Back to Blog
SecuritySeptember 18, 202512 min read

Shifting Security Left: How LLMs and Agentic Coding Finally Make It Possible

#security#llm#ai#development#devsecops#agentic-coding#shifting-left#mcp#context-aware

For over a decade, security professionals have preached the gospel of "shifting security left"—catching vulnerabilities earlier in the development lifecycle rather than waiting for production incidents. But let's be honest: until recently, this was more aspirational than practical.

Traditional security tools were either too slow, too noisy, or too disconnected from the developer workflow to make a real impact. Developers would run security scans, get overwhelmed by false positives, and eventually tune them out. Security teams would find themselves in a constant game of catch-up, discovering issues long after code had been written and deployed.

That's all changing now. With the advent of Large Language Models (LLMs) and agentic coding systems, we finally have the tools to make "shifting security left" not just possible, but practical and effective.

The Traditional Problem

Why Security Left Was Hard

The concept of shifting security left has always made sense in theory:

  1. Catch issues early when they're cheaper to fix
  2. Educate developers about security as they code
  3. Prevent vulnerabilities from entering the codebase
  4. Reduce the security team's burden of constant firefighting

But in practice, traditional approaches had fundamental limitations:

Static Analysis Tools

  • Generated too many false positives
  • Required specialized knowledge to configure properly
  • Often ran too late in the development process
  • Provided generic advice that didn't fit the specific context

Security Training

  • Happened in isolation from actual coding
  • Quickly forgotten when developers returned to their work
  • Rarely covered the specific technologies and patterns being used
  • Didn't adapt to new threats or vulnerabilities

Code Reviews

  • Relied on reviewers having security expertise
  • Inconsistent application across different teams
  • Often focused on functionality rather than security
  • Time-consuming and prone to human error

The LLM Revolution

What Makes LLMs Different

Large Language Models represent a fundamental shift in how we can approach security in development:

Contextual Understanding Unlike traditional tools that look for specific patterns, LLMs understand the broader context of what code is trying to accomplish. They can identify security issues that traditional static analysis would miss because they understand the intent behind the code.

Natural Language Interaction Developers can ask questions in plain English: "Is this authentication implementation secure?" or "How should I handle this user input?" The LLM can provide specific, actionable advice tailored to the exact code being written.

Continuous Learning LLMs can be updated with the latest security research, vulnerability databases, and best practices. They don't become outdated like traditional rule-based systems.

Integration with Development Workflow LLMs can be integrated directly into IDEs, code editors, and development environments, providing real-time security guidance as developers write code.

Agentic Coding: The Game Changer

What is Agentic Coding?

Agentic coding refers to AI systems that can not only provide suggestions but take autonomous actions to improve code quality and security. These systems can:

  • Automatically fix common security vulnerabilities
  • Suggest secure alternatives for problematic code patterns
  • Generate secure code templates based on requirements
  • Refactor code to follow security best practices
  • Create security tests to verify implementations

The Security Persona Approach

One of the most powerful applications of LLMs in security is the ability to create specialized "security personas" that can be embedded in every repository. These personas can:

Act as Security Consultants

  • Review code changes for security implications
  • Suggest secure coding patterns
  • Identify potential vulnerabilities before they're committed
  • Provide explanations for security recommendations

Enforce Security Policies

  • Ensure consistent application of security standards
  • Validate that security requirements are met
  • Check for compliance with security frameworks
  • Maintain security documentation

Educate Developers

  • Explain why certain practices are insecure
  • Provide examples of secure alternatives
  • Share relevant security resources
  • Adapt explanations to the developer's experience level

Real-World Implementation

Repository-Level Security Personas

Imagine every repository having a security persona that:

  1. Reviews every pull request for security issues
  2. Suggests secure coding patterns as developers type
  3. Validates security requirements are met
  4. Provides educational context for security decisions
  5. Maintains security documentation automatically

Example: Authentication Security Persona

Here's how a security persona might work in practice:

// Developer writes this code
const user = await User.findOne({ email: req.body.email });
if (user.password === req.body.password) {
  // Login successful
}

// Security persona immediately suggests:
// ⚠️ SECURITY ALERT: This authentication has several vulnerabilities:
// 1. Passwords should never be stored in plain text
// 2. Use bcrypt or similar for password hashing
// 3. Implement rate limiting to prevent brute force attacks
// 4. Add proper error handling to prevent user enumeration
// 
// Here's a secure implementation:
const bcrypt = require('bcrypt');
const user = await User.findOne({ email: req.body.email });
if (user && await bcrypt.compare(req.body.password, user.passwordHash)) {
  // Login successful
}

Continuous Security Guidance

The security persona doesn't just catch issues—it provides ongoing guidance:

  • Explains security concepts in the context of the current code
  • Suggests security libraries and frameworks
  • Identifies dependencies with known vulnerabilities
  • Recommends security testing strategies
  • Maintains security checklists for different types of features

The Technical Implementation

MCP: The Missing Piece for Context-Aware Security

One of the most powerful enhancements to security personas comes from the Model Context Protocol (MCP). MCP allows LLMs to pull in real-time context from external systems, dramatically improving the quality and accuracy of security decisions.

What is MCP? MCP is a protocol that enables LLMs to access external data sources and tools in real-time. Instead of relying solely on the code in front of them, security personas can now pull in:

  • Jira tickets with security requirements and known issues
  • Architecture documentation showing how components interact
  • Environment configurations revealing deployment contexts
  • Threat intelligence feeds with latest vulnerability data
  • Compliance frameworks and regulatory requirements
  • Previous security incidents and their resolutions

Enhanced Security Context

Here's how MCP transforms security decision-making:

// Without MCP: Generic security advice
// Security persona sees only this code:
const user = await User.findOne({ email: req.body.email });

// Generic response: "Consider input validation"

// With MCP: Context-aware security guidance
// Security persona pulls in:
// - Jira ticket: "SEC-1234: Implement OWASP Top 10 compliance"
// - Architecture doc: "This service handles PII data in EU region"
// - Previous incident: "SEC-5678: SQL injection in user lookup (resolved)"

// Context-aware response:
// ⚠️ CRITICAL: This user lookup handles PII in EU region
// Based on SEC-1234 and previous incident SEC-5678:
// 1. Implement parameterized queries (GDPR compliance)
// 2. Add input validation for email format
// 3. Consider rate limiting (previous SQL injection attack)
// 4. Log access for audit trail (EU data protection)

MCP Integration Examples

Jira Integration

# Security Persona with Jira MCP

## Context Sources
- Pull security requirements from Jira tickets
- Check for related security issues
- Validate against compliance tickets
- Reference previous security incidents

## Enhanced Prompts
- "Review this code against security requirements in Jira"
- "Check if this change addresses any open security tickets"
- "Validate compliance with tickets tagged 'security'"

Architecture Documentation

# Security Persona with Architecture MCP

## Context Sources
- System architecture diagrams
- Component interaction maps
- Data flow documentation
- Security boundary definitions

## Enhanced Analysis
- Understand data flow through the system
- Identify security boundaries and trust zones
- Consider cross-component security implications
- Validate against architectural security patterns

Environment Context

# Security Persona with Environment MCP

## Context Sources
- Deployment configurations
- Environment-specific security policies
- Network topology information
- Infrastructure security settings

## Enhanced Guidance
- Provide environment-specific security recommendations
- Consider deployment context (dev/staging/prod)
- Account for infrastructure security controls
- Validate against environment-specific compliance requirements

LLM Directives and Prompts

The key to effective security personas is well-crafted prompts and directives that can be embedded in every repository:

# Security Persona Configuration

## Role
You are a senior security engineer reviewing code for security vulnerabilities and best practices.

## Responsibilities
- Identify security vulnerabilities in code
- Suggest secure coding patterns
- Explain security concepts clearly
- Provide actionable recommendations
- Maintain awareness of latest security threats

## Security Focus Areas
- Authentication and authorization
- Input validation and sanitization
- Data encryption and storage
- API security
- Dependency management
- Error handling and logging
- Configuration security

## Response Format
- Start with severity level (Critical/High/Medium/Low)
- Explain the security issue clearly
- Provide secure code examples
- Include relevant resources for learning

Integration Points

Security personas can be integrated at multiple points in the development lifecycle:

IDE Integration

  • Real-time security suggestions as developers type
  • Inline security warnings and recommendations
  • Automatic code completion with security considerations

Git Hooks

  • Pre-commit security validation
  • Automatic security scanning of changed files
  • Blocking commits that introduce critical vulnerabilities

CI/CD Pipeline

  • Automated security testing
  • Security persona review of pull requests
  • Integration with security scanning tools

Code Review Process

  • Security persona as a reviewer on every PR
  • Automated security comments and suggestions
  • Integration with human reviewers

The Impact: Measurable Results

Before LLM Integration

  • Security issues discovered: 2-3 weeks after code was written
  • Fix cost: 10-100x more expensive than prevention
  • Developer security knowledge: Limited and inconsistent
  • Security team workload: Constant firefighting mode
  • Vulnerability remediation time: 30-90 days average

After LLM Integration

  • Security issues discovered: At the moment of code creation
  • Fix cost: Minimal (often just accepting AI suggestions)
  • Developer security knowledge: Continuously improving through contextual education
  • Security team workload: Focused on high-level strategy and complex issues
  • Vulnerability remediation time: Immediate (prevented before commit)

Challenges and Considerations

Not a Silver Bullet

While LLMs and agentic coding are powerful tools, they're not perfect:

False Positives and Negatives

  • LLMs can still generate incorrect security advice
  • Need human oversight for complex security decisions
  • Regular validation and updating of security personas required

Context Limitations

  • LLMs may not understand all business context
  • Some security decisions require domain-specific knowledge
  • Need to balance security with functionality and usability

Dependency on Quality Prompts

  • Security personas are only as good as their configuration
  • Need regular updates based on new threats and vulnerabilities
  • Requires security expertise to maintain and improve

Implementation Strategy

Start Small

  • Begin with high-risk areas (authentication, input validation)
  • Focus on common vulnerabilities (OWASP Top 10)
  • Gradually expand to cover more security domains

Iterate and Improve

  • Monitor the effectiveness of security personas
  • Collect feedback from developers
  • Continuously refine prompts and directives
  • Stay updated with latest security research

Maintain Human Oversight

  • Security personas complement, don't replace, human expertise
  • Regular review of AI recommendations
  • Human security experts for complex decisions
  • Continuous training and improvement of the system

The Future of Security in Development

What's Next

The integration of LLMs and agentic coding in security is just beginning. We're likely to see:

More Sophisticated Security Personas

  • Specialized personas for different types of applications
  • Industry-specific security guidance
  • Integration with threat intelligence feeds
  • Automated security policy updates

Better Integration with Development Tools

  • Native IDE support for security personas
  • Seamless integration with existing development workflows
  • Real-time collaboration between developers and security AI

Advanced Security Automation

  • Automatic remediation of common vulnerabilities
  • Proactive security testing and validation
  • Automated security documentation generation
  • Integration with compliance frameworks

The Paradigm Shift

We're witnessing a fundamental shift in how security is integrated into software development. Instead of security being a separate concern that developers need to remember, it's becoming an integral part of the development process itself.

Developers are no longer expected to be security experts, but they have access to security expertise through AI-powered tools that understand their code and can provide contextual, actionable guidance.

Security teams are no longer in constant firefighting mode, but can focus on strategic security initiatives, threat modeling, and complex security challenges that require human expertise.

Getting Started

For Development Teams

  1. Choose your LLM platform (GitHub Copilot, Cursor, or custom solutions)
  2. Set up MCP connections to your key systems (Jira, Confluence, architecture docs)
  3. Define security personas for your specific technology stack
  4. Create security prompts and directives tailored to your needs
  5. Integrate with your development workflow (IDEs, git hooks, CI/CD)
  6. Start with high-risk areas and gradually expand coverage
  7. Monitor and iterate based on results and feedback

For Security Teams

  1. Develop security personas that reflect your organization's security policies
  2. Set up MCP integrations with your security tools and documentation systems
  3. Create comprehensive security prompts covering your key risk areas
  4. Train developers on how to work with security personas
  5. Monitor AI recommendations for accuracy and effectiveness
  6. Continuously update security guidance based on new threats
  7. Measure impact on security posture and developer productivity

Conclusion

The promise of "shifting security left" is finally becoming reality. With LLMs and agentic coding, we can embed security expertise directly into the development process, catching vulnerabilities at the moment of creation and educating developers continuously.

This isn't about replacing human security expertise—it's about making that expertise available to every developer, in every repository, at the exact moment they need it.

The future of secure software development isn't about having more security tools; it's about having smarter, more integrated security guidance that helps developers build secure software by default.

Are you already using LLMs for security in your development process? I'd love to hear about your experiences and what's working (or not working) for your team.

Enjoyed this article? Check out more of my thoughts on startups and technology.

View All Posts