Future of Application Security
The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt
Episodes
Wednesday Aug 03, 2022
Wednesday Aug 03, 2022
The resounding sentiment from organizations is that there’s major tension between development and security teams. This tension makes it nearly impossible for any AppSec program to scale, making reducing this friction mission critical.
To learn how to improve the relationship between developers and security, on today’s episode of the Future of AppSec Harshil speaks with Dustin Lehr, Director of Application Security at Fivetran, a Forbes Cloud 100 company that helps companies improve the accuracy of data-driven decisions by continuously synchronizing data from source applications to any destination, allowing analysts to work with the freshest possible data.
Dustin is an accomplished software engineer turned information security leader. Having spent more than a decade as a software engineer, his diverse background and experience has helped him forge close partnerships with development teams, engineering teams, and software security advocates while pursuing the organizational culture shift of building good security habits into daily work.
His approach focuses on communicating the importance of security, instilling a sense of urgency, and motivating the organization to shift their mindset toward “Security by Design” best practices, quality focus, and technical responsibility.
Topics:
How Dustin’s background in software engineering influenced how he approached building Fivetrans AppSec program.
Why empathy is critical to improving the relationship between developers and security teams.
The importance of having an engaged and gamified Security Champions program.
Key challenges AppSec teams will face in the coming years and how they can prepare for the future.
Why Dustin created the “Let's Talk Software Security” community.
Resources:
Dustin’s “Let's Talk Software Security” Slack community: https://join.slack.com/t/letstalksoftw-64x2506/shared_invite/zt-t3e59aj9-5zNThhcrj4TCd4HJwAoDZA
Dustin’s current book recommendation: Actionable Gamification: Beyond Points, Badges, and Leaderboards
Harshil’s conference talk: Democratizing Security: A Story of Security Decentralization
Wednesday Jul 20, 2022
Wednesday Jul 20, 2022
Databricks is responsible for massive amounts of data for more than 7,000 customers worldwide including more than 40% of the Fortune 500. This means security is mission critical and the stakes are incredibly high. To keep their customer data secure, Databricks has put major focus into building both their product security team and strategy. In January, their team had just two members and today, there are 11 with many additional roles ready to be filled.
To learn more about how Databricks approaches product security, Harshil speaks with the person leading the companies efforts — Mrityunjay Gautam, Databricks Global Head of Product Security.
Topics discussed in the episode:
The difference between application security and product security.
The skill matrix Mrityunjay uses in assessing skill sets of the people who join their product security team.
His recommendations on training programs and valuable resources for those starting their career in product security.
The three most common challenges in product security and how they can be overcome.
Understanding the difference between product threat models and deployment threat models.
How Databricks thinks about threat modeling given their incredibly complex environment.
How Databricks built a highly engaged group of security champions.
Strategies Databricks uses to cut down time spent on product security processes and workflows.
Resources mentioned:
Technical books: https://nostarch.com/
Wednesday Jul 06, 2022
Wednesday Jul 06, 2022
Three years ago LinkedIn had no vulnerability management program in place. Today that’s a completely different story. Over the past three years, they built their program from scratch and rapidly scaled to keep their 25k+ employees and 800 million users safe and secure.
How did LinkedIn achieve this scale so quickly and what lessons were learned along the way? On today’s episode we speak with Justin Anderson — LinkedIn’s Head of Vulnerability Management who was tasked with building out the company’s program. Justin’s experience spans the US Air Force and MITRE offers a unique perspective on what it takes to overcome the challenges of scaling a security program.
Topics discussed in this episode:
What Justin and his team prioritized as they began building LinkedIn’s vulnerability management program.
How the scalability challenges Justin faced in the military prepared him for the challenges of scaling LinkedIn’s vulnerability management program.
How to incentivize developers to take security seriously and create a win-win for developers and security.
Why Justin is skeptical of the traditional security champions program model and what he recommends teams doing instead.
How security is evolving and what Justin believes security teams of the future will look like.
Tuesday Jun 14, 2022
Tuesday Jun 14, 2022
Credit Karma is expanding rapidly and a huge focus for them is having a truly agile engineering team. Application security has also been a focus and their ratio of appsec engineers to developers is 1-:50 which is one of the industries best ratios.
In their movement to success, today's show shares exactly how Credit Karma’s Director of Application Security Chaitanya Bhatt has tackled modern application security. Chaitanya’s perspectives and expertise come from his first-hand experience in leading security teams at organizations including eBay, AppDynamics (acquired by Cisco), and Autodesk.
Key Findings:
How enforcing security policies earlier in the software development lifecycle can make security easier for developers.
How to build an AppSec program that's capable of keeping up with the pace of software development.
Why having an embedded partnership model between application security engineers and developers is critical — and how to logistically manage making this a reality.
What most organizations get wrong with their security champions programs and how to make your program more impactful.
How to incentivize developers to invest their time and effort into security-related tasks.
Why shift-left is not enough, where building security-as-code comes into play.
Resources: Episode mentioned — Travis McPeak: Securing the Modern SDLC with Security
Tuesday May 31, 2022
Tuesday May 31, 2022
This modern SDLC has really exacerbated the fractured relationship between developers and security. Often security is frustrated that developers cannot deliver on their laundry list of asks, and in turn, developers are sick of the legacy application security ways that slow down progress.
To scale at the speed of DevOps, organizations have to eliminate this friction and improve the relationship between developers and security.
Our guest today is Allan Swanepoel and during this episode, he’ll teach us exactly how we can do that by bringing the power of automation to your application security program. Allan has a deep understanding of both sides of this issue — for many years he was on the development side before moving over to security after observing the lack of automation that existed in security workflows and processes.
Topics discussed in this episode:
Why organizations need to embrace a policy-driven prioritization approach to managing security.
Why eliminating the friction between developers and security begins with culture.
How security teams can get developers to adopt and use security tools.
Why organizations hiring security engineers only to have them handling things like Jira tickets is a tremendous waste of talent and resources.
How to build an automation mindset within your security team.
How security teams can balance automating key workflows with the normal day to day fires.
Security lessons from Allan’s time focused on infrastructure-as-code and infrastructure automation.
Additional resources:
Lessons from integrating third party library scanning in DevOps workflow - AppSecUSA 2018 (Keynote that Harshil referenced in the episode).
Monday May 16, 2022
Monday May 16, 2022
Developers today go from code-to-cloud in a matter of hours and security teams are struggling to keep up. Legacy AppSec systems and processes are impeding their efforts to scale their AppSec program and the majority of security teams feel unprepared to govern and secure the modern SDLC.
To solve this problem, organizations must rethink their approach to AppSec. Instead of trying to force developers to learn another skill set (security), adopt new tools or slow down development, AppSec teams must focus on security policies in developer workflows. Our guest today will teach us exactly how to make that happen.
Travis McPeak is the co-founder and CEO of Resourcely.io which he founded after more than a decade of experience in cybersecurity, working at organizations including Netflix, IBM, and Symantec. In addition to his work as a practitioner, Travis is an active startup advisor and an angel investor, backing startups including Authzed, DevZero, Monad, Truffle Security, and more.
Topics discussed in this episode:
How to make security easy for developers and the tangible benefits organizations see when they are able to do so.
Lessons learned when developers make security part of the SDLC.
How automating security policies and controls provides developers an easy path towards prioritizing security.
What inspired Travis to move from a security leader to startup founder.
Why teams with smaller budgets should avoid building and maintaining their own solutions and should instead look for solutions that solve 80% of their problem.
Why software tools created by those who haven’t had first-hand experience with the problem their software solves fail to meet the needs of security teams.
Tuesday May 03, 2022
Tuesday May 03, 2022
To build a high-performing security team, organizations must rethink how they approach recruiting, hiring, and retaining talent. The problem is, building a great team is incredibly challenging today. With an estimated 400,000 unfilled security jobs, security teams are understaffed, burnt out, and struggling to keep up with an ever-increasing number of cyberattacks each day. Our guest today teaches us exactly what security leaders can do to overcome these challenges and build a high-performing security team. Caleb Sima is the Chief Security Officer at Robinhood. He’s spent more than 20 years in cyber security following the unconventional path of spending his early years as a founder before transitioning over to the operations side and leading security teams at organizations including Databricks, HP, and Capital One. This unique journey provides Caleb with a unique and interesting perspective that every security leader can learn from.
Topics Discussed:
What incentivized Caleb to transition from a company founder to an operations leader — making the translation from an “arms dealer to a soldier on the battlefield”.
How Caleb's experience of building (and selling) his own startups shaped how he approaches being a CISO.
Why security teams need to think about other internal departments as their customers.
How to know when it’s okay to let fires burn and how to communicate this decision with other leaders at your organization.
Why outsourcing your number 1 priority of recruiting to someone else is a recipe for disaster.
Lessons learned from building the security team at Robinhood — bringing on 100+ new security people in less than a year.
How to instill a culture that believes hiring, talent, and people are important.
Why security leaders need to focus on building a hiring pipeline.
How take a data-driven approach to hiring and why time-to-hire is such an important metric to focus on.
Tuesday Apr 19, 2022
Tuesday Apr 19, 2022
Most people think about threat modeling as an extensive, costly and heavyweight exercise. But what if it didn’t have to be? What if threat modeling could be as easy as asking and answering a few simple questions?
In today’s episode, we speak with Adam Shostack about his simple four-question threat modeling framework. Adam’s framework was developed based on 20+ years of threat modeling experience ranging from startups to more than a decade at Microsoft. He believes deeply that organizations must rethink their approach to threat modeling. In this episode, Adam walks through his framework and teaches us how we should all be approaching threat modeling.
Topics discussed in this episode:
Why threat modeling shouldn’t only be for organizations with large teams of application security engineers.
How to bridge the gap between the security team focused on threat modeling and the development/engineering team.
How security engineers can support and train their developers on how to incorporate threat modeling into their day-to-day work.
Where threat modeling should fit into your application security program priorities.
The surprising benefits that threat modeling brings — outside of knowing the risks that exist.
How most organizations let perfect be the enemy of good (and what they should be doing instead).
Resources Mentioned:
Shostack white paper — Fast, Cheap, and Good
Shostack 1 minute educational clips on Youtube
Showstack threat modeling resource
Wednesday Apr 06, 2022
Wednesday Apr 06, 2022
CISOs have one of the most unique views of an organization.
Being in charge of teams that are under enormous pressure to ship, deliver, and sell security goes beyond an effective management.
Michael Piacente is the co-founder and managing director of Hitch Partners and he has been helping the CISO community for several years.
In today's show, he shares his insights about the patterns that most successful CISOs have in common.
Topics discussed in this episode:
The attributes and skill sets of a great CISO.
What Hitch Partners does and Michael's professional journey.
Suggestions for aspiring CISO that want to gain exposure and visibility.
The importance of partnering with the technical and non-technical part of the business.
Keys to retaining and engaging top talent.
Tips on how to structure the interview process.
Why building a personal brand is very important for the CISO career path.
What Hitch Partners CISO Survey is all about.
Tuesday Mar 22, 2022
Tuesday Mar 22, 2022
In this first episode, NextRoll’s Product Security Lead Nicolas Valcarcel shares how since he was 15 he wanted to work in security. However, his career path has been far from conventional.
By being part of developer teams in early-stage startups and working hand to hand with founding teams, he has been able to get a grasp on how developers and security teams see the same product in very different ways, and the common friction points that come from their interactions.
In this episode, Nico shared his experience and taught us his secret sauce: Advocating for engineering in the security team and advocating for security in the engineering team.
Topics discussed in this episode:
Nico's background and how he landed in the application security field.
How developers and security people think differently.
How to make developers embrace security values.
How to approach proof of vulnerability requests.
The importance of integrating decision makers in product and application security.
Advice for AppSec managers to build strong relationships that work for both, security and engineering teams.
What critical skills you need to build an ideal AppSec team.
Keys to success in operating a Security Champions program.
3 Pieces of advice for leaders that want to build and scale an AppSec program.
Your Title
This is the description area. You can write an introduction or add anything you want to tell your audience. This can help potential listeners better understand and become interested in your podcast. Think about what will motivate them to hit the play button. What is your podcast about? What makes it unique? This is your chance to introduce your podcast and grab their attention.