Future of Application Security
The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt
Episodes
Wednesday May 10, 2023
In this episode of the Future of Application Security, Harshil speaks with Jason Espone, Global Head — Application Security Engineering | Cybersecurity at C.H. Robinson, the world’s most powerful logistics platform allowing customers to ship goods around the world. They discuss the challenges of addressing tech debt at a 117-year-old company, strategies to manage a vast application portfolio, and the importance of being able to articulate risk to leadership. They also discuss how application security plays a part in business resiliency, and how to think about data-driven application security.
Topics discussed:
Jason's career evolution, from starting as a Java developer, to moving to software configuration management at Motorola Labs, to building and scaling DevSecOps platforms, to becoming the Global Head of Application Security Engineering and Cybersecurity at C.H. Robinson.
The challenges of application security at a 117-year-old company, including how to solve the tech debt that's accumulated over the organization's history.
The importance of not only understanding the risk to your business, but being able to articulate that risk to leadership for better prioritization.
Understanding the landscape of applications by building a portfolio of applications, ranking by risk and other factors, and using a tool like Backstage to manage and prioritize it all.
How C.H. Robinson uses metrics to evaluate each product line and its security posture to create an overall risk score of the organization and improve business resiliency.
Why it's important to have data drive your application security strategy.
What the future of application security looks like, including how security will integrate AI, the rising importance of threat modeling, and why IAM is the future of security.
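The show's own description names Mean Time to Remediate (MTTR) as the metric to watch, and this episode covers per-product-line metrics rolled up into an organizational risk score. The following is an added example, not code or data from the podcast or from C.H. Robinson: it computes MTTR per product line and per severity from a constructed findings ledger, and alongside it reports the age of the still-open backlog, because MTTR is computed only over closed findings and will look excellent for a team that fixes the easy issues quickly while an old critical sits open. Product names, severities and dates are all made up for the illustration.

```python
"""MTTR per product line, with the caveat a practitioner should attach to it.
Added example; not from the podcast or the company discussed."""
from datetime import date
from statistics import mean, median

# Constructed sample ledger (not real data). Each finding belongs to a product
# line, has a severity, an open date and a close date (None while still open).
FINDINGS = [
    {"product": "shipping-api", "severity": "critical", "opened": date(2023, 1, 3),  "closed": date(2023, 1, 10)},
    {"product": "shipping-api", "severity": "high",     "opened": date(2023, 1, 5),  "closed": date(2023, 2, 14)},
    {"product": "shipping-api", "severity": "high",     "opened": date(2023, 2, 1),  "closed": None},
    {"product": "billing-web",  "severity": "critical", "opened": date(2023, 1, 8),  "closed": date(2023, 1, 9)},
    {"product": "billing-web",  "severity": "medium",   "opened": date(2022, 11, 1), "closed": date(2023, 3, 1)},
    {"product": "billing-web",  "severity": "critical", "opened": date(2022, 10, 1), "closed": None},
]

# Reporting date for the constructed ledger (assumption for the example).
AS_OF = date(2023, 3, 31)


def _matches(f, product, severity):
    return (product is None or f["product"] == product) and \
           (severity is None or f["severity"] == severity)


def mttr(findings, product=None, severity=None):
    """Mean and median days-to-close over CLOSED findings matching the filters.
    Returns (mean_days, median_days, n_closed), or (None, None, 0) if none closed."""
    durations = [(f["closed"] - f["opened"]).days
                 for f in findings
                 if f["closed"] is not None and _matches(f, product, severity)]
    if not durations:
        return (None, None, 0)
    return (mean(durations), median(durations), len(durations))


def open_backlog_age(findings, as_of, product=None, severity=None):
    """Ages in days (ascending) of findings still open at `as_of`.
    MTTR ignores these entirely, so they must be reported next to it."""
    return sorted((as_of - f["opened"]).days
                  for f in findings
                  if f["closed"] is None and _matches(f, product, severity))


def report(findings, as_of):
    """One row per product line: overall and critical MTTR plus oldest open item."""
    rows = {}
    for product in sorted({f["product"] for f in findings}):
        m, med, n = mttr(findings, product=product)
        crit_m, _, _ = mttr(findings, product=product, severity="critical")
        ages = open_backlog_age(findings, as_of, product=product)
        rows[product] = {
            "mttr_days": m,
            "median_days": med,
            "closed": n,
            "critical_mttr_days": crit_m,
            "open": len(ages),
            "oldest_open_days": ages[-1] if ages else 0,
        }
    return rows


if __name__ == "__main__":
    for product, row in report(FINDINGS, AS_OF).items():
        print(product, row)
```

In the constructed data, billing-web shows a critical MTTR of one day and yet carries a critical finding that has been open for 181 days; a dashboard that reports MTTR without the open-backlog age would rank it as the healthier product line. Feed the same shape of ledger from your tracker export and the two columns together give leadership a far more honest picture than MTTR alone.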
Wednesday May 03, 2023
In this special edition of the Future of Application Security podcast, Harshil speaks with Matt Johansen, Principal Security Architect at Reddit, a community and content-sharing site, and Clint Gibler, Head of Security Research at Semgrep, an open source static analysis tool. Together they discuss how the world of AppSec has changed, including the more widespread adoption of a shift-left mentality, and how more best-in-breed tools are being created for developers today. They also discuss the ways in which you can adopt frameworks and tooling into current workflows, how to meet developers where they are, and how to incentivize practicing good security habits.
Topics discussed:
How the world of AppSec has changed, going from a niche part of a security program to something everyone started focusing on, and how the industry has adopted a shift-left mindset while making more tools available for developers.
How the evolution of frameworks is helping to prevent vulnerabilities and reduce risk, sometimes more so than security tools.
How best-in-breed tooling is moving from generating tickets to be thrown over the fence, to speaking to developers in the language they know.
The current state of in-house security expertise, and why security teams still need to lead with prioritization and the value-add of security, yet are beginning to hire team members who can write code.
How to move security frameworks into the systems developers use every day, and how to incentivize developers to adopt those frameworks in the first place.
The ways in which gamification and public dashboards have helped increase security adoption and reward good behavior.
Why it's better to focus on and invest in solving the top vulnerabilities and issues than be sidetracked by the "long tail" of thousands of vulnerabilities that will never get touched.
Wednesday Apr 19, 2023
In this episode of the Future of Application Security, Harshil speaks with Emre Saglam, Head of Security and Compliance at Dremio, a data lakehouse that empowers data engineers and analysts with easy-to-use self-service SQL analytics. They discuss the current state of AppSec, including how to improve security by prioritizing business implications, using frameworks, and having tools "closer to the ground." They also talk about how to structure security teams, how much time you should spend with product teams, what skills are needed for future success, and more.
Topics discussed:
Emre's career evolution in security, from breaking into mailboxes as a kid growing up in Turkey, to starting a Linux group in the 1990s, to working at places like World Bank and Salesforce before becoming the Head of Security and Compliance at Dremio.
The current challenges of Product Security, including the need for bigger companies to bridge the gaps between their disconnected teams and tools, and why security teams need to prioritize overall business implications and impact.
How security is improving through the use of frameworks and tools that are "closer to the ground," making security easier to scale.
Why security teams should adopt strategies like injecting security across each phase of product development, and why security teams should spend more time with the product team.
How to structure security teams in terms of which skills to hire, how much time to dedicate to the product side, how to keep up morale and motivation, and how to align teams to create secure products for customers.
How security teams can bring attention to areas where they may need more resources, planning, or prioritization, and why alignment with leadership is key.
Why curiosity, questioning intention, being firm, having a Plan B, and good communication are skills that security team members must acquire in order to be successful.
Why the future of product security will be better correlation, deduplication, and fewer false positives, and how AI will contribute to writing better code.
Wednesday Apr 12, 2023
In this episode of the Future of Application Security, Harshil speaks with Mohit Kalra, Vice President of Product Security at Sprinklr, a platform that enables the world's largest enterprises to market, advertise, research, care, and engage consumers. Together, they take a look at the overall management of product security in a SaaS organization that needs to keep a large amount of customer data safe. Mohit's advice includes how to prioritize your product security program, become more aware of your environment, make listening and learning a security process, and other useful tips, tricks, and strategies that any security leader can take and apply to their team today.
Topics discussed:
How a Product Security leader should think about security maturity, for more reliable and repeatable actions.
Why it's key to better understand your products and applications before you implement preventative controls.
How to become more aware of what you have in your environment, where to start if you don't know what to secure, and how to create processes for remediation of issues that you find.
How to establish listening as a process, and why it's key in getting to better know your products, teams, and business trajectory.
Why ProdSec is an incremental process, and why prioritization is its central problem.
How to calculate your organization's risk, and why security starts with assessing the needs of the company.
Why the best approach to remediation is to strategically ticket your security backlog, and how to do so in order to make the most progress.
Wednesday Apr 05, 2023
In this episode of the Future of Application Security, Harshil speaks with Derek Fisher, the Head of Product Security at Envestnet, a publicly traded financial technology company that connects people's daily financial decisions with their long-term financial goals. Derek is a highly accomplished professional with an exceptional track record in engineering and information security. With his experience as an award-winning author, speaker, leader, and university instructor, Derek provides valuable insights into the world of application security and risk management.
Key topics discussed:
The step-by-step approach to build a mature application security program.
Using tools like dynamic scanners (DAST) and software composition analysis (SCA) for vulnerability management.
Collaboration with product and engineering teams to stay informed about upcoming changes.
Importance of early involvement in the development lifecycle to enhance security.
The role of enterprise architecture teams in the application security process.
Challenges in tracking and responding to development team activities in agile environments.
Resources mentioned:
Derek's book, "The Application Security Program Handbook"
Derek's children's book, "Alicia Connected"
Wednesday Mar 29, 2023
In this episode of the Future of Application Security, Harshil speaks to Cassie Crossley, VP of Supply Chain Security at Schneider Electric, a global specialist in energy management and automation. Cassie is responsible for overseeing the cybersecurity strategy and ensuring the security of the company's products and services. With a wealth of experience from her leadership roles at well-known companies like Ceridian, Hewlett-Packard, McAfee, Lotus, and IBM, Cassie brings a unique perspective and valuable insights to the discussion on software supply chain security.
Key Topics Discussed:
Addressing sophisticated threats in software supply chains.
Integrating supply chain security into CISO priorities.
Focusing on third-party suppliers and open source risks.
Utilizing tools and frameworks like SSDF for supply chain security.
Understanding and evaluating supply chain risks for CISOs.
Developing IoT cybersecurity standards.
Tuesday Mar 28, 2023
In this special episode of the Future of Application Security, Harshil interviews Eric Sheridan, Tromzo’s recently appointed Chief Innovation Officer. Eric shares his 20-year journey in security, from his teenage encounter with Punters (little apps that would flood the target with AIM messages and knock them offline) to developing innovative security technologies at companies including WhiteHat Security (now part of Synopsys). They discuss Eric's experience in building security testing tools, co-founding a company specializing in scanning source code for vulnerabilities, and working on various application security projects throughout his career. The conversation delves into the current challenges and future trends of software and cloud security, emphasizing the need for a holistic approach, the importance of democratizing security, and how to integrate security into the workflows of developers and decision-makers.
Key topics discussed throughout the conversation:
Understanding an organization's assets and the importance of a single pane of glass for visibility.
The role of product security teams in providing guidance and operational support to engineering teams.
The impact of developer-oriented products on security and the future role of application security engineers.
Benefits of automated policy enforcement and integrating security into CI/CD pipelines.
Importance of actionable insights for risk owners to effectively remediate vulnerabilities.
The evolving role of application security teams in the context of democratizing security.
The importance of integrating security products within non-traditional security tooling platforms, such as GitHub, GitLab, JFrog, and Datadog.
Wednesday Mar 15, 2023
In this episode, Harshil is joined by Martin Nystrom, Vice President Of Product Security at Lumen.
Lumen is the world’s largest provider of communications, network services, and cloud security solutions. The Lumen platform enables companies to capitalize on emerging technologies and next-gen business applications, offering simplified security solutions that allow their customers to shift their focus from IT to innovation.
Topics Discussed:
The future of application security and the implications of security management in a multi-cloud environment
Martin’s advice for product security professionals starting out in the application security space
How OKRs can help differentiate the roles of the CISO (chief information security officer) and CPSO (chief product security officer)
The similarities and differences between Lumen’s security structure and other traditional organizations
The importance of incorporating product management capabilities into security
Wednesday Mar 01, 2023
KnowBe4 is the world's largest integrated Security Awareness Training and Simulated Phishing platform. KnowBe4’s training program is designed to help organizations address their most pressing IT security issues. With proper security awareness training, teams are able to make better security decisions, and help build a strong security culture within their organization.
In this episode, Harshil chats with Bradley Petzer, Senior Director of Product Security at KnowBe4. Bradley shares the importance of finding the right balance between compliance and security, and why priority should be given to having true risk management solutions in place.
Topics Discussed:
How application and product security relate to each other, and the importance of skills specialization in either area
Key challenges product security teams are facing today
How to maintain a balance between security and compliance
Building a collaborative relationship between different teams, and leveraging automation to improve team efficiency
How KnowBe4 effectively manages open source vulnerabilities
Bradley’s advice for anyone just starting out their career in cyber security
The advantage of getting cybersecurity certifications
Wednesday Feb 15, 2023
In this episode, Harshil chats with Emmy Eide, Director of Product Security at Red Hat, a leading provider of open source software solutions that enable enterprises to seamlessly work across various platforms and environments.
Emmy shares how she came to lead the team handling software supply chain security at Red Hat, and gives us a look into what makes for a good software supply chain security program: using the right tools, applying risk management best practices, and implementing security controls that protect the supply chain from threats and vulnerabilities.
Topics discussed:
Why software supply chain security is important
The need to establish partnerships between security and engineering teams to effectively implement security controls within the supply chain
How Red Hat cultivates an open feedback culture between teams to achieve systemic security
How the SLSA framework helps developers secure the supply chain
Determining the scope of the software supply chain and what to include in the SBOM (software bill of materials)
How the SSDF (Secure Software Development Framework) drives secure software development and mitigates risks to the supply chain