As application security professionals we are commonly coming up with new approaches to help secure our systems. However, in the new fast-paced development world application security is often an afterthought, or at the very least, introduced late into the release process. Performing yearly assessments and delivering antiquated PDF reports have been viewed as a bottlenecks in the software delivery pipeline - a major impediment to high velocity Agile and DevOps processes. This has caused discontent between development and security teams, but that does not need to be the case any longer. By embracing DevSecOps, teams can apply modern application security to weave security directly into the code, unite developers and security practitioners, and ultimately deliver secure code, faster. As a part of our solution, instead of "shifting left" we will discuss how teams can utilize a “shift out” approach to level out their work. Utilizing both “shift left” and “shift right” methods, this talk will examine how a “shift out” perspective can actually solve many of the issues we are dealing with. In this talk David will explore different mechanisms for shifting out enabling us to write secure code faster by using secure frameworks, process and testing automation, threat intelligence, vulnerability deferment, third party SCA, and speed to focus on the things that really matter. There are many ways to make this work in your organization and the takeaways from this talk should help you build secure software faster.
Technical Level: Medium