Isaac Evans

Simple Steps to Kill DevSec without Giving Up on Security

The 'shift left' movement has largely failed. Learn how to build effective security guardrails that your developers won't ignore.

Simple Steps to Kill DevSec without Giving Up on Security
#1about 5 minutes

The corrosive effect of false positives in security tools

Traditional code scanners overwhelm developers with a high rate of false positives, eroding trust and causing important alerts to be ignored.

#2about 1 minute

Why the original "shift left" security movement failed

The shift left movement often failed because it simply redirected a high-noise firehose of security alerts from security teams to developers without improving signal quality.

#3about 1 minute

How Android and iOS successfully hardened their platforms

The significant increase in the market price for zero-day exploits for Android and iOS demonstrates their success in making software more expensive to hack.

#4about 6 minutes

Adopting a secure guardrails over security gates mindset

Effective security programs use secure guardrails, like providing secure defaults and actionable fixes, to guide developers without blocking their workflow.

#5about 3 minutes

Prioritize securing new code over fixing the backlog

Since vulnerabilities are exponentially more likely to be found in new code, focusing security efforts there provides a greater return than trying to fix the entire existing backlog.

#6about 3 minutes

The ROI of basic security training and securing LLMs

Elevating developers to a basic level of security awareness yields the largest reduction in vulnerabilities, a principle that now extends to securing code generated by LLMs.

#7about 3 minutes

A practical formula for an effective AppSec program

An application security program's effectiveness is a product of its components, where a poor signal-to-noise ratio can nullify all other efforts.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Videos

Why Security-First Development Helps You Ship Better Software Faster22:18

Why Security-First Development Helps You Ship Better Software Faster

Michael Wildpaner

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Secure Code Superstars: Empowering Developers and Surpassing Security Challenges Together23:34

Secure Code Superstars: Empowering Developers and Surpassing Security Challenges Together

Stefania Chaplin

Get security done: streamlining application security with Aikido08:27

Get security done: streamlining application security with Aikido

Mia Neethling

How GitHub secures open source25:28

How GitHub secures open source

Joseph Katsioloudes

Empowering Developer Innovation - Balancing Speed, Security, and Scale28:30

Empowering Developer Innovation - Balancing Speed, Security, and Scale

Amir Friedman, Martin Reynolds, Yair Etziony

Supply Chain Security and the Real World: Lessons From Incidents24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

Great DevEx and Regulatory Compliance - Possible?23:26

Great DevEx and Regulatory Compliance - Possible?

Martin Reynolds

From learning to earning

Jobs that call for the skills explored in this talk.