The software development industry has long understood the benefits of ‘shift left testing’, including reduced product development costs, higher confidence in the delivered product and ultimately higher customer satisfaction. However, security testing has long been regarded as a latecomer to this ‘shift left’ methodology. This presentation explores the two primary reasons for this unfortunate state: firstly a process and cultural block, and secondly a problem with the prevailing technology and methodology.
Security professionals have developed the unenviable reputation of testing too late in the development lifecycle, and then delivering reports characterised by high false positive rates and often unactionable findings. The inevitable ‘shift left’ creates a scenario where the security professional is simply excluded from the discussion and development teams find their own ways to do security testing. This presentation offers practical guidance on incorporating security testing into a development process by focussing on prompt, actionable scanning and reporting.
Security tooling providers are similarly challenged by the need to ‘shift left’ and deliver the performance and functionality that software developers expect in their own environments. This presentation will showcase recent advances in security testing tooling and frameworks.