As application security professionals we are commonly coming up with new approaches to help secure our systems. In today's fast-paced development world, however, application security is often an afterthought, or at the very least introduced late in the release process. Yearly assessments and antiquated PDF reports have come to be viewed as bottlenecks in the software delivery pipeline, a major impediment to high-velocity Agile and DevOps processes. This has caused friction between development and security teams, but it does not need to stay that way. By embracing DevSecOps, teams can weave modern application security directly into the code, unite developers and security practitioners, and ultimately deliver secure code faster. Rather than simply "shifting left", we will discuss how teams can use a "shift out" approach to level out their work. Drawing on both "shift left" and "shift right" methods, this talk examines how a "shift out" perspective can solve many of the issues we are dealing with. David will explore different mechanisms for shifting out that enable us to write secure code faster: secure frameworks, process and testing automation, threat intelligence, vulnerability deferment, third-party software composition analysis (SCA), and the speed to focus on the things that really matter. There are many ways to make this work in your organization, and the takeaways from this talk should help you build secure software faster.
- Why shifting left is not the ultimate solution
- How combining the security strengths of frameworks, the power of automation, data curated through threat intelligence, and development speed can produce a solid security plan for your applications
- How to kill certain vulnerability classes completely by enabling developers to be the security experts
- How to get away from the traditional "yearly review" cycle, and better understand your security posture at any point in time
- Why collaboration between teams is important
Technical Level: Medium