When JFrog reached out and invited me to speak at their DevSecOps Virtual Summit, I immediately said yes – and I’m glad I did.
On November 19, 2024, I joined an expert panel to tackle a hard question every modern engineering team is asking:
How do we secure our code — without killing developer productivity?
It was a packed, fast-paced discussion filled with sharp insights, practical frameworks, and real-world stories. And now that the summit’s wrapped, I wanted to share some of the key takeaways – especially the ones we didn’t have time to fully unpack live.
🎯 The Problem: Security Tasks Are Draining Developer Time
The IDC report we discussed at the summit revealed a number that still sticks with me:
💸 $228,000 per developer per year – that’s the cost of the time organizations are losing to security-related tasks.
We’re not talking about “nice to have” features here. Developers are stuck running scans, dealing with false positives, patching open source packages, and context-switching between tools. The result? Burnout. Delays. And security still suffers.
💥 My Perspective: Security Should Be Invisible Until It Matters
As I shared on the panel: developers are not the problem – bad processes are.
The ideal state isn’t endless alerts or blocking builds. It’s creating systems where:
- Developers can write code without constant interruptions.
- Security issues are caught early and quietly – inside their tools.
- Automation handles 80% of the noise.
- Context matters. A flagged vulnerability that doesn’t affect your deployment shouldn’t become a fire drill.
We need smart tools, not more tools.
🤖 Automation Isn’t Optional — But It’s Not Enough
There was a lot of talk about automation at the summit, and for good reason. Done well, it’s a game-changer. But here’s the catch:
You still need human judgment — especially when it counts.
Like I said during the session: AI can be the co-pilot, but humans are still the pilots. We can’t afford to blindly trust scanners that don’t understand our business logic or threat model.
That’s where context-aware automation comes in – tools that don’t just detect vulnerabilities, but know whether they matter in your environment.
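To make the “context matters” point from the list above concrete, here is an added example (my own illustration, not anything from the panel or a JFrog product) of the kind of triage step such automation performs: it takes raw scanner findings, drops the ones for packages that are not actually in the deployed artifact, and down-weights the rest by exposure and fix availability. The package names, advisory ids and the weighting factors are constructed placeholders, not real data or an established scoring scheme.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    """One raw scanner result, as a scanner would emit it."""
    package: str
    version: str
    advisory: str            # placeholder advisory id, not a real CVE
    severity: float          # scanner's base score on a 0-10 scale
    fix_version: Optional[str]


@dataclass
class DeploymentContext:
    """What actually ships: packages in the deployed artifact and its exposure."""
    deployed: Dict[str, str]  # package -> version present in the deployed artifact
    internet_exposed: bool


def triage(findings: List[Finding], ctx: DeploymentContext) -> List[Tuple[float, Finding]]:
    """Return (contextual_score, finding) pairs, highest first.

    Findings for packages or versions absent from the deployed artifact are
    dropped entirely: they may sit in a lockfile or a dev tree, but they cannot
    affect this deployment, so they should not become a fire drill.
    """
    ranked: List[Tuple[float, Finding]] = []
    for f in findings:
        if ctx.deployed.get(f.package) != f.version:
            continue  # not shipped, or a different version is shipped
        score = f.severity
        if not ctx.internet_exposed:
            score *= 0.5      # assumed weighting: internal-only service
        if f.fix_version is None:
            score *= 0.8      # assumed weighting: nothing to patch yet, track instead
        ranked.append((round(score, 1), f))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


# Constructed sample input: three raw findings, one of them for a dev-only tool.
SAMPLE_FINDINGS = [
    Finding("libxyz", "1.2.0", "ADV-PLACEHOLDER-1", 9.8, "1.2.1"),
    Finding("devtool", "4.0.0", "ADV-PLACEHOLDER-2", 9.0, "4.0.1"),  # not deployed
    Finding("libabc", "2.3.1", "ADV-PLACEHOLDER-3", 7.5, None),     # no fix yet
]
SAMPLE_CONTEXT = DeploymentContext({"libxyz": "1.2.0", "libabc": "2.3.1"}, internet_exposed=True)

if __name__ == "__main__":
    for score, f in triage(SAMPLE_FINDINGS, SAMPLE_CONTEXT):
        print(f"{score:4.1f}  {f.package}=={f.version}  {f.advisory}  fix={f.fix_version}")
```

Three scanner alerts become two ranked items, and the dev-only package never reaches the developer.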
🧰 Tooling: Good UX or GTFO
One of my favorite exchanges was about IDE plugins and developer experience.
Here’s the reality: Developers will uninstall any tool that slows them down. And they should.
Security tooling must be:
- Fast
- Relevant
- Accurate
- Invisible until needed
As we said during the panel: “Security should feel like an enhancement, not a punishment.”
🔄 Context Switching Kills Flow — And Security
Every time a developer jumps from their editor to a Jira ticket to a Slack alert to a security dashboard… something gets dropped.
We talked about how to embed security into the developer flow – not bolt it on. That means:
- Bringing vulnerability info into PRs and commits
- Prioritizing issues with remediation steps
- Making security collaborative, not combative
🛡️ Ownership and Culture: Shift Left and Share Responsibility
Security isn’t just the CISO’s job. It’s everyone’s job – but especially the people who wrote the code.
We explored models where developers are empowered to own their security posture – backed by supportive security teams, not policing ones.
“You build it, you run it, you own it.”
— Moran Ashkenazi, JFrog CSO
Couldn’t agree more.
🔍 Final Thought: Visibility Is Everything
You can’t secure what you can’t see. Whether it’s open-source packages, container layers, or API dependencies – visibility is the first step.
Centralizing artifact management, enforcing curated package policies, and having a single source of truth saves time and reduces risk.
If your team is still downloading random packages from public repos without scanning them… we need to talk.
🙌 Thanks to the Panel — And Everyone Who Tuned In
It was an honor to join:
- Moran Ashkenazi, Chief Security Officer, JFrog
- Batel Zohar, Developer Advocate, JFrog
- Jess Steinbach, our moderator from ActualTech Media
To everyone who asked questions, shared thoughts, or stayed for the full 90 minutes — thank you. Let’s keep the conversation going.
🎥 Want to watch the full session?
Replay the summit recording: