Future of Application Security

The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt

Listen on:

  • Apple Podcasts
  • Podbean App
  • Spotify
  • Amazon Music
  • iHeartRadio
  • PlayerFM

Episodes

Wednesday Jul 19, 2023

In this episode of the Future of Application Security, Harshil speaks with Steve Springett. They discuss the broad definition of what software supply chain security is, the implementation of SBOMs after the White House's Executive Order, and how organizations can effectively adopt, operationalize, and use SBOMs. They also discuss the biggest drivers for better software supply chain security, why you need to manage more than just vulnerabilities, and how organizations can start chipping away at their software supply chain security problems.
Topics discussed:
Steve's broadly encompassing definition of software supply chain security.
How organizations scrambled to adopt and operationalize SBOMs after the White House's Executive Order, and why Steve started SCVS (OWASP Software Component Verification Standard) as a response.
Why software supply chain security goes beyond just understanding and addressing your vulnerabilities, and should also include knowing your inventory and the pedigree and provenance of your assets.
Why SBOMs have suddenly gained in popularity, likely because of supply chain attacks and breach fatigue and the need for better solutions.
What to do with an SBOM: how do you share it, how can you request it at scale, how can you analyze it, and what do you do with it once you have it.
How to address the vulnerabilities that are listed in an SBOM that will remain unexploitable, and how to ensure the customer experience isn't negatively impacted by that list.
How machine learning may play a role in better understanding risk across the software supply chain.
Why capitalism and customer demand will be the biggest driver in pushing forward advancements in software supply chain security.

Wednesday Jul 12, 2023

In this episode of the Future of Application Security, Harshil speaks with Prajakta Badhe, Head of Product Security at Origami Risk, which provides risk software to the insurance industry. They discuss how product security is different from application security, the ways in which Prajakta evaluates a product’s risk, and why she always gives context as to why a vulnerability needs remediation. They also discuss the security culture at Origami Risk, three steps for building a robust security program, and where AI will fit into product security's future.
Topics discussed:
The evolution of Prajakta's career, starting as a quality assurance engineer, then leading a team of pen testers at Norton, to now leading product security at Origami Risk.
The difference between product security and application security, and how they are "two different pillars" of security.
What skills, background, and knowledge Prajakta looks for when hiring for product security.
The two things Prajakta looks at when evaluating a product's risk, and the ways in which to prioritize that risk.
Why Prajakta creates a list of the organization's unique top ten risks and how she uses that list for training purposes.
How to create more meaningful training for developers.
Three steps for building a security program, including establishing a baseline, creating ways to scale, and modernizing as you go.
The reasons why Origami Risk has a strong security culture, and why that's a benefit to all.
What the future of product security holds, including the benefits and challenges of integrating AI-powered tools.

Thursday Jul 06, 2023

In this episode of the Future of Application Security, Harshil speaks with Anthony Ungerman, VP Product Security at Avalara, a tax software company. They discuss what product security encompasses beyond application security, how the security team at Avalara works with engineers, and how they articulate business value to increase security implementation. They also discuss security automation, approaches for security training, and what's in store for the future of product security.
Topics discussed:
The evolution of Anthony's career as a "lifelong computer junkie," including how he was introduced to security, and how he learned security by practicing on his kids' web traffic.
How Anthony defines product security, why it's broader than application security, and what it encompasses.
How Avalara's security team works with the engineering team, and how they leverage security champions to implement security initiatives.
How security-mindedness is expanding, from the boardroom to customers, prompted by data privacy regulation like EU GDPR and the edicts from the White House.
How to get more security buy-in by being able to explain how initiatives tie back to business objectives.
A summary of articles Anthony wrote about how to automate application security programs.
What types of training they're offering to ramp engineers up on security best practices — and what consequences are in place if they don't complete training.
How the future of product security will be shaped by privacy regulations, generative learning, and all-encompassing dashboards.

Wednesday Jun 28, 2023

Tanya Janca, Founder of We Hack Purple, and Eric Sheridan, Chief Innovation Officer at Tromzo, join us for a special episode of the Future of Application Security Podcast. This episode was originally recorded as a LinkedIn Live on June 25, 2023.
Tanya and Eric discuss how understanding the context in which applications operate is crucial for effective AppSec prioritization. You don't want to miss this insightful session to uncover how to choose AppSec priorities based on software supply chain security, code-to-cloud business context, and metrics. Let's empower organizations to strengthen their Application, Product, and Cloud Security practices and stay ahead of emerging threats.
Topics discussed:
The significance of software supply chain security and the importance of preventive controls that integrate security policies throughout the SDLC.
How code-to-cloud business context emphasizes the need to consider various business models and ownership structures, and how they influence security requirements.
Where leveraging metrics effectively can enhance an organization's AppSec posture and mitigate risks.

Wednesday Jun 21, 2023

In this episode of the Future of Application Security, Harshil speaks with Joe Basirico, Senior Director of Product Security at Highspot, a sales enablement platform. They discuss how product security's evolution has increased its focus on relationships and trust-building, why security is like fixing a leaky faucet, and how to prioritize for more efficiency and impact. They also discuss where product security is going and how AI will help it get there, the elements for security at scale, and how to better collaborate with developers.
Topics discussed:
Why Joe "fell in love with security" and how his career evolved from developer to pen tester to trainer, back to developer, and now to leader of a product security team.
How product security has shifted to building trust and relationships among teams and customers — and why you should hire for hard and soft skills like empathy.
Why security is like a leaky faucet, and why you should turn off the tap — or, fix the influx of vulnerabilities — before you spend time cleaning up the mess.
How to prioritize what to focus on first, and why execution trumps prioritization when it comes to getting stuff done.
What Joe does to make developers more successful through collaboration and solving problems together.
The three elements Joe considers key for security at scale: awareness, enablement, and detection.
The ways in which Joe and the security team distribute knowledge across the organization, including "hijacking October" for talks during Cybersecurity Awareness Month.
What the future of product security will look like, and how AI tools will play a role in shaping it.

Wednesday Jun 14, 2023

In this episode of the Future of Application Security, Harshil speaks with Mike de Libero, Director of Product Security at iHerb, an online health and wellness shop. They discuss the ways in which automation helps lighten the workload and creates more consistency, when you need to hire someone for security automation, and what to look for when scaling visibility. They also discuss how the role of product security has evolved, the benefits and drawbacks of today's tools, and how to build more effective remediation.
Topics discussed:
How to implement automation to lighten the load of product security engineers and to create a more consistent experience for everyone.
What to look for and what questions to ask in order to scale your visibility.
How to know if it's the right time to hire someone for security automation — and why you should borrow someone from the dev team first.
How product security has changed over the years, including its shift from testing and finding issues to building libraries, controls, and frameworks to help dev teams push code out quicker.
How to group classes of security issues in order to streamline remediation, and how Mike's team went from 1900 tickets to 30 with this practice.
How Mike's background as a programmer gives him more understanding and empathy in his role as Director of Product Security at iHerb, LLC.
What Mike learned about product security at different companies in the past, including Salesforce, Microsoft, Uber, and Unity.

Wednesday Jun 07, 2023

In this episode of the Future of Application Security, Harshil speaks with Warren Kopp, Application Security Consultant at Coalfire, a cybersecurity advisor. Together they discuss how better application security involves building relationships with the people behind the processes, and why skills like communication, collaboration, and an understanding of psychology are keys to moving forward security initiatives. They also discuss the increasing availability of security training today, how to think more aggressively about security, and why the future of AppSec will focus on expansion.
Topics discussed:
How Warren "backed into technology" after getting a degree in animation, and his experiences inside an enterprise software company before becoming a consultant with Coalfire.
Why security isn't just a technology problem and how you need to find the people behind the processes, get to know their struggles, and compromise in order to build great AppSec initiatives.
Why one of the key skills any security person can have is communication, and why clearly articulating business impact can help with getting buy-in.
The need for not just training in hard security skills, but in soft skills like communication and psychology in order to meet people where they are and better understand their needs.
How to look for opportunities for collaboration in your organization, and why it's key to talk to others (over the phone or over lunch) and build your network.
How teams can leverage automation, and why you need to think more aggressively about AppSec in order to open up new opportunities.
The current state of AppSec, and the growing availability of training and information-sharing through more informal channels like YouTube that can increase impact and reduce struggle.
Why the future of application security involves teams being more aggressive, more iterative, and growing quicker.

Wednesday May 31, 2023

In this episode of the Future of Application Security, Harshil speaks with Ariel Shin, Senior Product Security Engineer at Twilio, a company that provides businesses the tools to connect with customers through automated messaging. Ariel shares the story of how she implemented a democratized, centralized vulnerability management program at Twilio, which included conducting interviews to gauge the current state of vulnerability management, designing a new process that got everyone on the same page, getting buy-in by going on a roadshow across the company, and how they're currently managing the program after rollout.
Topics discussed:
Ariel's journey through Twilio's acquisition of Segment, going from a culture of a few hundred developers to a few thousand building many different projects.
How Ariel designed and implemented a democratized, centralized vulnerability management process by getting buy-in from security, engineering, and leadership, and socializing the process.
The importance of a centralized vulnerability management process to reduce confusion and easily see all vulnerabilities in one place, and how to make risk everyone's responsibility.
How, in order to uncover problems to address, Ariel interviewed security team members, developers, engineers, and other stakeholders, and created a flowchart of the current state of vulnerability management.
The necessity of approaching security holistically, and not thinking about security just in terms of the industries or silos created in an organization.
Identifying the pain points of an organization's security approach, and how to use those pain points to articulate the change needed for an organization.
How Ariel rolled out the new vulnerability management program through a roadshow across the organization, articulating what the changes were and how they improved security to increase buy-in.
How Ariel and the security team created three dashboards so stakeholders could better understand their security posture: one for ticket triage, one for engineers to understand the tickets, and the third for leadership.

Wednesday May 24, 2023

In the ever-evolving landscape of application security, organizations face the challenge of effectively scaling and growing their AppSec programs. On this episode of the Future of Application Security podcast, Harshil Parikh interviews Ty Sbano, the CISO of Vercel, who brings years of experience and expertise in the field of cybersecurity. During their conversation, Ty and Harshil shared their valuable experiences and learnings from scaling AppSec programs in small and large organizations. They also address topics such as gaining visibility into software artifacts, asset ownership and responsibility, and identifying critical tools for the business.
Topics discussed:
The importance of having a comprehensive understanding of software artifacts to ensure their security.
How collaboration between development teams, security teams, and asset owners can help foster a proactive approach to addressing vulnerabilities and mitigating risks.
The shift from first-party code to third-party code.
Who owns the code and how they take accountability for what is shipped.
How organizations can conduct regular assessments and evaluations to identify which tools are truly important to the business and prioritize their investments accordingly.
To learn more about scaling and growing AppSec programs, we highly recommend listening to the full episode.

Wednesday May 17, 2023

In this episode of the Future of Application Security, Harshil speaks with Sri Pulla, Director, Application Security at Cloudflare, a company that wants to "build a better internet" through its cloud platform of network services. They discuss how Cloudflare protects its products, uses risk scoring for prioritization and decision making, and why the engineering team must answer a security questionnaire before each deployment. They also discuss how to better collaborate across teams — engineering, privacy, compliance, and legal — and how Cloudflare is moving to a centralized team model to better scale their security.
Topics discussed:
The evolution of Sri's career, including her background as a software engineer, how she's been at "the right place at the right time" to help big companies rebuild apps after data breaches, and how she joined Cloudflare as the Director of Application Security.
Why Cloudflare is moving from a decentralized model where security engineers were embedded in product teams to a centralized model so security can scale better.
How AppSec fits into the SDLC, and how before each product is shipped, the review process includes a security questionnaire about the changes being deployed.
How Cloudflare defines a product, how they use risk scores to determine which products to prioritize, and how they're integrating more data privacy.
Why the future of AppSec will be found in collaboration, and how the security team and engineering team can support one another.
How security teams need to be prepared for a future where the cloud is here to stay, and how to sustain a model where products are secure even after deployment.
What skills Sri looks for when hiring, which include some kind of programming or product background that can help build empathy with software engineers.

Copyright 2022 All rights reserved.

Podcast Powered By Podbean