Isaac Evans

Simple Steps to Kill DevSec without Giving Up on Security

The 'shift left' movement has largely failed. Learn how to build effective security guardrails that your developers won't ignore.

Simple Steps to Kill DevSec without Giving Up on Security
#1about 5 minutes

The corrosive effect of false positives in security tools

Traditional code scanners overwhelm developers with a high rate of false positives, eroding trust and causing important alerts to be ignored.

#2about 1 minute

Why the original "shift left" security movement failed

The shift left movement often failed because it simply redirected a high-noise firehose of security alerts from security teams to developers without improving signal quality.

#3about 1 minute

How Android and iOS successfully hardened their platforms

The significant increase in the market price for zero-day exploits for Android and iOS demonstrates their success in making software more expensive to hack.

#4about 6 minutes

Adopting a secure guardrails over security gates mindset

Effective security programs use secure guardrails, like providing secure defaults and actionable fixes, to guide developers without blocking their workflow.

#5about 3 minutes

Prioritize securing new code over fixing the backlog

Since vulnerabilities are exponentially more likely to be found in new code, focusing security efforts there provides a greater return than trying to fix the entire existing backlog.

#6about 3 minutes

The ROI of basic security training and securing LLMs

Elevating developers to a basic level of security awareness yields the largest reduction in vulnerabilities, a principle that now extends to securing code generated by LLMs.

#7about 3 minutes

A practical formula for an effective AppSec program

An application security program's effectiveness is a product of its components, where a poor signal-to-noise ratio can nullify all other efforts.

Related jobs
Jobs that call for the skills explored in this talk.

Job ad Dark

SabIna compys

SabIna compys
Vienna, Austria

Remote
20-100K
Intermediate
JavaScript
.NET
+1

Matching moments

Shifting security testing left in the development lifecycle
01:33 MIN

Shifting security testing left in the development lifecycle

Vue3 practical development

The modern DevSecOps approach to application security
04:29 MIN

The modern DevSecOps approach to application security

Maturity assessment for technicians or how I learned to love OWASP SAMM

Scaling AppSec teams by empowering developers
03:15 MIN

Scaling AppSec teams by empowering developers

Why Security-First Development Helps You Ship Better Software Faster

How to shift left with a security champions program
08:08 MIN

How to shift left with a security champions program

Stranger Danger: Your Java Attack Surface Just Got Bigger

Shifting security left with collaborative threat modeling
03:08 MIN

Shifting security left with collaborative threat modeling

We adopted DevOps and are Cloud-native, Now What?

Balancing developer and stakeholder security priorities
04:25 MIN

Balancing developer and stakeholder security priorities

What The Hack is Web App Sec?

Addressing developer friction in application security
00:45 MIN

Addressing developer friction in application security

Get security done: streamlining application security with Aikido

Why developers make basic cybersecurity mistakes
02:26 MIN

Why developers make basic cybersecurity mistakes

Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes

Featured Partners

Related Videos

See all videos
Why Security-First Development Helps You Ship Better Software Faster22:18

Why Security-First Development Helps You Ship Better Software Faster

Michael Wildpaner

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Secure Code Superstars: Empowering Developers and Surpassing Security Challenges Together23:34

Secure Code Superstars: Empowering Developers and Surpassing Security Challenges Together

Stefania Chaplin

Get security done: streamlining application security with Aikido08:27

Get security done: streamlining application security with Aikido

Mia Neethling

How GitHub secures open source25:28

How GitHub secures open source

Joseph Katsioloudes

Building Security Champions48:02

Building Security Champions

Tanya Janca

Great DevEx and Regulatory Compliance - Possible?23:26

Great DevEx and Regulatory Compliance - Possible?

Martin Reynolds

You can’t hack what you can’t see29:34

You can’t hack what you can’t see

Reto Kaeser

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security
CH
Chris Heilmann
Dev Digest 134 - Where pixels sing?
News and ArticlesWeAreDevelopers LIVE Data and Security Day is on Wednesday, 25/09/2024. Learn about OPC UA Updates, Best Practices for Using GitHub Secrets, Passwordless Web 1.5, Emerging AI Security Risks, Data Privacy in LLMs and get a chance to t...
Dev Digest 134 - Where pixels sing?
Dev Digest 105 - Security First
Last Friday's Dev Digest was mostly about security and game topics, so let's take a look what you didn't get in your inbox. We also covered some brand new online courses to get started as a developer or refresh your knowledge. And we wrapped up CODE1...
Dev Digest 105 - Security First

From learning to earning

Jobs that call for the skills explored in this talk.

CISO

CISO

Secura Knowledge Groups