
I present to you "Don't [bleep] Left: How to Shift Left" and our speaker, Ahmad Sadeddin.

Thank you. It's an honor to be here, and thank you to everyone who came to the talk. This is really humbling and I really appreciate you taking the time to listen to me today. So, thank you for being here. How's everyone doing? Everyone caffeinated? There's coffee, apparently, so I'm sure everyone's caffeinated. Is everyone excited to have some fun and to talk about security? Cool. Let's do it. So, apparently this is being live streamed and I decided to put this on. I will say [bleep] a lot and maybe some other things, and let's see how far we can push this. Apparently there's Slido. Is this the correct theater? Should it be 14 or 15? Okay, it should be 15. I made a mistake. I fumbled. You can QR code this. Anyone who's now scanning this is probably like, is this a secure link or not? It is. It's completely fine. It'll take you to my crypto wallet.

I'm the founder and CEO of Corgea. I'm a three-time founder. I sold my last company to Coupa, where I worked for six years, which is eons in Silicon Valley. For the last three of them I headed up the payments product and I owned all the security, fraud and compliance pieces of that product. I've been very fortunate to have done a lot of work in that space, patented a lot of stuff, and realized a lot of security tooling really struggled in what we were trying to achieve. And so, like any brave entrepreneur making very irrational decisions, I thought we could do better. I love GIFs. This will be full of GIFs. Barbecue: I love smoking meat. Not smoking meat, but smoking meat. And weird music. I'm very known for very weird, eclectic music.

And so I wanted this talk to be... we've had the very fortunate advantage of speaking to hundreds of security professionals like yourself, and we wanted to share what we've learned along the way. And that's where the title came from: a lot of companies attempting to shift left ended up what we call [bleep] left, or [bleep] the bed. And so what does this mean? How can we define what shift left is? It's become more like [bleep] left, which is increased breach risk, massive inefficiencies, and a broken relationship between AppSec and dev. And it's unbelievable how many times I jump on calls where this broken relationship is real, and it was because of prior engagements. I put these four stats; actually, this supports more stats, I just ran out of time to put more stats. But these are the figures, right? 86% of developers admit security isn't the top priority when they come to coding. Actually, this is probably why AppSec even exists as an industry. About a third of devs spend up to half of their time fixing bugs instead of shipping new code, right? 43% of orgs that shifted left saw increased dev workload, and 40% report too many vulnerabilities to fix as a top challenge. I can ask for a show of hands and you probably all will raise your hand, if not the vast majority of you. When everything is high priority, nothing is. And legacy SAST tools can spew 50 to 80% false positives for Java code. NIST found false positive rates up
to 78%. So the stats are scary.

So, quiz time. I wanted a small engagement element here, just to keep the crowd engaged. Is it [bleep] or is it shift? And so I'm gonna throw up a couple of slides and I would love the audience to say if they think it's [bleep] or they think it's shift. Who's with me on this? Okay, let's do it.

Example one: "We're shifting left by implementing a traditional SAST scanner in our pipeline, so now developers can fix vulnerabilities." Is it [bleep] or is it shift? So... Oh yeah. Most people say it's [bleep]. So, for those of you streaming, this was a Reddit post. I bleeped the vendor out of this. It is not us, thankfully. I wonder who it is. So, this is kind of the impression, and this is actually the top-voted comment on that thread. And this is what I think a lot of people feel: adding a scanner in the pipeline in a lot of organizations feels like you're shifting left, but in reality that is not. Shifting left is actually quite a big thing. It's not just about tooling, and this is kind of the whole point of this, but this is a really big thing. And there's actually stats about this. There's a whole bunch of research, but roughly 60% of vulnerabilities go undetected by most commercial tools today. That's why you have DAST and pentesters and bug bounty programs and secure code reviews and all of that kind of stuff: to catch the things that automation isn't catching. Roughly 30% are false positives. The vast majority of you in your mind will tell me, "No, it's probably like 50, 60, 70 or 80 in our organization." I'm giving you what the research is showing. And developers end up wasting their time chasing after vulnerabilities that simply either are ghosts and don't exist, or they don't know how to fix them.

Example number two: "We shifted left by training our developers on the OWASP Top 10, and now they'll know how to write secure code." [Bleep] or shift? Okay. So, most people say [bleep]. And here's why. I don't think there's anything wrong with training your devs. I think there's complexity in what this statement is. We looked at how many ways there are to solve an SQL injection, and there's over 40. And most secure code training will tell you three: prepared statements, parameterize the query, or use an ORM or some native framework that can support this. Right? That's what secure code training tells you. But then when it comes to the practical implementation of it, it really depends on the database, the language, the framework, and how everything's configured, right? And so if you look at the permutations: yeah, I know what I need to do theoretically, but how do I solve it for this case? And by show of hands, who has a single programming language, one programming language, in their organization? Very rare. And so when you look at it, most people are running five or six different programming languages and frameworks. And so the complexity increases quite a bit. And so this is why I feel like secure code training... and we love all the companies that are doing it. We believe this is correct. And we even published an entire rewrite of the CWE database to try and educate developers around this. But still, it's not enough.

Example three. This one I'm starting to push a little controversial. So let's see what people say. [Bleep] or shift?
Okay, show of hands. Shift. Show of hands. Okay, the vast majority think it's shift. And I actually agree with this. It doesn't hurt. I think building great people to focus on security all around the company actually can propel a lot of things, and I think if done right, and when I say a successful security champions program, I would talk to the Catalyst folks, they're awesome at this, it really makes a huge difference. And we see within our customer base, when we have security champions, everything goes better, because you have a lot of people to lean on. The ratio of AppSec people to software engineers at most companies is 1 to 2,000, 1 to 300. I'm at a company that has 1 to 1,000, and so there's no way on God's green earth you can scale AppSec correctly to support all those software engineers. So having a good security champions program I think is actually fundamental, and unfortunately I see it much later in the security maturity journey.

So the real question that we're asking: how can developers ship fast without worrying about security? That's the intent. I think this question is really the intent of the shift left movement. I think we think about it too much from the security lens, but rather let's ask this as a DevX problem, right? And it's all in the developer experience. I unfortunately think the best companies that do this, it's really about developers, developers, developers, developers, right? Does everyone know this meme? Okay, good. I'm not sweating like that, hopefully.

So, what is the best developer experience? Let's frame this question. What is the ultimate DevX in security? Most of the time when I talk to customers and prospects, it really is this last piece. Every single time in this conversation, we get asked: do you support IDE? Do you support CLI? Do you support CI/CD pipelines? What they're really asking for is, do you help support my developers and give them a great dev experience? Right? I think we can all agree to that. When someone's asking me about integration questions, they're really asking me about developer experience. And I think that is the most superficial way of thinking of the DevX problem. It's not just integrations. I encourage everyone, when you think about how you think about automated testing and tooling and shifting left and all of that: it is not integrations. It is one piece of this much larger formula that we've started to put together.

One is very clear processes. Define clear and easy-to-understand processes for everyone to follow. Clarity in this is extremely important. The second thing is high-fidelity findings, or security. What I mean by high fidelity is well-thought-out and explained security risks that account for context. Context is probably the biggest thing that we miss in security today. For SAST this might be writing more rules, with the risk of false positives obviously, and there's a limit; more pentests, all of that kind of stuff. But you want rich findings, right, with low noise. I think we all can agree to the false positive problem. This one I think is very interesting: with assistance and education along the way. Paved roads, proper explanations of the issue, the solution and the triage, fix suggestions, developer training, right? All these things come together. Now, why haven't I deep-dived into any one of these? I think the manifestations are actually quite different for what shift left is, depending on your organization and depending on the initiative. Think of this from design reviews. This will manifest a little differently in the design review process, right? Think of this from threat modeling. This will manifest a little differently. But the components are all there, right? Like if we were to look at the design review process: at what point do I need to take a design review to security? Let's have a clear process. And who do I need to reach out to, and who do I need to talk to? Let's talk about the things that actually matter, not the things that theoretically are noisy, and let's help the developers understand and educate. And I found this was actually the biggest missing piece when I used to take my own designs through security reviews: the security team has a lot to juggle, and there's a lot of education that I had to do as a product manager to actually educate the security team, and this was a cooperation, it was very healthy, on what the risks are in payments. Nothing prepares you in your AppSec journey for how to handle payment fraud; you kind of are learning on the job. So we had to work together towards that. And where is it delivered? Is it Jira tickets? Is it a Confluence page? Is it a design document? All of these manifestations change, right? And if anyone has a question about this, please submit it, or if you agree or disagree or I forgot anything, please let me know. I hope this makes sense.

And that's... No, I'm joking. That's not it. There's actually something more interesting that's happening in the market that I think is scary. Exciting, but scary. And today your developers are starting to vibe code. And there's an arc to all of this: there's research that came out in November that coding agents significantly increase security vulnerabilities, by roughly 30% in most applications. Have you guys seen that meme, like vibe coding is now called vulnerability-as-a-service, right? And on top of that, yeah, this is
said meme. I forgot I put the slide in. And guess what? Everyone will now be coding. I've been talking to different teams about this. Sales, marketing, accounting can now code, right? It's a thing. Think about it now. Building your own services is within arm's reach. And I'm hearing salespeople being like, "Look at this app that I built." And so, how do you shift left? And this actually ties into this interesting services evolution that we're starting to think about. Monoliths were kind of old school, but are kind of becoming cool again, right? We can all agree to that. Microservices are cool, but they're kind of becoming old school. And this last piece is a term that I'm having a hard time distilling. I'm kind of calling them either picoservices or nanoservices or vibe services. This is where you might have a salesperson build an entire app, and what stops them from maybe putting some customer data in there, and they go deploy it on Replit or Vercel or Lovable. Service agreement with your... Yeah, but they could do it on their own, right? They could go sign up, spin up an entire thing that does something for a client. Good intentions, don't get me wrong. They're not being malicious or anything. They're trying to do their job better, and technology has helped us do our jobs better in many ways. And so they're now like, "Oh, I don't need to go to this person to actually do this thing. Let me just go and vibe code this thing and show it to my client." And now it's publicly facing. Now you have shadow app, shadow infrastructure, and shadow data being publicly exposed. Right? And to add to this, I think we will see in two to three years, at least I'm hearing this at some companies where they're starting to explore, can we do agents that code 24 hours a day, 7 days a week? And this came out a couple of weeks ago, or a month now: Anthropic's CEO says that in 3 to 6 months, AI will be writing 90% of the code software developers were in charge of. I will debate this. Three to six months, you can say, okay, is it like the tab-tab-complete kind of stuff, or is it like full vibe? Anyway, I think the writing's on the wall. We're starting to see more and more and more of this. Whether it's 3 to 6 months or 3 to 6 years, I think we're on this trajectory. I think this is a very real trajectory. And what this means is: devs are now vibe coding. Non-devs are now coding and shipping stuff. Shadow code and infrastructure will start to exist. Surface area is increasing. This is a surface area problem. Human code reviews can't keep up. By show of hands, if you work for an organization, are your current code reviewers keeping up with code reviews? Code review is painful, and traditional SAST and DAST are unequipped because a lot of these vulnerabilities can be business logic related. If your humans can't detect these things and aren't even able to keep up, how are you going to do this? Right? And so it feels like the road ahead of us is like this. And I'm not trying to scare everyone. I think there is a future where we can do this, which is how do you shift left in an environment without [bleep] the bed, right? Especially as this
complexity increases. And to be quite frank, I think the answer is you have to be an enabler of this technology change. I do not think anyone can actually push back against this movement. I'm hearing CISOs saying, "Oh yeah, we disabled our access to Cursor and now we're figuring it out," or 77,000 organizations have bought GitHub Copilot in the last two years. It is undeniable that the genie is out of the bottle and everyone in the organization will be vibe coding to some certain extent. And so my recommendation for everyone is you have to think about it. You hire an army of people (by show of hands, who has budget for this?), right, or you introduce processes and a combination of AI. We need to scale, and so computers can now understand context and replace humans in many tasks. We as a company have been able to prove this. We've written a lot of white papers around this. But we are now seeing the ability for computers to augment AppSec teams. And I think you still have to go back to this: clear processes, high-fidelity findings, low noise, with assistance and education along the way, delivered in the places where developers work.

And for some of this, clear processes are processes and programs. If your salesperson wants to ship a publicly facing app that would help the business, let them. Why not? But just give them a very clear process on how to do it safely. You probably all saw the Shopify CEO's update, or that internal memo that got leaked, right? Every function is now going to be affected by this. And so you need to let people be able to leverage technology, but just give them very clear processes. Don't use shadow infrastructure. You want to deploy it? Here's our own instance of v0 and Vercel; go and ship, and have all the controls built on top of that. High-fidelity findings: use AI-powered detection. We do that, but use AI-powered detection to improve outcomes. Humans can't review everything anymore. Let's start using AI in very smart ways to trigger when humans need to be involved. Let's also reduce noise on developers. Let's have AI be the crumple zone. I know I'm saying AI and it feels like, okay, AI is going to solve it. No, I'm saying it's a first line of defense. Let's use it as a first line of defense with this increasing amount of stuff that's happening. Improve assistance: the salesperson might say, "Okay, I don't know why, like why should I give a [bleep] about hardcoded credentials?" And you need to provide really good explanations that might help. And the developer experience needs to be great. Integrations isn't enough. In many of these functions, there's no IDE even being used. And so, how do you make this palatable and explainable? And I think what I'm trying to encourage here is, as we think about what's happening in the market, how do you shift left when your entire organization... you have to shift left with the entire organization. I don't think we're too far away from that.

And so this is me. This is also not a malicious link. This is my LinkedIn profile. If you guys want to connect with me, I'm on LinkedIn. Very noisy there. And then you can reach out to me over email. If you email me, I will put you in our drip campaign. No, I'm joking. I'm joking, no drip campaigns. Well, you can email me anytime. Happy to send the slides, happy to talk. But that's me, and thank you so much. Thank you.
All right. Well, now is the point where we have plenty of time left for questions. Probably even more than 20 minutes going on here. So, again, we do those all via Slido. Just get on any device, go to sli.do; the code to use is BSidesSF2025. This is under the category of theater 15. If you want to submit any questions, there. So, I don't currently see any. But oftentimes when I make this announcement, especially in the overflow theater, people will chime in. If we take one from the audience, what you're going to do is you're going to say it, make it short, I'll repeat it for the stream, and then Ahmad will answer it. All right. What's your favorite Linux command? I'll hand this to you. What is your favorite Linux command, as a good little start?

whoami. So the answer is whoami. Right. Also sudo everything. But in general, do people kind of agree with what's happening, or are you seeing this in your organizations?

Yes, absolutely. Security is supposed to be a facilitator, not a blocker, right? How do we do this? Security, right? You're not going to be a successful security...
I think Tyler is saying here that security has to be an enabler, for folks who can't listen to what he's saying because he doesn't have the mic. Generally, has anyone seen in the wild in their organizations their sales, marketing, finance people start to actually produce applications on their own?

Applications... use AI to build collateral, but in the sales process.

Interesting.

But yeah, like if a salesperson showed up with an app they built, I would host it for them. But if they do that around me, I would see that as, you know, malicious activity.

Right. Right. I was in New York last week and I was at a bank, and the security person at the bank was talking to a salesperson. This usually affects very large organizations, when you have 5,000, 10,000 people. The salesperson at the bank pulled up a vibe-coded app that they were using for their customers. So, we're starting to see some of this in the wild. And I think you may have also seen those vibe coders getting breached recently. So I think the purpose of this talk is, I think we're going to start to live in a world very soon where these start to spin up very rapidly.

Okay. Yesterday I think there was... coding is a... okay, for starters, how do you fix the code later on? How do you update it if you don't know what you're doing? You just keep vibe coding.

Could you repeat the question? Yeah, I'll repeat the question. How do you update vibe-coded code if you don't know how to code?

To be quite frank, the vast majority of these vibe coding solutions, and I've used a lot of them, you just keep prompting and asking and it'll keep updating. It reaches a point, unfortunately, where it starts to struggle and it starts to get very messy. And that's actually where I think the vast majority of vulnerabilities will start to come in. The first prompt or two or three actually gets a lot done. And then you start to reach a point when you're asking at the fifth or sixth or seventh or eighth layer. It starts to get too big of a context for most of these systems, and they start to collapse and they start to get very messy. I actually ran this little test. I was trying to vibe code this app, and at some point I actually abandoned the entire project because the project became unmaintainable by me, because of the amount of files it generated that were just redundant and confusing. And so now I'll maybe ask for a service to get spun up, and then I'll take it and start to code it myself. I'll get the boilerplate stuff out of the way and then go code. And this is the danger, I think, when you start to have people who lose the intellectual control of the code base and it's now introducing things that are scary. Thank you.

I find it really interesting that we're essentially having the same conversation that a lot of artists are having about AI art, the idea that AI art lets everyone be creative and everyone have access to it. And I think it's really interesting: what we've seen in that space has been a lot of, say, folks who wouldn't normally have access to images or artwork, like developers, using AI in order to give themselves the visuals, right, that they would be unable to create. And I find it super interesting that we're essentially having the same conversation about developing, but on the other side. Absolutely. So my question to you is really: do you see these as kind of related problems, the idea that people want to be enabled, I guess, or do you see it as something where we need to show people doing this that actually what they're doing is bad, is a security risk, and perhaps they should be making the choice not to do it?

Yeah. So the question was basically, there's a lot of parallels to this with creative art being generated and all that kind of stuff. We recently saw, I think two or three weeks ago, the new OpenAI capabilities around image generation got really good, right? And I think that same parallel applies here, where people want to be enabled (I'm saying this for the live stream audience): should this be something that we warn people not to do, or do we ultimately enable them? And to be quite frank, it's like a teenager and sex: you kind of have to educate them about it. I don't think you can just prevent them from doing it. It's
too, like, in organizations, they will get too big for you to distribute a message correctly. All it takes is one or two people in the organization to not do it correctly. And I think you just have to figure out a way to enable them to do it safely and accurately, because right now the genie is out of the bottle. I'm seeing all kinds of startups just spin up entire services and tooling to actually do this. I'll even give you an example. We have a site, hub.corgia.com. It's our security hub that actually started as a vibe-coded project. And then I took it over and wrote a lot of code on top of it and improved it and all that kind of stuff. But I was like, I need to ship this thing very fast. So, let me get the boilerplate out of the way. And it is an enabler. People want to be enabled. That's what AI is allowing us to do: it's enabling people to do their jobs better, faster, and quicker. But what it's also allowed us to do is cross-functional jobs we could not do before. Product managers can now do data science. Engineers can now do sales and marketing stuff. Everyone's able to do these cross-functional tasks they couldn't do before, and it's too tempting not to. Who here does not use AI, by show of hands? Okay, one person I can see. Who uses AI for cross-functional work they could not do before, by show of hands? Yeah. I use it for legal review. I use it for marketing and sales. Obviously, for the simple stuff. We have people we hire to do a lot of the other stuff. Sorry, we had another question, I think, in the audience, right? Okay.

I think I understood the problem. The problem seems to be that people vibe code an app, that thing gets unwieldy, and eventually it's just too big: either too big to fail, it's also too big to fix. But how then can we provide developers with what I would call secure Legos, to basically build app security? How?

Yeah. So, how do you help people who are vibe coding? It's not just, by the way, a vulnerability problem, but it's also a data security problem. So, it's not just about the apps ballooning to become too big to manage. It's also the app could be secure, but I might have customer data in there. I might, as a salesperson (I'm picking on salespeople, I'm sorry; I'm also sales in many ways for my company), let's say I want to impress my client and create a really nice, beautiful-looking website with their quote and some of their data in there that they can experience and download. That's... I'm leaking data publicly, right? And so it's a data security and a vulnerability problem. And ultimately I think you have to give them platforms, processes. It goes back to this slide: clear processes. If I want to do something like this, who do I need to go talk to, or how do I do this? You can submit an app for publication. You should scan that app and have a review process, whether simple or AI or automated, and actually talk to them about the things that matter, with the right assistance and education delivered in the best way possible. How this manifests: you could have, you know, you give them access to some simple v0 and Vercel implementation. You say you can submit your app in there and the security team will review it. You can implement an AI SAST and SCA tool to scan these things, and then you can have an approval process that's like a half-hour conversation. Yeah, this looks good. Ship it. I think you need to enable them, but you need to help give them guardrails and give them the platform to go do this. Do we have more time, by the way? Yeah.

Yeah, we have one way in the back. So, as they get better at writing more code, do you think that they will also get better at security, to a point where they have this separate...

There is some truth to that. I don't know how good they will get. I've thought about this quite a bit and I don't have a good answer. One part of me says, look, if we take large monoliths and things that get large, and cross-service type of communication, will they have all of that context to be able to understand, oh, I'm actually deserializing something upstream and actually sanitizing it, and it's also talking to other trusted services and all that kind of stuff? I think, to be quite honest, we're asking a lot of these LLMs. They have to code high-quality, feature-rich, bug-free, performant, secure code, right? And what they're building is only as good as the prompt and the chain of where they're going, whether agentically or how you're doing it yourself. I don't know, to be quite frank. I think it will be a priority for the model providers to get better at this, but I don't think it's there yet. I think it will take some time before we see this come to fruition. So I don't know, to be quite frank. There's still going to be humans also coding. So I don't know how all of this is going to pan out. I hope that's an honest answer. Just
as a reminder, especially if you're watching on the live stream, we're on sli.do, code BSidesSF2025, theater 15. No question is too small, too silly, especially if you're here in the audience, too. We still have a good 10 minutes if you want to use it.

I actually... Oh, go. Music listening to... Oh, man. Beat the question. So, by the way, I left a lot of time for questions because I previously had done another presentation and it overflowed by way too much because of Q&A. So, and I also like the conversation. I don't know, man. It's like... No, no, I'll answer. I'll answer. I'll give you an example. Who here knows of Sigur Rós, for example? They're now big time. I used to listen to them when they were a tiny Icelandic band, and they're now big time. I can pull up my music if you really want, but it's really random mixes of modern Arabic plus house music plus really niche indie bands, if anyone's curious. If I might, if anyone's curious, here's my Spotify list. So, I was playing deadmau5 last, and here's my list. So, it's a little bit of everything. Yeah. I mean, it's a little bit of everything. You've got indie, Arabic, pop. Tracy Chapman. Yeah. Yeah. I don't have an Italian in here. Yeah. Japanese. Oh, yeah. You do have Italian. This one's actually pre-Daft Punk. This is what inspired Daft Punk's music style, if anyone's interested in this. But yeah, really random.

Looks like we do have one question. Yeah. So you talked quite a bit about the problem with people using shadow platforms that aren't under your organization's control. Correct. How, I mean, in your experience, how do you approach trying to identify where the shadow platform...

Question, yeah. So how do you identify shadow infrastructure and shadow platforms or shadow code? People will rave about it on Slack. Look for those domains on Slack. You will often find someone, "Oh, look what I did," and they'll publish it, right, because you'll get a public domain from Vercel or from Replit or the likes. And by the way, I know a lot of those teams; they're doing wonderful jobs, and I hope no one gets me wrong on saying this. I think they are enabling people to do things, but let's enable them to do them securely. So if you do a quick search across your Slack messages or emails, you might find those domains very quickly. Or you can use your endpoint... if you're using like a Zscaler kind of thing, like a VPN, you can also look at the traffic logs. Those are a couple of ways. I think the best way is when you see on Slack someone's published something and they're like, there's a public link for it. That's a quick way to discover it. Does anyone else have any ideas on how to discover these shadow things, or is that kind of a comprehensive way of doing it?

I should say I work for a company that does this. But we find traffic looking at eBPF, looking at... Okay.

So that worked very well for our customers. Can you repeat what the answer was? What did she say? eBPF. So they do this as a service, and it works very well for customers with the eBPF integration, right? Everyone knows what eBPF is, right? And I shouldn't explain it. Anyone want me to explain? Okay. That's great. Cool. Anyone else? If no more questions, we can hand them in early and give everyone some time back. Yeah. Thanks, guys.