
Wednesday May 31, 2023
EP 33 — Democratizing Security and Implementing Change with Twilio’s Ariel Shin
In this episode of the Future of Application Security, Harshil speaks with Ariel Shin, Senior Product Security Engineer at Twilio, a company that provides businesses the tools to connect with customers through automated messaging. Ariel shares the story of how she implemented a democratized, centralized vulnerability management program at Twilio: conducting interviews to gauge the current state of vulnerability management, designing a new process that got everyone on the same page, getting buy-in by going on a roadshow across the company, and managing the program after rollout.
Topics discussed:
- Ariel's journey through Twilio's acquisition of Segment, going from a culture of a few hundred developers to a few thousand building many different projects.
- How Ariel designed and implemented a democratized, centralized vulnerability management process by getting buy-in from security, engineering, and leadership, and socializing the process.
- The importance of a centralized vulnerability management process to reduce confusion and easily see all vulnerabilities in one place, and how to make risk everyone's responsibility.
- How, in order to uncover problems to address, Ariel interviewed security team members, developers, engineers, and other stakeholders, and created a flowchart of the current state of vulnerability management.
- The necessity of approaching security holistically, and not thinking about security just in terms of the industries or silos created in an organization.
- Identifying the pain points of an organization's security approach, and how to use those pain points to articulate the change needed for an organization.
- How Ariel rolled out the new vulnerability management program through a roadshow across the organization, articulating what the changes were and how they improved security to increase buy-in.
- How Ariel and the security team created three dashboards so stakeholders could better understand their security posture: one for ticket triage, one for engineers to understand the tickets, and the third for leadership.