Pipelineless Security
It's 2023 and security still needs to earn some respect if it wants to slide its Sec between Dev and Ops. Security tooling slows down deployment pipelines, typically finds more false positives than real bugs (usually in code written years ago), and often harms development velocity. To their credit, security teams will occasionally make concessions, like pulling long-running rules out of static analysis engines, but that means the bugs those rules would otherwise find get caught months later in bug bounties, penetration tests, or security incidents. Bug reports for code you didn't write lead to alert fatigue. Every tool having its own site to log in to, even with SSO, leads to dashboard fatigue. This talk introduces pipelineless security, a method of executing security activities in the development process that maximizes coverage and reporting timeliness while minimizing over-reporting and friction. We will discuss how to understand the execution requirements of various types of security tools, so that you can tell when "shifting left" is a knee-jerk reaction and when constantly breaking the build breaks people's confidence in you.
Mike Doyle heads up security research at Arnica. He earned a Computer Science degree in 2003, just in time to watch the post-bubble job market for software developers dry up. Handy with a bash prompt, he found work in a variety of system administration jobs, always trying to edge his way back into development. Instead, he angled his career toward security consulting and penetration testing, which is what he always wanted to do anyway, then mastered the arts of code review, threat modeling, and management consulting as a BSIMM assessor. These days he develops enterprise software at Arnica. Doyle believes that hard problems require elegant solutions.