.