Future of Application Security

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Colleen Dai, Senior Security Researcher at Semgrep, an open source static analysis tool. They discuss strategies security teams can take to reduce false positives, use secure defaults to eliminate bug classes, and reduce complexity in security decision-making. They also talk about ways to build the relationships between security, developers, and engineers, which includes aligning on goals, communication, and recognition.
Topics discussed:
Colleen's background and what her security research role at Semgrep entails.
How to use secure defaults to eliminate bug classes and reduce the complexity in security decisions.
How to reduce false positives by writing rules and checks, especially ones that are customized to your organization.
How to better align the goals of security and developers by focusing on creating good software — and good software is secure software.
How to build relationships with engineers through communication and recognition, not just talking through Jira tickets.
Why security and developers still struggle with cross-site scripting and how it can be fixed.

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Johnathan Kuskos, Founder of Chaotic Good Information Security, a boutique professional services company. They discuss what it's like to be a pen tester, some of the unusual things found during testing, and how the 15 Minutes Rule helps you not waste time during your testing. They also talk about the tradeoffs of security when it comes to “good, fast, or cheap,” simple ways to determine priorities, and how to strengthen relationships between security and developers.
Topics discussed:
How security and developers can close divides through better communication and more forward thinking.
Why security can't necessarily have an approach that's good, fast, and cheap, but how they make compromises to have a bit of all three.
How to determine your security priorities, and how to perform a smoke test to see where security overlaps with other departments to identify those priorities.
Some of the stranger things found during pen testing, including a git folder on a website. 
Why vulnerability and exploitability are two different things, and how to assess both.
How the 15 Minutes Rules can help you assess as much functionality as possible, and why it sometimes exposes more gaps in playbooks and incident response than intended.

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Jim Manico, Founder and CEO of Manicode Security, a secure coding education firm. They discuss the various challenges around certain items on the OWASP Top Ten list, including server side request forgery and access control, and how security and developers can partner for better logging and alerting. They also talk about the courses Jim offers and why the biggest one in demand today is AI and security.
Topics discussed:
What are the biggest changes in the OWASP Top Ten, and the challenges that accompany two of the list’s issues: server side request forgery and access control.
What issue is Jim surprised to see on the OWASP Top Ten.
How developers and security can work more closely together to create a better approach to logging and alerting.
Why the best approach to DevOps is to have it as a service and a liaison team, not as a merger of individuals from across the organization.
Why training on AI and security is increasing in demand today.
How security professionals and developers are like professional wrestling superstars.
 

In this episode of the Future of Application Security, Harshil speaks with Madjid Nakhjiri, Head of Product Security and Lead Security Architect at TuSimple, a global autonomous driving technology company. They discuss the current landscape of automotive security today, why the industry is expanding its safety initiatives to cyber security initiatives, and the standards rising up to ensure that security. They also discuss the challenges to threat analysis and remote testing for vehicles, and what role VSOCs and AI will play in the future of automotive security.
Topics discussed:
An overview of the current landscape of automotive security, and how the automotive industry, which already has a long history of safety initiatives, it's now turning its attention to cyber security.
The standards that are being put in place for automotive companies around the world, and how companies are trying to meet those standards.
Why the automotive industry needs experienced product security practitioners in order to perform effective architecture analysis.
The challenges to performing threat detection and remote pen testing on vehicles, and why threat analysis needs to be as automated and virtualized as possible.
What the future of automotive security looks like, why we'll see a rise in VSOCs, and what role AI will play.

In this episode of the Future of Application Security, Harshil speaks with David Kosorok, Director of AppSec at Toast, a restaurant point of sale and management system. They discuss how to build an application security program from the ground up by prioritizing initiatives, establishing security champions, and bringing in great people — and why gathering and analyzing good data is the foundation to it all. They also discuss how to identify and fix struggles your team may have, why collaborating with product managers is key, and ways in which to positively impact security culture.
 
Topics discussed:
 
How to build an appsec program from the ground up by establishing and prioritizing initiatives, leveraging security champions and ambassadors, identifying resources, and bringing in great people.
The importance of collecting and analyzing data in order to gain clarity and understanding on the current state of security and where to take action.
Why working with product managers is key to building better security programs, and how to build trust and collaboration with others across the organization.
How to identify struggles the team is having in implementing security standards, and how to improve processes through education and vision.
How to impact security culture by increasing transparency through regular open meetings, storytelling, and inspiration.
How David has mentored individuals who went on to join the security community.
The importance of sharing learnings to the security community to increase overall education and awareness.

In this episode of the Future of Application Security, Harshil speaks with Tim Kelly, Director, Security Engineering at Workrise, a technology company with a platform that supports the energy workforce. They discuss the importance of collecting, storing, and analyzing data in order to enhance application security efforts, and how to go about building a data program that does that. They also discuss the ways in which you can use data to inform your security efforts, how to use data to help you inventory and prioritize vulnerability management, how to get to a 100% success rate with data-backed solutions, and what the future of data-driven application security will look like.
Topics discussed:
How Tim's background in experimental psychology and data analytics informs his work as the Director of Security Engineering.
The definition of data engineering and how the practice can apply to application security.
Why data is important for security and how a big part of collecting and analyzing data for its insights is because "you can't secure what you can't see."
How to play into your strengths when building a data program by looking at your current capabilities, including leveraging a business insights team.
How you can use data to determine the efficiency of your vulnerability management program, how to monitor performance, and how to find out where your efforts are producing the most value.
The benefits of using data to inform your security approach, and how to get to 100% success rates with fixes by doing so.
What the future of application security will look like and how teams can integrate more data analysis practices.
 

In this episode of the Future of Application Security, Harshil speaks with Derek Samford, Senior Director of Product Security at Avalara, a company that builds cloud-based tax compliance solutions. They discuss Derek's approach to product security, including how his team uses data to drive visibility, how feedback loops can build maturity, and how they create application grade cards that inform remediation efforts. They also discuss how everyone is invited to contribute to product security solutions, how they create custom training for each new process, and the importance of empathy.
Topics discussed:
How Derek's varied background brought him from network engineering to scalability and performance testing, to field support, to building a security validation team, to today building applications at Avalara from the ground up.
Why empathy is the most important skill you can have in security, and why it allows you to help others do their best work.
How Derek's team practically approaches security, from running the same tools developers do, to having a strong security champions program, to encouraging open feedback.
How Alavara builds collaboration by inviting anyone who wants to contribute to security solutions to be part of the working group.
How Alavara uses data to help them understand what they're protecting, to gain greater visibility, and to unify their processes.
How standardized processes and feedback loops create maturity over time.
The importance of education, and why they create training specific for the organization that focus on "our tools, our processes, and our recommendations around security."

In this episode of the Future of Application Security, Harshil speaks with Jacob Salassi, Director, Product Security at Snowflake, a cloud computing and data management company. They discuss how Snowflake approaches product security — from what they expect engineers and developers to do, to their risk-based reporting — and why Jacob takes a scientific approach to it. They also discuss how Jacob's team creates property graphs to better understand risk flows and what to prioritize, automated threat detection, how they're writing more intelligent detections at scale, and the challenges of big data to product security.
Topics discussed:
How Snowflake approaches product security, including: How they build autonomy for engineers through repeatable processes
How they optimize for business value and not just security outcomes, and 
Why they take a quantitative risk-based reporting approach
Why Jacob takes a "science, not art" approach to product security, and why he defines product security as anything related to the security posture of the service.
The ways in which data- at- scale and disparate data sources prove to be a challenge for threat detection, and why security teams can benefit from pulling together those sources so they can uniformly analyze data across systems.
How Jacob's team created and scaled a repeatable and structured method to risk assess every new feature that's being shipped.
How this method of risk assessment and scoring helps uncover dynamics in their environment, gives developers better prioritization of their work, and enables automated threat detection.
Challenges to the observability problem of who can own and access data, how many people are ingesting APIs, how much it's costing, and other access concerns.
The ways in which they're communicating KPIs and risk posture through live dashboards, and how they're thinking about powering quantitative risk analysis and forecasting through those dashboards.
 

In this episode of the Future of Application Security, Harshil speaks with Helen Oakley, Lead Architect for Software Supply Chain Security at SAP, which develops enterprise software for business operations. They discuss the need for software supply chain security, especially considering how much of software is open source today, and what the current state of adoption is across industries. They also discuss how you can optimize SBOMs and the misconceptions around them, where organizations can start implementing software supply chain security, and why it's needed to protect both infrastructure and human life.
Topics discussed:
What software supply chain security is, and the different considerations — like open source components — that make it a priority for organizations today.
The current state of adoption for software supply chain security, the challenges to adoption, and which industries are on the forefront while others lag behind.
How software supply chain security and SBOMs will evolve, especially considering the need for safety around digitally-connected devices that can impact human well-being.
Some of the misconceptions around what SBOMs offer, and what more has to be done in addition to SBOM implementation to make supply chains more secure.
Advice for organizations looking to get started on or ramp up their software supply chain security approach, which includes improving SBOM quality and automation.
How to be prepared to receive and consume SBOMs from vendors, and what tools to use to analyze that data.
What types of benefits and risks AI will pose for software supply chain security in the future, especially around transparency.

In this episode of the Future of Application Security, Harshil speaks with Steve Springett. They discuss the broad definition of what software supply chain security is, the implementation of SBOMs after the White House's Executive Order, and how organizations can effectively adopt, operationalize, and use SBOMs. They also discuss the biggest drivers for better software supply chain security, why you need to manage more than just vulnerabilities, and how organizations can start chipping away at their software security chain problems.
Topics discussed:
Steve's broadly encompassing definition of software supply chain security.
How organizations scrambled to adopt and operationalize SBOMs after the White House's Executive Order, and why Steve started SCVS (OWASP Software Component Verification Standard) as a response. 
Why software supply chain security goes beyond just understanding and addressing your vulnerabilities, but should include knowing your inventory, and the pedigree and provenance of your assets.
Why SBOMs have suddenly gained in popularity, likely because of supply chain attacks and breach fatigue and the need for better solutions.
What to do with an SBOM: how do you share it, how can you request it at scale, how can you analyze it, and what do you do with it once you have it.
How to address the vulnerabilities that are listed in an SBOM that will remain unexploitable, and how to ensure the customer experience isn't negatively impacted by that list.
How machine learning may play a role in better understanding risk across the software supply chain.
Why capitalism and customer demand will be the biggest driver in pushing forward advancements in software supply chain security.