Phillip Maddux, profile picture
Uploaded byPhillip Maddux
PDF, PPTX1,592 views

Shift Left. Wait, what? No, Shift Right!!!

The document discusses the concept of 'shifting left' in software testing, highlighting the importance of integrating security early in the development process according to the devsecops paradigm. It emphasizes the need to also 'shift right' to effectively respond to threats by providing feedback from production to development. The author encourages the establishment of a feedback loop among development, security, and operations for improved optimization and security practices.

Embed presentation

Download as PDF, PPTX
Shift Left. Wait, what? No, Triangle DevOps 11/7/2018 Photo by Nick Fewings on Unsplash ...Shift Right!!!
About me Phillip Maddux Principle AppSec Researcher & Advisor @Signal Sciences https://signalsciences.com Career Summary WebDev, DBA, SA, IT Auditor (~7 yrs) AppSec in Financials, EY & GS (~9 yrs) On the socials ● Twitter: @foospidy ● Github: http://github.com/foospidy ● LinkedIn: http://linkedin.pxmx.io ● Blog: http://pxmx.io Honeypot Enthusiast ● HoneyPy ● Honeydb.io
For clarification… this is not about voting Photo by Mirah Curzer on Unsplash
We’ve been hearing a lot about shifting left. Photo by Samuel Zeller on Unsplash An approach to software testing and system testing in which testing is performed earlier in the lifecycle (i.e., moved left on the project timeline). It is the first half of the maxim "Test early and often." - Wikipedia The DevSecOps paradigm that we are all preaching is "Shift Security Left" e.g. design and develop your application with security in mind as early as possible and integrate security into CI/CD pipeline. - An AppSec person in an AppSec Slack channel Fun Fact: There is even a cloud security company named “ShiftLeft”.
That is all good Photo by Jonathan Daniels on Unsplash
But we’ve been shifting left for years Photo by Tim Gouw on Unsplash
We need to shift right in a way that enables us to... Photo by Jon Tyson on Unsplash ...respond to threats and prioritize what we do on the left.
Instrument for security... Photo by Patrick Fore on Unsplash We already do this for application performance monitoring One of the best approaches is to provide rapid feedback to developers. In the land of application performance, we found that running APM tools in production was a way to help developers find places to optimize their code. This created a feedback loop from production (the right) to development (the left).[1] Any sensitive / high risk transactions. 1. James Wickett, https://labs.signalsciences.com/devsecops-security-shift-right
Shift right, and start applying a feedback loop to Dev, Sec, and Ops! Photo by Jerry Kiesewetter on Unsplash Thank you Also, check out James Wickett’s blog post for additional thoughts on this topic.

More Related Content

PDF
The left is not wrong, just not right; It's time to shift right!
byPhillip Maddux
 
PDF
CSA Raleigh application security and deception in the cloud
byPhillip Maddux
 
PDF
SecOps Armageddon: A look into the future of security & operations
byPhillip Maddux
 
PDF
Deception in Cyber Security (League of Women in Cyber Security)
byPhillip Maddux
 
PPTX
Failure is inevitable but it isn't permanent
byTom Stiehm
 
PDF
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
PDF
Shifting Security Left - The Innovation of DevSecOps - AgileDC
byTom Stiehm
 
PDF
Sigma Open Tech Week: Bitter Truth About Software Security
byVlad Styran
 
The left is not wrong, just not right; It's time to shift right!
byPhillip Maddux
 
CSA Raleigh application security and deception in the cloud
byPhillip Maddux
 
SecOps Armageddon: A look into the future of security & operations
byPhillip Maddux
 
Deception in Cyber Security (League of Women in Cyber Security)
byPhillip Maddux
 
Failure is inevitable but it isn't permanent
byTom Stiehm
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
byTom Stiehm
 
Sigma Open Tech Week: Bitter Truth About Software Security
byVlad Styran
 

What's hot

PDF
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
PPTX
Amy DeMartine - 7 Habits of Rugged DevOps
bySeniorStoryteller
 
PPTX
The R.O.A.D to DevOps
bySeniorStoryteller
 
PDF
Ops Happen: Improve Security Without Getting in the Way
bySeniorStoryteller
 
PDF
What we learned from three years sciencing the crap out of devops
byNicole Forsgren
 
PDF
Security in agile teams
byMaria Gomez
 
PDF
Collaborative security : Securing open source software
byPriyanka Aash
 
PDF
New Era of Software with modern Application Security (v0.6)
byDinis Cruz
 
PDF
Security at Scale - Lessons from Six Months at Yahoo
byAlex Stamos
 
PDF
Securing 100 products - How hard can it be?
byPriyanka Aash
 
PPTX
The sooner the better but never too late
byVlad Styran
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PDF
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
byQAFest
 
PPTX
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
byVlad Styran
 
PPTX
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
byDevSecCon
 
PPTX
2016 virus bulletin
byAdrian Sanabria
 
PDF
Using security to drive chaos engineering
byDinis Cruz
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 
PPTX
Continuous Acceleration with a Software Supply Chain Approach
bySonatype
 
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
bySeniorStoryteller
 
The R.O.A.D to DevOps
bySeniorStoryteller
 
Ops Happen: Improve Security Without Getting in the Way
bySeniorStoryteller
 
What we learned from three years sciencing the crap out of devops
byNicole Forsgren
 
Security in agile teams
byMaria Gomez
 
Collaborative security : Securing open source software
byPriyanka Aash
 
New Era of Software with modern Application Security (v0.6)
byDinis Cruz
 
Security at Scale - Lessons from Six Months at Yahoo
byAlex Stamos
 
Securing 100 products - How hard can it be?
byPriyanka Aash
 
The sooner the better but never too late
byVlad Styran
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
byQAFest
 
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
byVlad Styran
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
byDevSecCon
 
2016 virus bulletin
byAdrian Sanabria
 
Using security to drive chaos engineering
byDinis Cruz
 
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 
Continuous Acceleration with a Software Supply Chain Approach
bySonatype
 

Similar to Shift Left. Wait, what? No, Shift Right!!!

PDF
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
byNathanDjami
 
PPTX
Shifting left – embedding security into the devops pipeline by Mike d. Kail
byDevSecCon
 
PPTX
Shift left
bypenetration Tester
 
PPTX
Shift left
bypenetration Tester
 
PDF
DevOps Shift Left: Accelerating Quality, Security, and Speed with Mphasis
bybasilmph
 
PDF
Shift-Left Testing and Its Role in Accelerating QA Cycles
byShubham Joshi
 
PDF
Shift-Left Testing - Everything You Need to Know About.pdf
byflufftailshop
 
PDF
Shift-Left Testing - Everything You Need to Know About.pdf
bykalichargn70th171
 
PPTX
Critical Capabilities to Shifting Left the Right Way
bySmartBear
 
PPTX
10x Test Coverage, Less Drama: Shift Left Functional & Performance Testing
bySauce Labs
 
PDF
What is Shift Left Testing.pdf
byTestbytes
 
DOCX
Shift Left Save Resources DevSecOps and the CICD Pipeline
byCloudZenix LLC
 
PDF
Shift Left Testing Why Early QA Saves Time and Costs .pdf
byIntelliSource Technologies
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
PDF
Shift Left Security – Guidance on embedding security for a Digital Transforma...
byYazad Khandhadia
 
PDF
Shift Left Security - The What, Why and How
byDevOps.com
 
PPTX
Shift_Left_Testing presentation pptx for general knowledge
bykeerthanakeerthana85184
 
PPTX
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
byDevSecCon
 
PDF
Deepfence.pdf
byVishwas N
 
PPTX
DevSecOps-Revolutionizing-Secure-Software-Design.pptx
byshivamsourav1406
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
byNathanDjami
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
byDevSecCon
 
Shift left
bypenetration Tester
 
Shift left
bypenetration Tester
 
DevOps Shift Left: Accelerating Quality, Security, and Speed with Mphasis
bybasilmph
 
Shift-Left Testing and Its Role in Accelerating QA Cycles
byShubham Joshi
 
Shift-Left Testing - Everything You Need to Know About.pdf
byflufftailshop
 
Shift-Left Testing - Everything You Need to Know About.pdf
bykalichargn70th171
 
Critical Capabilities to Shifting Left the Right Way
bySmartBear
 
10x Test Coverage, Less Drama: Shift Left Functional & Performance Testing
bySauce Labs
 
What is Shift Left Testing.pdf
byTestbytes
 
Shift Left Save Resources DevSecOps and the CICD Pipeline
byCloudZenix LLC
 
Shift Left Testing Why Early QA Saves Time and Costs .pdf
byIntelliSource Technologies
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
byYazad Khandhadia
 
Shift Left Security - The What, Why and How
byDevOps.com
 
Shift_Left_Testing presentation pptx for general knowledge
bykeerthanakeerthana85184
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
byDevSecCon
 
Deepfence.pdf
byVishwas N
 
DevSecOps-Revolutionizing-Secure-Software-Design.pptx
byshivamsourav1406
 

More from Phillip Maddux

PDF
Application security for the modern web - ISSA South Texas Houston DevOps
byPhillip Maddux
 
PDF
Honeypots, Deception, and Frankenstein
byPhillip Maddux
 
PDF
Honeypots, Deception, and Frankenstein
byPhillip Maddux
 
PDF
HoneyPy & HoneyDB (TriPython)
byPhillip Maddux
 
PDF
HoneyPy & HoneyDB (CarolinaCon 13)
byPhillip Maddux
 
PDF
HoneyPy & HoneyDB (LASCON 2016)
byPhillip Maddux
 
PDF
HoneyPy Honeypot (OWASP Triangle Chapter)
byPhillip Maddux
 
Application security for the modern web - ISSA South Texas Houston DevOps
byPhillip Maddux
 
Honeypots, Deception, and Frankenstein
byPhillip Maddux
 
Honeypots, Deception, and Frankenstein
byPhillip Maddux
 
HoneyPy & HoneyDB (TriPython)
byPhillip Maddux
 
HoneyPy & HoneyDB (CarolinaCon 13)
byPhillip Maddux
 
HoneyPy & HoneyDB (LASCON 2016)
byPhillip Maddux
 
HoneyPy Honeypot (OWASP Triangle Chapter)
byPhillip Maddux
 

Recently uploaded

PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
Website Redesign Vs Website Refresh, What’s Right for You in 2026?
byAnuj Kumar Singh
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Website Redesign Vs Website Refresh, What’s Right for You in 2026?
byAnuj Kumar Singh
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Designing a Blog Using Wordpress
bymarkzubi50
 

Shift Left. Wait, what? No, Shift Right!!!

  • 1.
    Shift Left. Wait,what? No, Triangle DevOps 11/7/2018 Photo by Nick Fewings on Unsplash ...Shift Right!!!
  • 2.
    About me Phillip Maddux PrincipleAppSec Researcher & Advisor @Signal Sciences https://signalsciences.com Career Summary WebDev, DBA, SA, IT Auditor (~7 yrs) AppSec in Financials, EY & GS (~9 yrs) On the socials ● Twitter: @foospidy ● Github: http://github.com/foospidy ● LinkedIn: http://linkedin.pxmx.io ● Blog: http://pxmx.io Honeypot Enthusiast ● HoneyPy ● Honeydb.io
  • 3.
    For clarification… thisis not about voting Photo by Mirah Curzer on Unsplash
  • 4.
    We’ve been hearinga lot about shifting left. Photo by Samuel Zeller on Unsplash An approach to software testing and system testing in which testing is performed earlier in the lifecycle (i.e., moved left on the project timeline). It is the first half of the maxim "Test early and often." - Wikipedia The DevSecOps paradigm that we are all preaching is "Shift Security Left" e.g. design and develop your application with security in mind as early as possible and integrate security into CI/CD pipeline. - An AppSec person in an AppSec Slack channel Fun Fact: There is even a cloud security company named “ShiftLeft”.
  • 5.
    That is allgood Photo by Jonathan Daniels on Unsplash
  • 6.
    But we’ve been shifting leftfor years Photo by Tim Gouw on Unsplash
  • 7.
    We need toshift right in a way that enables us to... Photo by Jon Tyson on Unsplash ...respond to threats and prioritize what we do on the left.
  • 8.
    Instrument for security... Photoby Patrick Fore on Unsplash We already do this for application performance monitoring One of the best approaches is to provide rapid feedback to developers. In the land of application performance, we found that running APM tools in production was a way to help developers find places to optimize their code. This created a feedback loop from production (the right) to development (the left).[1] Any sensitive / high risk transactions. 1. James Wickett, https://labs.signalsciences.com/devsecops-security-shift-right
  • 9.
    Shift right, andstart applying a feedback loop to Dev, Sec, and Ops! Photo by Jerry Kiesewetter on Unsplash Thank you Also, check out James Wickett’s blog post for additional thoughts on this topic.