Don't Sh*t-Left: How to Actually Shift-Left
Ahmad Sadeddin
BSidesSF 2025 — Here Be Dragons · Day 2 · Main
Most "shift-left" security programs fail not because the concept is wrong, but because organizations mistake tool deployment for cultural change. Ahmad Sadeddin, founder and CEO of Corgea, argues that shift-left only works when it treats security as a developer experience problem — and that the rise of AI-assisted coding is expanding the attack surface faster than most appsec teams realize.
AI review
Solid operational critique of shift-left theater dressed up as a founder pitch. The vibe-coding attack surface angle is the one thing that saves it from being a rehash of 2019 DevSecOps blog posts. Nothing here will surprise anyone who's been running an appsec program for more than three years, but the framing is honest and the false-positive statistics are genuinely damning.