Agile + DevOps East 2023 Concurrent Session : Pipelineless Security

Conference archive


Thursday, November 9, 2023 - 11:45am to 12:45pm

Pipelineless Security

It's 2023 and security still needs to earn some respect if they want to slide their Sec between Dev and Ops. Their tooling slows down deployment pipelines, typically finding more false positives than real bugs, usually in code written years ago, and often harming development velocity. To their credit, security teams will occasionally make concessions, like pulling long-running rules out of static analysis engines, but that means that the bugs those tools would otherwise find get caught months later in bug bounties, penetration tests, or security incidents. Bug reports for code you didn't write lead to alert fatigue. Every tool having its own site to log in to, even with SSO, leads to dashboard fatigue. This talk introduces pipelineless security, a method of executing security activities in the development process that maximizes coverage and reporting timeliness, while minimizing over-reporting and friction. We will discuss how to understand the execution requirements of various types of security tools to understand when "shifting left" is a knee jerk reaction, and when constantly breaking the build, breaks people's confidence in you.

Eran Medan

Eran Medan serves as the Chief Technology Officer at, a real-time application security startup. Previously, he was a Senior Software Development Manager at Amazon Web Services, where he led the team behind the AWS Jam service. Eran holds a Master of Science in Computer Science from the Georgia Institute of Technology and lives in Alpharetta, GA.