Simple Steps to Kill DevSec without Giving Up on Security

The 'shift left' movement has largely failed. Learn how to build effective security guardrails that your developers won't ignore.

#1about 5 minutes

The corrosive effect of false positives in security tools

Traditional code scanners overwhelm developers with a high rate of false positives, eroding trust and causing important alerts to be ignored.

#2about 1 minute

Why the original "shift left" security movement failed

The shift left movement often failed because it simply redirected a high-noise firehose of security alerts from security teams to developers without improving signal quality.

#3about 1 minute

How Android and iOS successfully hardened their platforms

The significant increase in the market price for zero-day exploits for Android and iOS demonstrates their success in making software more expensive to hack.

#4about 6 minutes

Adopting a secure guardrails over security gates mindset

Effective security programs use secure guardrails, like providing secure defaults and actionable fixes, to guide developers without blocking their workflow.

#5about 3 minutes

Prioritize securing new code over fixing the backlog

Since vulnerabilities are exponentially more likely to be found in new code, focusing security efforts there provides a greater return than trying to fix the entire existing backlog.

#6about 3 minutes

The ROI of basic security training and securing LLMs

Elevating developers to a basic level of security awareness yields the largest reduction in vulnerabilities, a principle that now extends to securing code generated by LLMs.

#7about 3 minutes