A shift-left approach to security, where security teams insert security activities earlier in developer workflows, is not producing meaningful results for many organizations. This approach puts the onus of security management on developers without providing guidance or resources to support self-service. In contrast, a developer-first security program focuses on contextual injections of security designs into the environment, integrating into existing development workflows and solving real business problems. Such programs require significant cultural shifts within both engineering and security teams, aiming to provide a paved path for security that makes it easier for developers to deploy their pipelines while embedding security into the speed and scale of modern development team lifecycles.