Isaac Evans

Simple Steps to Kill DevSec without Giving Up on Security

The 'shift left' movement has largely failed. Learn how to build effective security guardrails that your developers won't ignore.

Simple Steps to Kill DevSec without Giving Up on Security
#1about 5 minutes

The corrosive effect of false positives in security tools

Traditional code scanners overwhelm developers with a high rate of false positives, eroding trust and causing important alerts to be ignored.

#2about 1 minute

Why the original "shift left" security movement failed

The shift left movement often failed because it simply redirected a high-noise firehose of security alerts from security teams to developers without improving signal quality.

#3about 1 minute

How Android and iOS successfully hardened their platforms

The significant increase in the market price for zero-day exploits for Android and iOS demonstrates their success in making software more expensive to hack.

#4about 6 minutes

Adopting a secure guardrails over security gates mindset

Effective security programs use secure guardrails, like providing secure defaults and actionable fixes, to guide developers without blocking their workflow.

#5about 3 minutes

Prioritize securing new code over fixing the backlog

Since vulnerabilities are exponentially more likely to be found in new code, focusing security efforts there provides a greater return than trying to fix the entire existing backlog.

#6about 3 minutes

The ROI of basic security training and securing LLMs

Elevating developers to a basic level of security awareness yields the largest reduction in vulnerabilities, a principle that now extends to securing code generated by LLMs.

#7about 3 minutes

A practical formula for an effective AppSec program

An application security program's effectiveness is a product of its components, where a poor signal-to-noise ratio can nullify all other efforts.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Prompt injection as an unsolved AI security problem
07:39 MIN

Prompt injection as an unsolved AI security problem

AI in the Open and in Browsers - Tarek Ziadé

The security risks of AI-generated code and slopsquatting
05:55 MIN

The security risks of AI-generated code and slopsquatting

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Preventing exposed API keys in AI-assisted development
03:45 MIN

Preventing exposed API keys in AI-assisted development

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

The security challenges of building AI browser agents
06:33 MIN

The security challenges of building AI browser agents

AI in the Open and in Browsers - Tarek Ziadé

Using AI to overcome challenges in systems programming
02:49 MIN

Using AI to overcome challenges in systems programming

AI in the Open and in Browsers - Tarek Ziadé

Organizing a developer conference for 15,000 attendees
01:32 MIN

Organizing a developer conference for 15,000 attendees

Cat Herding with Lions and Tigers - Christian Heilmann

Building trust through honest developer advocacy
02:48 MIN

Building trust through honest developer advocacy

Devs vs. Marketers, COBOL and Copilot, Make Live Coding Easy and more - The Best of LIVE 2025 - Part 3

Creating psychological safety as the foundation for performance
03:12 MIN

Creating psychological safety as the foundation for performance

Sustainable High Performance: Build It or Pay the Price

Featured Partners

Related Videos

See all videos
Why Security-First Development Helps You Ship Better Software Faster22:18

Why Security-First Development Helps You Ship Better Software Faster

Michael Wildpaner

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Secure Code Superstars: Empowering Developers and Surpassing Security Challenges Together23:34

Secure Code Superstars: Empowering Developers and Surpassing Security Challenges Together

Stefania Chaplin

Get security done: streamlining application security with Aikido08:27

Get security done: streamlining application security with Aikido

Mia Neethling

How GitHub secures open source25:28

How GitHub secures open source

Joseph Katsioloudes

Supply Chain Security and the Real World: Lessons From Incidents24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

Great DevEx and Regulatory Compliance - Possible?23:26

Great DevEx and Regulatory Compliance - Possible?

Martin Reynolds

What The Hack is Web App Sec?24:01

What The Hack is Web App Sec?

Jackie

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
DC
Daniel Cranney
Dev Digest 196: AI Killed DevOps, LLM Political Bias & AI Security
Inside last week’s Dev Digest 196 . ⚖️ Political bias in LLMs 🫣 AI written code causes 1 in 5 security breaches 🖼️ Is there a limit to alternative text on images? 📝 CodeWiki - understand code better 🟨 Long tasks in JavaScript 👻 Scare yourself into n...
Dev Digest 196: AI Killed DevOps, LLM Political Bias & AI Security

From learning to earning

Jobs that call for the skills explored in this talk.