Threat Vector Podcast: "Shifting Security Left"
Date: October 23, 2025
Host: David (Palo Alto Networks, N2K Networks)
Guests:
- Sri Tajir – VP, Product Management, Palo Alto Networks
- Krithi Vasan – Senior Director of Product Security, Palo Alto Networks
Episode Overview
This episode focuses on the evolving landscape of application security, particularly in the age of AI. The discussion centers around how shifting security left—embedding security earlier in the development lifecycle—transforms both risk management and developer experience. The guests, leaders in product management and AI security, share methods for proactively integrating robust security into DevSecOps, address challenges like overwhelming security backlogs, and explore the impacts and risks of AI-powered code generation.
Key Discussion Points & Insights
1. From Reactive to Prevention-First Security
- Shifting Left, Not Just Scanning Late
- Historically, vulnerabilities were discovered after code was built or in production, resulting in slow, inefficient fixes.
- Sri Tajir: “If problems arrive to production and you try to fix them after they are in production, you usually meet a developer like three months after he actually wrote the code and he may not remember what he wanted to write there.” (07:35)
- Proactive security in the IDE or during code commits allows for faster, more accurate remediation.
- Feedback Loops Matter
- Early interventions allow developers to learn and act at the point of mistake—leading to fewer repeated mistakes and better outcomes.
2. Culture & Strategy: Aligning Speed with Security
- Balancing Developer Velocity and Security
- There is anxiety over blocking developer velocity. Overwhelming security issues can paralyze pipelines.
- Sri Tajir: “The first step should be...let’s first stop all the new stuff from coming and then try to see how gradually we can also fix some of the backlog and some of the technical debt.” (13:07)
- Making Backlog Reduction Strategic, Not Just Tactical
- Frame vulnerability remediation in terms of business risk, such as potential loss of customer trust or competitive disadvantage.
- Krithi Vasan: “Frame a security vulnerability to a business executive, we need to talk to their language, translate vulnerabilities into a business risk.” (15:30)
- Not every vulnerability is equal; frameworks help prioritize which issues matter most.
3. Automation, Tooling, & Developer Empowerment
- Automate Security Throughout SDLC
- Automating detection and remediation in source code management and CI/CD pipelines helps shift security left without adding friction.
- Krithi Vasan: “TLDR is Automate, automate, automate as part of the SDLC.” (19:50)
- Empowering Developers
- Providing “golden templates,” secure base images, and real-time visibility makes security a natural extension of development, not an afterthought.
- Clear ownership of security findings is established, which in turn improves developer productivity.
4. ASPM & Context-Aware Prioritization
- What is ASPM?
- Application Security Posture Management (ASPM) leverages context: environment, risk exposure, and data sensitivity to prioritize fixes.
- Sri Tajir: “We take the prioritization from everything, all the signals we have within the system...we know exactly where the container or the VM is residing, whether it’s a production environment or a development environment, whether it has access to the Internet or not, whether it contains sensitive data.” (20:09)
- This context allows teams to focus remediation efforts where risk is highest.
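A minimal illustration of the context-aware prioritization described above, added here as an example and not code from Palo Alto Networks or any ASPM product: each finding's base severity is scaled by the deployment signals the episode names (environment, Internet exposure, sensitive data), so the same CVSS score ranks very differently in an Internet-facing production container holding sensitive data than in an isolated development VM. The weights, thresholds and sample findings are constructed for this example.

```python
from dataclasses import dataclass

# Environment multipliers are assumptions for illustration, not figures from the episode.
ENV_WEIGHT = {"production": 3.0, "staging": 1.5, "development": 1.0}
INTERNET_MULTIPLIER = 2.0   # reachable from the Internet
SENSITIVE_MULTIPLIER = 2.0  # workload stores or processes sensitive data


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float            # base severity, 0.0 to 10.0
    workload: str          # container or VM where the vulnerable code runs
    environment: str       # "production", "staging" or "development"
    internet_exposed: bool
    sensitive_data: bool


def priority_score(f: Finding) -> float:
    """Combine base severity with the deployment context the episode lists.

    A finding in production, reachable from the Internet, on a workload holding
    sensitive data rises well above an identical finding in an isolated dev VM.
    """
    score = f.cvss * ENV_WEIGHT.get(f.environment, 1.0)
    if f.internet_exposed:
        score *= INTERNET_MULTIPLIER
    if f.sensitive_data:
        score *= SENSITIVE_MULTIPLIER
    return min(score, 100.0)


def remediation_bucket(score: float) -> str:
    """Map a contextual score to a remediation lane (thresholds are constructed)."""
    if score >= 60.0:
        return "fix now"
    if score >= 20.0:
        return "this sprint"
    return "backlog"


def prioritize(findings):
    """Return findings ordered from highest to lowest contextual risk."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings: not real CVEs, workloads or scores.
SAMPLE_FINDINGS = [
    Finding("F-1", 9.8, "vm-build-07", "development", False, False),
    Finding("F-2", 7.5, "api-gateway", "production", True, True),
    Finding("F-3", 7.5, "batch-worker", "production", False, False),
    Finding("F-4", 5.0, "web-staging", "staging", True, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = priority_score(f)
        print(f"{f.finding_id:<4} {s:>6.1f}  {remediation_bucket(s):<12} {f.environment:<12} {f.workload}")
```

Note that the critical-rated finding F-1 lands in the backlog because it sits on an isolated development VM, while the medium-rated F-2 goes to the front of the queue.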
5. The Massive Impact—and Challenge—of AI on Code Security
- AI = Turbocharged Code Velocity + New Risks
- AI is rewriting code at 10x speed, shifting knowledge and accountability away from individual developers and spreading it across both machines and humans.
- Sri Tajir: “It’s not just a shift in responsibility, it’s also a shift in knowledge...now that an agent did it, this is kind of a surprising one.” (22:25)
- New Attack Surfaces
- AI-based workflows introduce risks: data poisoning, prompt injection, and model inversion attacks.
- There are also new supply chain risks, such as MCP servers not vetted by security teams.
- AI-Generated Code Weaknesses
- Krithi Vasan: “Most of the times we have seen input validation missing, weak access control, hard coded credentials.” (26:38)
- AI tools may hallucinate, introducing dependencies on non-existent or vulnerable packages (typosquatting risks).
- The Need for AI Security Training
- Because AI tools are so deeply embedded in daily development work, staff need training that goes beyond classic security awareness.
6. Economics of Security: The Real Cost of Late Fixes
- Fixing in Production Is 100x More Expensive
- Yet orgs tolerate this due to fear of blocking business progress.
- Fragmented ownership and delayed feedback lead to waste.
- Sri Tajir: “Today, developers spend a lot of time on security problems that come from production and again, they are the end of the chain.” (28:08)
- Security Enables Speed
- Security should be positioned as a way to speed new features, not as a blocker.
- Krithi Vasan: “By integrating security early and addressing vulnerabilities ahead of time, you save X numbers of developers time to go actually develop new features...” (30:17)
7. Building Security Champions for Cultural Change
- Scaling Security Inside Development
- Identify and empower engineering team members who are passionate about security—turn them into advocates and trainers.
- Krithi Vasan: “Identify them, reward them, give them visibility, empower them with tools and then train the trainer, make them your wise eyes and ears.” (31:46)
Notable Quotes & Memorable Moments
- “Developers and application security will [not] live ever after, but at least they will like each other.” — Sri Tajir (02:46)
- “You need AI to defeat AI-based attacks.” — Krithi Vasan (04:58)
- “Shift left is not only security, it’s actually giving the power back to the developers to actually address these security vulnerabilities ahead of time.” — Krithi Vasan (30:17)
- “Automate, automate, automate as part of the SDLC.” — Krithi Vasan (19:50)
Key Timestamps
- [02:46] Sri’s journey and mission in application security
- [04:58] Krithi on how AI is a force multiplier—both attacker and defender
- [07:35] Why prevention is better than fixing post-production
- [11:04] Real-time AppSec: Automate and empower developers
- [13:07] The burden of security backlogs and how to prioritize
- [15:30] Translating security risk into business language
- [18:39] Automating proactive security processes
- [20:09] ASPM and context-aware risk prioritization
- [22:25] Unique AI risks—code velocity and responsibility shift
- [26:38] Common, overlooked vulnerabilities in AI-generated code
- [28:08] Economic inefficiency: Why late fixes are 100x costlier
- [30:17] Security as a speed enabler, not a blocker
- [31:46] Building and empowering security champions inside dev teams
Tone & Language
The conversation is practical, energetic, and rooted in lived experience from high-level leaders. The language is clear, with technical depth but accessible framing, focused on enabling listeners to take actionable lessons into their organizations.
Conclusion
This episode underscores the urgent need to rethink application security in the face of AI's transformative impact on development. Prevention-first approaches, automation, and a culture of empowered, security-aware developers are key themes. By combining product innovation, process maturity, and contextual prioritization, orgs can meet the demands of speed and resilience in today's threat landscape.
