Agile + DevOps East 2023 Concurrent Session : Pipelineless Security


Thursday, November 9, 2023 - 11:45am to 12:45pm

Pipelineless Security

It's 2023 and security teams still need to earn some respect if they want to slide their Sec between Dev and Ops. Their tooling slows down deployment pipelines, typically finding more false positives than real bugs, usually in code written years ago, and often harming development velocity. To their credit, security teams will occasionally make concessions, like pulling long-running rules out of static analysis engines, but that means the bugs those rules would otherwise find get caught months later in bug bounties, penetration tests, or security incidents. Bug reports for code you didn't write lead to alert fatigue. Every tool having its own site to log in to, even with SSO, leads to dashboard fatigue. This talk introduces pipelineless security, a method of executing security activities in the development process that maximizes coverage and reporting timeliness while minimizing over-reporting and friction. We will discuss how to understand the execution requirements of various types of security tools, so you can tell when "shifting left" is a knee-jerk reaction, and when constantly breaking the build breaks people's confidence in you.

Eran Medan
Arnica

Eran Medan serves as the Chief Technology Officer at arnica.io, a real-time application security startup. Previously, he was a Senior Software Development Manager at Amazon Web Services, where he led the team behind the AWS Jam service. Eran holds a Master of Science in Computer Science from the Georgia Institute of Technology and lives in Alpharetta, GA.