
Sign up to save your podcasts
Or
Implementing effective DevSecOps requires balancing security controls with developer experience — a challenge Eyal Paz, VP of Research at OX Security, tackles with practical strategies drawn from his network security background. In this episode of Ahead of the Breach, Eyal explains to Casey how organizations can gradually build shift-left security programs without disrupting development workflows, using a strategic phased approach similar to transitioning from IDS to IPS systems.
Eyal explores multiple implementation methods from pipeline scans to pre-commit hooks, explains why "making developers angry" is the greatest security risk to shift-left adoption, and shares research from his Black Hat presentation on the exploitation likelihood of transitive dependencies. Drawing from the Log4j crisis, Eyal also emphasizes the critical importance of maintaining a comprehensive software bill of materials (SBOM) and strategically prioritizing vulnerabilities based on actual exploitation risk rather than raw CVE counts.
Topics discussed:
Implementing effective DevSecOps requires balancing security controls with developer experience — a challenge Eyal Paz, VP of Research at OX Security, tackles with practical strategies drawn from his network security background. In this episode of Ahead of the Breach, Eyal explains to Casey how organizations can gradually build shift-left security programs without disrupting development workflows, using a strategic phased approach similar to transitioning from IDS to IPS systems.
Eyal explores multiple implementation methods from pipeline scans to pre-commit hooks, explains why "making developers angry" is the greatest security risk to shift-left adoption, and shares research from his Black Hat presentation on the exploitation likelihood of transitive dependencies. Drawing from the Log4j crisis, Eyal also emphasizes the critical importance of maintaining a comprehensive software bill of materials (SBOM) and strategically prioritizing vulnerabilities based on actual exploitation risk rather than raw CVE counts.
Topics discussed: