
Tuesday Apr 08, 2025
OX Security’s Eyal Paz on Vulnerability Triage That Actually Works in Production
Implementing effective DevSecOps requires balancing security controls with developer experience, a challenge Eyal Paz, VP of Research at OX Security, tackles with practical strategies drawn from his network security background. In this episode of Ahead of the Breach, Eyal explains to Casey how organizations can gradually build shift-left security programs without disrupting development workflows, using a phased approach modeled on the transition from intrusion detection (IDS) to intrusion prevention (IPS): observe and tune first, block later.
Eyal explores multiple implementation methods from pipeline scans to pre-commit hooks, explains why "making developers angry" is the greatest security risk to shift-left adoption, and shares research from his Black Hat presentation on the exploitation likelihood of transitive dependencies. Drawing from the Log4j crisis, Eyal also emphasizes the critical importance of maintaining a comprehensive software bill of materials (SBOM) and strategically prioritizing vulnerabilities based on actual exploitation risk rather than raw CVE counts.
Topics discussed:
- Gradual shift-left security implementation that mirrors IDS-to-IPS transition, starting with detection mode for 1-2 weeks, collecting pipeline data on hundreds of scans, then engaging development managers with concrete findings before enabling blocking mode.
- Leveraging recent security incidents as strategic entry points for DevSecOps adoption, targeting tools that address specific vulnerabilities developers recognize as harmful like XSS or exposed S3 buckets to maximize buy-in and patience with implementation challenges.
- Optimizing developer experience as a critical success factor in security programs by choosing implementation points with minimal workflow disruption, focusing on pipeline scans over pre-commit hooks and cautioning against IDE-level scanning that creates excessive friction.
- Multi-layered scanning strategy framework addressing static application security testing (SAST), software composition analysis (SCA), infrastructure-as-code, and container scanning, with guidance on prioritizing integration based on organizational maturity and security history.
- Strategic vulnerability triage approach based on Black Hat research showing that while 70% of vulnerabilities come from transitive dependencies, the likelihood of exploitation decreases dramatically deeper in the dependency tree.
- Software bill of materials (SBOM) as critical infrastructure for rapid vulnerability response, drawing lessons from Log4j when organizations without dependency visibility wasted remediation time locating affected systems during active exploitation.
- Build vs. buy considerations for security tooling that balance the simplicity of open-source implementation against the hidden costs of building comprehensive workflows and integrations at enterprise scale.
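The three ideas above that are most concrete (the detect-then-block rollout, triage that discounts findings by depth in the dependency tree, and using an SBOM to locate an affected component quickly) can be sketched in a few dozen lines. The following is an added example written for these show notes; it is not code from the episode, from OX Security or from Eyal Paz. The SBOM fragment, component names and versions, scanner findings and severities are all constructed for illustration, and the 1/depth scoring and the 7.0 blocking threshold are assumptions of this sketch, not figures from the Black Hat research.

```python
"""Toy SBOM-driven triage and pipeline gate (added example, constructed data).

Shows three things the episode discusses:
  1. a 'detect' mode that never fails the build versus a 'block' mode that does,
  2. prioritising findings by how deep the vulnerable component sits in the
     dependency tree (direct dependency = depth 1), and
  3. answering "do we ship component X, which version, and how deep?" from an SBOM.
"""
from collections import deque

# Constructed CycloneDX-style SBOM fragment. Refs, names and versions are invented;
# "log4j-core" is only here to mirror the Log4j example from the episode.
SBOM = {
    "metadata": {"component": {"bom-ref": "app"}},
    "components": [
        {"bom-ref": "spring-web", "name": "spring-web", "version": "5.3.0"},
        {"bom-ref": "log4j-core", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "jackson", "name": "jackson-databind", "version": "2.12.0"},
        {"bom-ref": "snakeyaml", "name": "snakeyaml", "version": "1.26"},
        {"bom-ref": "commons-io", "name": "commons-io", "version": "2.6"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["spring-web", "log4j-core"]},
        {"ref": "spring-web", "dependsOn": ["jackson"]},
        {"ref": "jackson", "dependsOn": ["snakeyaml"]},
        {"ref": "snakeyaml", "dependsOn": ["commons-io"]},
    ],
}

# Constructed scanner output: which component a finding is on and its severity.
# No CVE identifiers are used; the severities are invented to drive the example.
FINDINGS = [
    {"ref": "log4j-core", "severity": "CRITICAL"},
    {"ref": "snakeyaml", "severity": "CRITICAL"},
    {"ref": "commons-io", "severity": "HIGH"},
    {"ref": "jackson", "severity": "MEDIUM"},
]

SEVERITY_SCORE = {"CRITICAL": 10.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 1.0}


def dependency_depths(sbom):
    """Breadth-first walk from the application's own bom-ref.

    Returns {bom-ref: depth}; the app is depth 0, direct dependencies depth 1,
    and a component is credited with its shortest path (the most exposed one).
    """
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depths:
                depths[child] = depths[node] + 1
                queue.append(child)
    return depths


def find_component(sbom, name):
    """The Log4j question: every version of `name` in the SBOM and how deep it sits."""
    depths = dependency_depths(sbom)
    return [(c["version"], depths.get(c["bom-ref"]))
            for c in sbom["components"] if c["name"] == name]


def triage(sbom, findings):
    """Rank findings by severity discounted by depth.

    The 1/depth discount is this example's assumption standing in for the
    observation that exploitation likelihood falls off deeper in the tree.
    Findings on components not reachable from the app are left out of the ranking.
    """
    depths = dependency_depths(sbom)
    ranked = []
    for f in findings:
        depth = depths.get(f["ref"])
        if depth is None:
            continue
        score = SEVERITY_SCORE[f["severity"]] / depth  # depth is >= 1 for any dependency
        ranked.append({**f, "depth": depth, "score": round(score, 2)})
    ranked.sort(key=lambda r: (-r["score"], r["depth"]))
    return ranked


def gate(ranked, mode, block_threshold=7.0):
    """Pipeline exit code. 'detect' (IDS-like) reports but always returns 0;
    'block' (IPS-like) returns 1 when any finding scores at or above the threshold."""
    if mode not in ("detect", "block"):
        raise ValueError(f"unknown mode {mode!r}")
    blocking = [r for r in ranked if r["score"] >= block_threshold]
    return 1 if mode == "block" and blocking else 0


if __name__ == "__main__":
    ranked = triage(SBOM, FINDINGS)
    for r in ranked:
        print(f"{r['score']:5.2f}  depth={r['depth']}  {r['severity']:8}  {r['ref']}")
    print("log4j-core present as:", find_component(SBOM, "log4j-core"))
    print("detect mode exit code:", gate(ranked, "detect"))
    print("block mode exit code: ", gate(ranked, "block"))
```

In this data a CRITICAL finding on a direct dependency scores 10.0 and a CRITICAL finding three hops down scores 3.33, so the second sorts below a MEDIUM finding that happens to be shallower; that inversion is the point of the depth discount, and the threshold is where a team decides, after the detect-mode weeks, which of those it will actually let break a build.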