Future of Application Security

The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt

Listen on:

  • Apple Podcasts
  • Podbean App
  • Spotify
  • Amazon Music
  • iHeartRadio
  • PlayerFM

Episodes

Wednesday Jan 18, 2023

In this episode, Harshil is joined by Naomi Buckwalter, Director of Product Security at Contrast Security. Contrast Security is an application security platform that helps developers and security teams write secure code and protects business applications against targeted cybersecurity attacks. The Contrast platform is able to effectively identify actual vulnerabilities from false positives, resulting in faster remediation.
With more than two decades of experience in IT and Security, Naomi shares some tips on how to run a product security program, how to build a diverse team, and how to refine the hiring process to empower managers to choose the right candidates.
Topics discussed:
  • How Naomi came to lead the product security team at Contrast Security
  • The story behind Cybersecurity Gatebreakers, Naomi’s nonprofit foundation advocating for and supporting the next generation of cybersecurity professionals
  • The supposed talent shortage in cybersecurity, and the challenges in finding and hiring the right talent
  • How to choose the right questions during an interview and what to prioritize during the hiring process
  • Naomi’s LinkedIn course that’s providing valuable educational content on how to be better security leaders
  • Naomi’s book recommendation for cybersecurity leaders
  • How to come up with a reprioritizing plan to counter the effects of a workforce reduction

Thursday Jan 05, 2023

Technology has been growing by leaps and bounds, but most supply chain processes for shipping, storing, and trading goods have remained fragmented. Flexport is the first to connect the entire ecosystem of global trade, empowering buyers, sellers and logistics providers to grow and innovate. Flexport’s platform sets a new standard for global trade by simplifying supply chain management.
In this episode, we are joined by Kevin Paige, CISO at Flexport. Kevin draws on two decades of work experience in IT and security to help the company streamline and optimize business processes, mitigate risks, and accelerate growth by aligning IT initiatives with broader company goals.
Topics discussed:
  • Kevin’s work background and how he shifted from being in the military handling physical security, and working as a security consultant for the government, to his current role at Flexport
  • His thoughts on the complexities of the CISO role and the trend of assigning CIO responsibilities to CISOs
  • How to strategize, plan, and make data-driven decisions in the world of security
  • How application security has evolved and what the future will look like
  • The skills that every good product security person should have
  • The process Kevin’s security team follows in doing quarterly business reviews

Wednesday Dec 14, 2022

Unqork is a no-code application platform that helps large enterprises rapidly build complex custom software by completely removing the usual development challenges of a traditional code-based approach.
In this episode, Harshil chats with Unqork’s Chief Information Security Officer, Daniel Wood, to learn more about how he’s helped build and scale the company’s product security program.
Daniel has more than a decade of experience in cybersecurity, having worked as an information security analyst and lead security engineer in previous roles.
Topics discussed:
  • Daniel’s career journey and his transition from risk-based security work to technical security engineering, consultancy, and corporate security work
  • Changes Daniel implemented after joining Unqork, and how he chose what security aspects to prioritize and invest in
  • Leveraging the OpenSAMM or BSIMM model to guide security investment decisions
  • Unqork’s goal of building product security features to reduce friction between the engineering and security teams
  • How to drive the adoption of security initiatives across an organization
  • How Unqork handles code ownership, architecture review processes, and threat modeling
  • Unqork’s maturity roadmap for the future

Wednesday Nov 30, 2022

Those in IT, DevOps, and SecOps are all too familiar with the demands of a complex and dynamic technological landscape. For more than two decades, SolarWinds has helped technology professionals and organizations manage and adapt to an ever-expanding ecosystem of IT applications and infrastructure.
In this episode, Tim Brown, Vice President of Security at SolarWinds, gives us an insider view of the 2020 cyberattack where hackers slipped malicious code into the company's popular network management system and software program, Orion. He shares how his team worked tirelessly to resolve the breach, and how this incident has brought light to the software supply chain security issue and has helped strengthen the whole security industry.
Topics discussed:
  • Tim’s perspective on the dependence of security maturity on engineering process or development process maturity
  • How the SolarWinds team handled the 2020 breach
  • The importance of creating SBOMs for every application and learning to utilize the data to protect against security vulnerabilities
  • Tim’s advice for security leaders working with a supply chain
  • What supply chain security will look like in the next few years
Links:
  • SolarWinds hack explained: Everything you need to know
  • SolarWinds breach: Lessons Learned & Practical steps

Wednesday Nov 09, 2022

Chime, one of the fastest growing players in the financial technology space, has a mission of providing financial stability for their customers by eliminating many of the issues that come with traditional banking.
In today’s episode, Mukund Sarma, Director of Product Security at Chime, shares how he helps his team address the challenges in building security programs and maintaining a solid and proactive security culture within the company.
Topics discussed:
  • How Mukund got started in cybersecurity
  • His experience in building application security programs for FinTech companies
  • Different approaches to risk mitigation in FinTech, product security, and application security
  • What product security is and how its definition differs from company to company
  • What skill set Mukund looks for when hiring engineering and security teams
  • How Chime’s internal Rails application, Monocle, helps their team with strategic engineering and security decision making
  • Why Mukund opted for a gamified approach for their security processes
  • Why Mukund's team decided to integrate GitHub badges within Monocle

Wednesday Oct 26, 2022

Pegasystems’ Pega Platform is a powerful low-code platform for AI-powered decisioning and workflow automation. The platform makes it easier for enterprises to work smarter, unify experiences, and quickly adapt. As a publicly traded company with a multi-billion dollar market cap, more than 6,000 employees, and a global customer base, security is critical to the success of the company.
In this episode of the Future of Application Security podcast, Harshil speaks to Pegasystems’ Director of Application Security, Tejpal Garhwal, to learn about how Pega approaches AppSec. With a strong software development background and deep expertise in Application Security, Tejpal has spent his career managing multiple security and dev teams and setting the direction for information security application architecture, policy and processes within the organization.
Topics discussed:
  • Tejpal's career transition from Software Development to Application Security
  • Tejpal’s 30-60-90 day strategy for strengthening and standardizing security processes and building a secure SDLC
  • The benefits of shifting left and developing a good security culture mindset
  • Management and optimization of an application security operation on a large scale
  • How Tejpal encourages collaboration between the security and development teams
  • Using quality security gates, guardrails, and similar controls to ensure code integrity
  • Tejpal’s thoughts on the future of application security

Wednesday Oct 12, 2022

FullStory’s mission is to equip organizations with the information they need to deliver perfect digital experiences. To deliver on that mission, their platform captures customer experience data based on understanding browser interactions. In order to capture that data, it must have a position on the end user’s browser, which requires a high level of customer trust.
To ensure its service is delivered securely and that trust is maintained, the company has devoted significant resources to developing a robust Product Security Program.
On today’s episode of the Future of Application Security, Harshil speaks with FullStory’s VP of Product Security and Compliance, Mark Stanislav, to learn more about how the company has approached building and scaling its Product Security Program.
Topics discussed:
  • How Mark defines Product Security
  • Why FullStory runs maturity models every quarter
  • How to use maturity models to demonstrate your Product Security Program's progress and justify further investment
  • Why shifting left is critical for all teams looking to scale their Product Security Program
  • How FullStory built a culture of engineers who love security
  • What most get wrong about vulnerability and risk management
  • Why Product Security teams need to own the triaging and prioritization

Wednesday Sep 28, 2022

The pace of software development has increased dramatically over the past ten years, and the traditional approach to application security has struggled to keep up. With modern development going from code to cloud within hours, manual security checks and code reviews run the risk of slowing down releases and creating more tension between developers and security teams.
To reduce this friction, organizations are shifting from the traditional application security approach to a more modern approach where security policies and controls are embedded in developer workflows.
To learn more about this shift, in today’s episode of the Future of Application Security, Harshil speaks to Daniel Harvey, an industry veteran with more than 13 years in AppSec. Most recently, Daniel was the Director of Product Security at InVision. Prior to InVision, Daniel worked on AppSec teams at organizations including Clayton Homes, Citi, Elavon, and Discovery.
Topics discussed:
  • Daniel’s shift from application security to product security
  • The importance of building default security features within a product
  • How to make product security a business enabler
  • The key changes in the application security landscape
  • How to build the relationship between security and development and how to find balance in collaboration
  • The need to map and tie code ownership to identity management systems

Wednesday Sep 14, 2022

Stripe is the most valuable private startup in the United States with a market valuation of more than $95 billion. With more than 2 million customers spread across 46 countries and nearly 10,000 employees, the scale of Stripe is hard to fathom. To retain its position as the market leader, Stripe must continue to rapidly ship new products while at the same time ensuring those products are secure.
To learn more about how Stripe has scaled their AppSec Program to keep up with the pace of development, in today’s episode Harshil speaks with Stripe's Application Security Manager, Rajat Bhargav. Prior to joining Stripe in 2021, Rajat worked as a software engineer at Citi and Monsanto before transitioning to security, where he has worked on AppSec teams at companies like eBay, Walmart, Netflix, and Twitter.
Topics discussed:
  • How to get developers engaged and interested in security (based on Rajat’s experience as a developer)
  • How Stripe uses context to help developers prioritize the vulnerabilities that actually matter
  • How secure-by-default security guardrails make it easier for developers to not have to think too much about security
  • Three pieces of advice for up-and-coming AppSec professionals and leaders
Resources mentioned:
  • Scaling Appsec at Netflix
  • Locomocosec.com

Wednesday Aug 24, 2022

Thirty Madison is a healthcare technology company that offers direct-to-consumer healthcare and wellness products for people living with chronic conditions. Founded in 2017, the company has raised over $200 million in funding and has more than 400 employees.
As a healthcare company with millions of customers, Thirty Madison has the responsibility of holding their customers' most personal information. Keeping this highly sensitive data secure is mission critical to their business. A single breach could jeopardize their reputation and ruin their relationship with their customers.
To ensure their customers and employees are secure, Thirty Madison brought on Anshuman Bhartiya to put in place a Product Security program that is capable of keeping up with the rapid growth of the company. In today’s episode, Anshuman joins Harshil to talk about the lessons learned as he built their Product Security program from scratch and the tactical advice he has for others who find themselves in a similar position.
Topics discussed:
  • How to decide what problems and risks to prioritize when you are first building a product security program
  • Questions to ask executives and co-workers as you begin building your product security program
  • How Security Guardrails can influence developers to build secure code from the beginning, and how to actually make that happen
  • Anshuman’s favorite Security Guardrail he’s implemented
  • A lightweight approach to building and securing your SDLC
  • The #1 piece of advice for someone who is just beginning their product security journey

Copyright 2022 All rights reserved.