Move fast, be safe
Giving developers feedback about the security vulnerabilities in their code as they write it is a critical (and sometimes ignored) part of a robust software development lifecycle. One study at the Systems Sciences Institute at IBM reported that it costs 6x more to fix a bug found during implementation than to fix one identified during design. Furthermore, according to IBM, the cost of fixing bugs found during the testing phase can be 15x the cost of fixing those found during design. Prioritizing security in the SDLC saves developers money and time down the line, but it can be expensive to implement and can feel like a blocker for developers. This speed talk will cover our process of bootstrapping a Security Scanner as a Service using a GitHub web app, the Octokit library, and open source SAST repos to listen for new GitHub activity. It will also discuss the importance of a shift-left attitude and of empowering modern development teams to find, fix and prevent vulnerabilities related to source code, open source libraries, secret management and cloud configuration.
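As an added illustration of the "listen for new GitHub activity" part of such a service (this is example code, not the talk's or any project's own), the receiver below validates a GitHub webhook delivery with the `X-Hub-Signature-256` HMAC before trusting it, then turns a `push` event into per-commit scan jobs for a SAST runner. The webhook secret, payload and helper names are constructed for the example; posting results back through Octokit is out of scope here.

```python
"""Minimal GitHub webhook receiver for a scan-on-push service (added example, stdlib only)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed secret; a real deployment uses the secret configured on the GitHub App.
WEBHOOK_SECRET = b"example-webhook-secret"


def verify_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Check GitHub's X-Hub-Signature-256 header ('sha256=<hex>') against the raw request body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain '==' would leak match length through timing.
    return hmac.compare_digest(expected, signature_header[len("sha256="):])


def scan_jobs_from_push(payload: Dict) -> List[Dict]:
    """Turn a 'push' event into scan jobs: one per commit that actually touched files."""
    repo = payload["repository"]["full_name"]
    jobs = []
    for commit in payload.get("commits", []):
        files = sorted(set(commit.get("added", []) + commit.get("modified", [])))
        if files:  # skip empty/merge commits so the scanner is not invoked for nothing
            jobs.append({"repo": repo, "sha": commit["id"], "files": files})
    return jobs


def handle_webhook(headers: Dict[str, str], body: bytes) -> Tuple[int, List[Dict]]:
    """Validate the delivery first, then return (HTTP status, scan jobs) for push events."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return 401, []  # unsigned or tampered delivery: never parse, never scan
    if headers.get("X-GitHub-Event") != "push":
        return 204, []  # acknowledged, but nothing to scan for this event type
    return 202, scan_jobs_from_push(json.loads(body))


def sign(secret: bytes, body: bytes) -> str:
    """Build the header value GitHub would send for this body (used only to sign the sample)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


# Constructed sample push delivery; not a real GitHub payload.
SAMPLE_BODY = json.dumps({
    "repository": {"full_name": "example-org/example-repo"},
    "commits": [
        {"id": "a" * 40, "added": ["app/config.py"], "modified": ["README.md"]},
        {"id": "b" * 40, "added": [], "modified": []},
    ],
}).encode()

if __name__ == "__main__":
    hdrs = {"X-GitHub-Event": "push", "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(hdrs, SAMPLE_BODY))
```

Note that the signature is computed over the raw bytes of the body, so the check must run before any JSON parsing or re-serialisation.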