Security is hard, especially for people who are not in this specific field. Hundreds of vulnerabilities are disclosed each week, and even security folks struggle to keep up with that pace. How can developers keep up with it while also working under business constraints and deadlines?
In this talk, we will walk through our journey: how we developed an offensive tool and later pivoted it to make it "developer friendly", along with all the challenges that came with that.
We will present "ChopChop", a tool we open-sourced in June 2020 at Michelin that aims at solving problems around vulnerability regression and what we call "Lean Security". We will also present the challenges we faced around adoption and around providing context for security issues, as well as how to automate some fixes by reporting not only vulnerabilities but also remediations and fixes. This is what we can call a real "Shift-left" approach.