I am employed as a Principal Security Architect at Adobe at the time of publishing this article. All opinions are my own.
War stories and practical advice from scaling static analysis and software composition analysis across hundreds of products and 10k+ developers in a complex enterprise environment.

This talk discusses feedback loops, nudging vs. enforcement, thoughts on how to fix what truly matters, an adversary model, and how to prioritize risks in the context of software composition analysis (SCA), static application security testing (SAST), and detection of secrets in source code. The talk concludes with a mental model and a meta-feedback loop for tuning a security program.