There seems to be a general agreement that when it comes to implementing security in the software development lifecycle (SDLC), the sooner you do it the better. After all, the speed of software releases, the use of cloud-based services, the incorporation of automation into the software development process, and the rate of innovation in the development toolchain are all trends that erode app security.

This strategy of implementing security sooner in the SDLC has come to be known by the moniker “shift left”. Shift left cybersecurity refers to “moving security to the earliest possible point in the development process, embedding security into the earliest phases of the application development process, where vulnerable code is identified. The idea is that the sooner security code and policy can be implemented in the development process, the less it costs.

According to Forbes, shift left concepts will become more important as the cloud world focuses on building applications that can run anywhere, on any cloud or platform.

Since the advent of agile development, the SDLC has been more of a repeating circle than a straight line. So, technically, the idea is to shift counterclockwise, but the theory still holds.

Once you commit to shifting left, you’re left with the question of how to do it. One option for shifting left is to integrate threat modeling early into the SDLC. There are other options as well, like static application security testing (SAST).

In a perfect world, you integrate some sort of security check early in the application development process. But what if you can’t? What if the application is already deployed in the cloud somewhere? How do you shift left then?

Shifting Left in the Cloud

There aren’t a lot of options for shifting left once an application is live in the cloud. You might think that a cloud security posture management (CSPM) tool would do the trick. But they don’t quite do it.

CSPMs look at your cloud resources to understand if the configuration meets the policies. And while that certainly provides some security value, that doesn’t ensure a secure application.

Whatever it is, it would have to have the ability to assess the live cloud infrastructure. Something that could reverse engineer your cloud setup as a way of shifting left. Does such a capability exist? As things turn out, it does and it’s called CloudModeler.

CloudModeler, by ThreatModeler, assesses the live cloud infrastructure in a matter of minutes and generates a threat modeling diagram from the gathered information. This includes generating a list of security requirements and highlighting the ones that have not yet been addressed.

With this capability, it’s as if you threat modeled the application before it was deployed. In other words, you shifted your security left for an application that is already up and running. That’s a pretty unique capability. And with CloudModeler, it doesn’t just generate a threat model once. It continues to assess the cloud infrastructure and updates the threat model every time there is a change. That’s shifting left in real-time.

If you’d like to learn more about CloudModeler, you can contact ThreatModeler here.


ThreatModeler revolutionizes threat modeling during the design phase by automatically analyzing potential attack surfaces. Harness our patented functionalities to make critical architectural decisions and fortify your security posture.

Learn more >


Threat modeling remains essential even after deploying workloads, given the constantly evolving landscape of cloud development and digital transformation. CloudModeler not only connects to your live cloud environment but also accurately represents the current state, enabling precise modeling of your future state

Learn more >


DevOps Engineers can reclaim a full (security-driven) sprint with IAC-Assist, which streamlines the implementation of vital security policies by automatically generating threat models through its intuitive designer.

Learn more >