Fueling innovative software
July 15-18, 2019
Portland, OR

Integrating security into modern software development: A workflow study

Lucas Charles (GitLab)
11:50am–12:30pm Wednesday, July 17, 2019
Secondary topics: Customer Centered
Average rating: 4.00 out of 5 (25 ratings)

Who is this presentation for?

  • Developers wanting to create secure code without the hassle factor

Level

Beginner

Description

Application security testing has been around for a long time, yet successful attacks continue despite significant investment in application security. We shouldn't be surprised: we are applying testing tools designed more than 12 years ago to software development methods that only became commonplace in the last 3–5 years. In addition, application security is the least understood security discipline and often takes a back seat to perimeter and endpoint security. At the same time, there's a misconception that the cloud provider takes care of all the security, and few people have considered the new attack surfaces introduced by containers and orchestration. Tesla's 2018 incident, in which an exposed Kubernetes console led to leaked cloud credentials and cryptomining on the company's infrastructure, showed us the fallacy here.

Traditional application security testing has been aimed at security professionals and is treated as a separate process from development. This separation, and the delay it introduces, creates friction and forces many trade-offs. In an effort to improve application security testing, the new mantra has been "shift left": remove more vulnerabilities earlier and empower the developers to do it.

Lucas Charles examines the shortcomings of most shift-left efforts and how cloud native environments, Agile DevOps processes, and minimum viable products with rapid iteration wreak havoc on traditional security methodologies. He explains how to bring security into DevOps without building a complex DevOps toolchain that must then be integrated with security testing, and explores a different way of thinking about application security: concurrent DevOps, in which product, development, QA, security, and operations teams work on the same change at the same time rather than in sequence. You'll learn the three key requirements your application security process must meet to get you onto the road to an efficient and secure software development lifecycle (SDLC).
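One concrete form of the integrated, automated testing described above, added here as an example and not taken from the talk or from GitLab's own material: a GitLab CI configuration that includes the stock SAST and Dependency Scanning templates so that the scans run in the same pipeline stage as the unit tests on every push and merge request, instead of in a separate security review later. The project layout (a Node.js service), the `node:18` image, the `npm` commands and the job names are assumptions made for the example.

```yaml
# Added example, not the talk's own material. Assumes a Node.js service
# tested with `npm test`; the two template names are GitLab's stock
# security templates, everything else is illustrative.

# Pull in GitLab's scanning templates. Their jobs run in the `test`
# stage by default, i.e. concurrently with unit_tests rather than in a
# later security-only stage that developers only see after the fact.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - build
  - test

build:
  stage: build
  image: node:18
  script:
    - npm ci
  artifacts:
    paths:
      - node_modules/

unit_tests:
  stage: test
  image: node:18
  script:
    - npm test

# Both templates set `allow_failure: true` on their jobs, so a finding
# does not break the pipeline by itself: it is reported on the merge
# request alongside the test results. Gate merging on findings with a
# merge request approval rule based on scan results rather than by
# editing the template jobs, so the templates stay upgradeable.
```

Dependency Scanning is an Ultimate-tier feature, while SAST runs on all GitLab tiers; on a lower tier the Dependency Scanning jobs are simply not created and the rest of the pipeline is unaffected.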

Prerequisite knowledge

  • A basic understanding of how security testing is done at your company and of the tools involved (useful but not required)

What you'll learn

  • Learn why it isn't enough to shift left
  • Understand integrated and automated continuous security testing and three key considerations to get you there

Lucas Charles

GitLab

Lucas Charles is a senior software engineer at GitLab, a single application for the entire DevSecOps lifecycle. He focuses on building security products and empowering users to execute more quickly and securely. With extensive experience in scaling product and streamlining workflows, he cares deeply about keeping development modern and unhindered. Previously, Lucas was a consultant for several Fortune 500 companies, advocating for agile practices and continuous deployment. He enjoys solving problems the boring way and values strong opinions, loosely held. When not coding, he’s probably building tools to build more tools.