Session Details

2019-01-07T06:21:08-05:00

Introduction to inner-loop security. Shifting left, but better.

Presented by: Josh Wallace

We can barely make it through an AppSec talk or article without hearing about the wonders of “shift left” and how it is the key to solving all of our security problems. Every intro-to-AppSec talk starts with the cost savings and return on investment of discovering security defects earlier in the SDLC, and most of us have designed our AppSec programs around these concepts. What would you say if I told you there was a better way, and that we have been shifting left wrong? In this talk, we will introduce the concept of the inner and outer loop as the next evolution of shift left. Join us to explore a new model for shifting left using inner-loop concepts, and learn how to better enable our developers to build products that are secure by design.

Abstract and outline:
In this talk, I will present a new approach to shifting left, one that considers the impact we are having on product teams and on the development and security of our products. The concept originated in a blog post from Microsoft discussing how they use “inner loop” concepts in their development process. The same concept is also used across other areas, from automotive manufacturing to supply chains to project management. We have taken the model and adapted it to application security so that we can determine the impact we have on developers and thoughtfully include processes and capabilities that minimize the impact on the development lifecycle.

Outline:
Introduction
The history of shifting left
  Where shift-left came from
  Why we still use it today
Introduction to the inner loop
  Of tax and waste
  Thought exercises demonstrating how the inner loop works and discussing the impact on developers
A model for the future
Conclusion and questions

Tags: Security, Testing
Level: Intermediate