Presentation Material
AI Generated Summary
The panel discussion centered on improving collaboration between security and development teams to make security practices more accessible and effective for developers. A core theme was integrating security early in the software development life cycle (SDLC), particularly during design and implementation phases, to avoid late-stage friction. Techniques highlighted included conducting rapid, lightweight risk assessments and design reviews before coding begins, and embedding security scanning tools directly into developer workflows like pull requests and CI/CD pipelines.
Key characteristics of effective security tools were emphasized: seamless integration into the environments developers already use (IDEs, version control, pull requests), a low false-positive rate so that developers keep trusting the findings, and two views of the same data: actionable, low-noise alerts for the developer who has to fix the issue, and comprehensive dashboards for the security team that has to track it. GitHub Advanced Security's code scanning and secret scanning were cited as examples that reduce the burden by running checks automatically on every change without disrupting development.
For open source, the duality of opportunity and risk was acknowledged. While open source accelerates development, widely depended-on projects are often maintained by under-resourced volunteers, and an unpatched or abandoned dependency becomes supply chain risk for every downstream consumer. Panelists advocated for corporate investment in open source projects through dedicated developer time, financial sponsorship, and security audits. They stressed that vulnerability reports should go to maintainers privately and include enough detail to reproduce the issue, and that teams should lean on secure-by-default frameworks so that developers do not need to know every pitfall to avoid it.
Education strategies focused on practical, approachable methods: mandatory security awareness training, cultivating “security champions” within teams, and informal knowledge sharing. Learning was reinforced through tooling feedback loops, where fixing scan findings educates developers on secure patterns. The overarching takeaway was that security must be collaborative, embedded, and supportive—prioritizing clear communication, developer agency, and community support over punitive or siloed enforcement.