The security industry is still built around a waterfall approach to development and has not kept up with modern methodologies. This talk will look at tools and techniques to shift security testing left so that software can be released early and often without increasing risk to the organisation.
Security is big business. Between security companies trying to sell us security-in-a-box and infosec professionals charging a fortune to tell us “we’re doing it wrong”, is it any wonder that security is still so often deprioritised?
In this talk, we’ll look at what we should be doing to shift security testing left. By removing the fear and blame pushed by much of the security industry, we can start to see what can and should be automated and what really does need a security expert. We’ll also see that writing secure applications does not need to be costly, and that not every application needs the same level of security.
Starting from real penetration test reports, we will examine the tools and techniques we can use to detect those vulnerabilities automatically and early in the development lifecycle, ultimately allowing us to release software quickly and often while still having a good understanding of our application’s risk.
The aim of this talk is to understand why security has not kept pace with modern development practices and to give developers the ability to integrate security into their development pipeline.
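As an added example, not code from the talk or from any tool it mentions, the script below sketches the shape of the automation the last two paragraphs describe: a pipeline gate that scans a source tree for a few finding types that recur in penetration test reports, scores them, and fails the build only when the result exceeds what the application's risk tier tolerates, so that not every application is held to the same bar. The rule patterns, the three tiers, the `# risk-accepted` marker and the sample project are all assumptions constructed for the example; a real pipeline would run a maintained scanner and keep only the tiering and accepted-risk logic.

```python
"""Added example (not from the talk): a minimal pipeline security gate.
Rules, risk tiers, the accepted-risk marker and the sample project are
illustrative assumptions, not an exhaustive or production rule set."""
import os
import re
import shutil
import sys
import tempfile
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# (rule name, pattern, severity): small regex rules so the mechanics stay visible.
RULES = [
    ("hardcoded-secret",
     re.compile(r"""(?i)\b(password|secret|api_key)\s*=\s*['"][^'"]{6,}['"]"""), "high"),
    ("tls-verify-disabled", re.compile(r"\bverify\s*=\s*False\b"), "high"),
    ("weak-hash", re.compile(r"\bhashlib\.(md5|sha1)\s*\("), "medium"),
    ("dynamic-eval", re.compile(r"\beval\s*\("), "medium"),
    ("debug-enabled", re.compile(r"\bDEBUG\s*=\s*True\b"), "low"),
]

# Lowest severity that blocks a build for each (assumed) risk tier: an internal
# tool may ship with a medium finding that an internet-facing service cannot.
BLOCKING_SEVERITY = {"internal": "high", "standard": "medium", "critical": "low"}

# A line carrying this marker records a risk a human reviewer has accepted; it is
# still reported but never blocks. That review is the part needing an expert.
ACCEPTED_MARKER = "# risk-accepted"


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    text: str
    accepted: bool


def scan_file(path):
    """Return one Finding per (matching line, rule) in a single file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            accepted = ACCEPTED_MARKER in line
            for name, pattern, severity in RULES:
                if pattern.search(line):
                    findings.append(Finding(name, severity, path, lineno, line.strip(), accepted))
    return findings


def scan_tree(root, exts=(".py",)):
    """Walk a source tree and scan every file with one of the given extensions."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.endswith(exts):
                findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


def gate(findings, tier):
    """Return (passed, blocking): unaccepted findings at or above the tier's threshold block."""
    threshold = SEVERITY[BLOCKING_SEVERITY[tier]]
    blocking = [f for f in findings if not f.accepted and SEVERITY[f.severity] >= threshold]
    return (not blocking, blocking)


def build_sample_tree():
    """Write a constructed sample project (not real code) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="gate-demo-")
    files = {
        "app/config.py": "DEBUG = True\nAPI_KEY = 'sk_live_0123456789abcdef'\n",
        "app/client.py": "import requests\nr = requests.get(url, verify=False)\n",
        "app/legacy.py": "result = eval(expr)\n",
        "app/util.py": "import hashlib\ntag = hashlib.md5(blob).hexdigest()  # risk-accepted: cache key\n",
        "app/clean.py": "def add(a, b):\n    return a + b\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo():
    """Scan the sample project and evaluate the gate for every tier."""
    root = build_sample_tree()
    try:
        findings = scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"findings": findings, "gate": {t: gate(findings, t) for t in BLOCKING_SEVERITY}}


if __name__ == "__main__":
    tier = sys.argv[1] if len(sys.argv) > 1 else "standard"
    result = run_demo()
    for f in result["findings"]:
        note = " (accepted)" if f.accepted else ""
        print(f"{f.severity:<6} {f.rule:<20} {os.path.basename(f.path)}:{f.line}  {f.text}{note}")
    passed, blocking = result["gate"][tier]
    print(f"tier={tier}: {'PASS' if passed else 'FAIL'} ({len(blocking)} blocking)")
    sys.exit(0 if passed else 1)
```

Run it with `python gate.py internal` (or `standard`, `critical`); the exit status is what a CI job would key on. The sample project fails at every tier because it contains two high findings (a hard-coded key and disabled TLS verification); once those are fixed, the same code base passes as an internal tool but still fails as a standard or critical one because of the `eval`, while the reviewer-accepted `md5` cache key is reported without blocking. That split between what a script can decide and what a person has signed off on is the point of the tiering.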