Shift Left on Security
Traditional security operates as a gate at the end of the delivery pipeline — security reviews happen late, find problems that are expensive to fix, and create an adversarial relationship between security and delivery teams. "Shift left" means integrating security into every phase of the software delivery lifecycle, from design through deployment. The Accelerate research showed that teams practicing shift-left security spent 50% less time remediating security issues AND had better security outcomes. The false trade-off — "security slows us down" — is actually caused by late-stage security gates, not security itself.
How It Works

Four practices that define shift-left security:

  1. Security in design, not just review — Security engineers provide input during the design phase, not just a thumbs-up/down at the end. Threat modeling happens when architecture decisions are being made, when changes are cheap. By the time code is written, the security-critical decisions are already sound.
  2. Automated security testing in CI/CD — Static Application Security Testing (SAST) scans code for vulnerabilities on every commit. Dynamic Application Security Testing (DAST) tests running applications. Dependency scanning catches known vulnerabilities in third-party packages. These run automatically — no human bottleneck.
  3. Embedded security engineers — Security people sit with delivery teams, not in a separate silo. They understand the product context, build relationships, and provide real-time guidance. This replaces the "throw it over the wall for security review" anti-pattern.
  4. Pre-approved, hardened libraries and frameworks — Security teams curate blessed toolkits: authentication libraries, encryption utilities, input validation frameworks. Teams can use these without separate security approval, removing friction while maintaining standards. Security shifts from gatekeeping to enabling.
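To make practice 2 concrete, here is an added example (not code from the original page) of the smallest useful dependency-scanning gate a pipeline can run on every commit: it parses pinned requirements, compares them against an advisory feed, and returns a non-zero exit status so the build fails before a human reviewer is involved. The package names, advisory ids and lockfile contents are constructed placeholders, and version comparison is deliberately limited to numeric dotted versions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str      # first version that is no longer affected
    advisory_id: str

# Constructed advisory feed (hypothetical packages and ids, not real data).
ADVISORIES = [
    Advisory("examplelib", "2.4.0", "EXAMPLE-ADV-001"),
    Advisory("otherlib", "1.2", "EXAMPLE-ADV-002"),
]

# Constructed lockfile: one vulnerable pin, one already-patched pin, one clean.
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.1
otherlib==1.2  # patched, must not be flagged
cleanlib==3.0.0
"""

def parse_version(v: str) -> tuple:
    """Numeric dotted versions only (e.g. '2.3.1'); enough for this example."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text: str) -> dict:
    """Map package name -> pinned version from 'name==version' lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins

def scan(requirements_text: str, advisories=ADVISORIES) -> list:
    """Return (package, pinned, advisory_id) for each pin older than fixed_in."""
    pins = parse_requirements(requirements_text)
    return [(a.package, pins[a.package], a.advisory_id) for a in advisories
            if a.package in pins
            and parse_version(pins[a.package]) < parse_version(a.fixed_in)]

def ci_gate(requirements_text: str) -> int:
    """Exit status for the pipeline step: 0 passes, 1 fails the build."""
    findings = scan(requirements_text)
    for pkg, ver, adv_id in findings:
        print(f"FAIL {pkg}=={ver} ({adv_id}): upgrade before merging")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_REQUIREMENTS))
```

A real pipeline would feed the scanner a live advisory source and a proper version parser, but the shape stays the same: a deterministic check that runs unattended and blocks the merge.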

The economics are clear: a vulnerability found in design costs 10x less to fix than one found in production. Shifting left is cheaper, faster, and more secure.