Shift Security Left. No, More Left Than That

Presented by

David DeSanto - Senior Director, Product Management - Security at GitLab

About this talk

The “shift left” approach is not a new concept within software testing and DevOps best practices and it is commonly thought of when discussing DevSecOps. This usually includes security testing earlier in the software development lifecycle with the goal of identifying security vulnerabilities and weaknesses prior to shipping code to operations. However, “shift security left” is commonly interpreted to be “get developers to run security tools”. This approach is fraught with issues as it requires developers to context switch out of their workflow, learn and use new tools, understand the output of these new tools, and file bugs to be remediated (in yet another tool). The “shift left” approach requires a harder shift left, bringing security testing as close as possible to the developer while not expecting them to learn new tools. Furthermore, security results need to be contextual and provide actionable next steps so they can be resolved as quickly as possible. Finally, security scans need to finish in minutes, not in hours or days. A harder shift left empowers you and your organization as it applies repeatable, defensible processes that automate security and compliance policies from the first line of code written. In this session, we will discuss: • Common pitfalls when implementing traditional “shift left” security • How to best apply different security scanning techniques available • Embedding security scanning into the developer workflow • Automating secure development best practices

Related topics:

More from this channel

Upcoming talks (5)
On-demand talks (47)
Subscribers (4242)
GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate and build software. From idea to production, GitLab helps teams improve cycle time from weeks to minutes, reduce development costs and time to market while increasing developer productivity.