The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the bes
In this episode of the Future of Application Security podcast, Harshil speaks with Abdullah Munawar, Director of Product Security at Appian. Abdullah shares valuable insights into his journey from security assessments and consulting to leading product security efforts, discussing the evolving challenges and strategies for building effective security programs in modern development environments. He discusses the importance of evolving security practices beyond identification to implementation within organizations, including the need for a holistic approach to product security and a focus on high-priority vulnerabilities. Abdullah also explains the challenges of maintaining data quality in AI companies. Topics discussed: The transition from consulting to in-house product security and the importance of hands-on experience in understanding the challenges of implementing security fixes and mechanisms. Defining the scope of product security in the context of decentralized development practices and the shift towards "you build it, you manage it" approaches. The changing role and structure of product security teams to address the full stack of security concerns, from architecture and automation to traditional AppSec tasks. Strategies for driving remediation and adoption of security practices, including leadership buy-in, targeted automation, and empathy-building initiatives like security champion programs. Emerging challenges in product security related to AI and data management, such as data poisoning, segregation, and unintended leakage.
In our latest episode of the Future of Application Security podcast, Nat Mokry, VP of Application & Product Security at Xbox (formerly of Activision Blizzard at the time of recording), shares valuable insights into the world of application security, from the mission of defending player trust to emphasizing the importance of technical skills in cybersecurity. Nat provides guidance on building effective security teams and navigating the evolving challenges in the industry. Topics discussed: Earning and defending player trust as a guiding principle of business and strategies for making mission statements actionable. Building and structuring a diverse security team, and the challenges faced by appsec teams in the current landscape. The concept of the "piggy bank of trust" in security relationships that Nat says helps him and his team remember that people skills are important too. Balancing technical expertise and security knowledge, depending on what your data is telling you. Having the humility to ask questions and not have all the answers. The difference between solving problems for people and minimizing the chances of them doing something wrong.
In this episode of the Future of Application Security podcast, Harshil interviews Felix Matenaar, Head of Product Security at Asana. Felix shares insights into his journey from Germany to Silicon Valley, where he transitioned from mobile security to leading Asana's product security efforts. The conversation highlights Felix's experience in creating security frameworks that eliminate vulnerabilities by building secure product lifecycles and ensuring alignment with business objectives. His approach integrates rigorous security measures directly into the development process, reflecting Asana's commitment to robust, proactive security. Topics Discussed: Felix discusses his transition from software engineering to product security and his strategic move from Google to Asana. Strategies for integrating security seamlessly into product development to enhance safety without compromising functionality. How effective security practices can accelerate business processes and foster trust with users. The importance of collaboration across different organizational functions to ensure comprehensive security coverage. The role of leadership in fostering a security-centric culture within tech companies. Insights into upcoming challenges and innovations in the field of application security.
In this episode of the Future of Application Security, Harshil speaks with Steve Lukose, Vice President of Security at Clari, about how security is becoming a business enabler rather than just an organization. Steve explains why SLAs will become one of the benchmarks for security experts to use, but that it won't necessarily be for all aspects of security. Still, they'll be a great tool to help security organizations plan ahead for their next steps. They also discuss the importance of cross-functional collaboration, why your team should build relationships outside of the group, and how regulatory bodies are driving change. Topics discussed: The importance of building relationships within your team and outside of it. Why SLAs will become a benchmark for security leaders to use for planning their next business steps. How security leaders can work with their teams, partners such as engineers, and stakeholders to make sure they stay on track and keep focus. How product managers can help facilitate projects by understanding what each stakeholder needs. How security transcends barriers by becoming a business enabler, shifting from a restrictive function to one that supports and enhances organizational objectives and growth. The importance of cross-functional collaboration. How scrutiny from regulatory bodies such as the SEC is driving change.
In this episode of the Future of Application Security, Harshil speaks with Aruneesh Salhotra, CEO and Fractional CISO, SNM Consulting Inc. They discuss the unique challenges and opportunities of application security in the financial sector, including how the "necessary evil" of regulations is increasing accountability around security efforts. They also talk about the need for more vigilant software supply chain security, two better approaches to vulnerability management, and how AI can create self-sufficiency among developers. Topics discussed: The "necessary evil" of regulations and how they're increasing accountability around data storage, pen testing, and more. Two approaches security teams can take to better manage application vulnerabilities: a call graph and runtime SCA. What your attack surface is and how to effectively manage it. The increasing importance of software supply chain security and the value of establishing an open source program office. Why security should be everyone's job and how adopting security today will bear fruit tomorrow. How AI can increase developer self-sufficiency by giving feedback and insights on security actions.
In this episode of the Future of Application Security, Harshil speaks with Christine Gadsby, VP, Product Security at BlackBerry, a software company specializing in cybersecurity. They discuss the new initiatives driving software transparency, like SBOMs and VEX, and how adoption will not only come from regulations but from companies holding their software suppliers more accountable. They also talk about the need for better telemetry practices and more connected tooling and how security professionals can get involved in industry change and mentorship. Topics discussed: The important role frameworks like NIST 800-218 and CISA's Secure By Design will play in establishing standards. The ways in which SBOMs and VEX are driving software transparency that will keep customers safer. How commercial industries will increase their software supplier accountability in response to the rising cost of insecurity. How many companies lack knowledge about what's in the software they sell and the importance of having good telemetry practices. Why lack of good tools and the ability to connect tools is a challenge to product security today. Advice to security professionals about not letting things like SBOM and VEX get away from you as you prepare for the future of software development. How product security professionals can get involved with industry efforts to drive change.
In this episode of the Future of Application Security, Harshil speaks with Chad Girouard, AVP Application Security at LPL Financial, a provider of investment and business solutions. They discuss how security teams can better engage with developers, and how they can encourage secure coding through scanning tools and security champion programs. They also talk about how to manage the "results deluge" with single-pane-of-glass tools, how AI can help with more meaningful reporting, and why security buy-in is a team effort. Topics discussed: How to manage the various challenges of application security: competing tools, relationships, maturity, and more. How to bridge the different priorities of security teams and developers. How to encourage more secure coding by shifting left and developing a security champions program. Why leading and implementing security buy-in and processes is a team effort across the organization. How to manage today's “results deluge” with single-pane-of-glass tools and more meaningful reporting. How AI can help discern real findings from all the information that a security team collects. What's the most important security metric to measure in 2024? It's Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt
In this episode of the Future of Application Security, Harshil speaks with Dave Ferguson, Director of Technical Product Management, Software Supply Chain Security at ReversingLabs, which offers a software supply chain security analysis platform. They discuss the rising need for software supply chain security as a result of the complexities around how software is built today. They also talk about ways to identify novel attacks through analyzing software behaviors, how efforts like SBOMs and registries help increase transparency, and why software supply chain security needs to evolve from just looking for vulnerabilities. Topics discussed: How Dave's diverse background in security, as well as his interest piqued by the SolarWinds and 3CX attacks, led to his focus on software supply chain security today. How a product manager leads by working with development teams, meeting with customers, incorporating new features and integrations, and helping bring new solutions to market. How the complexities associated with building software today — like open source and automation — have increased the possibility of adversaries slipping in. Why analyzing software behavior across previous builds and seeing what's changed can help flag novel attacks. Today's trends that are increasing transparency in software creation, including the rising demand for SBOMs and the possibility of trust registries for commercial software. Why software supply chain security approaches need to move beyond just looking at vulnerabilities to find ways to root out all malicious activity. DOWNLOAD: Today, most application security tools are designed to find vulnerabilities, not fix them. What is noise and what is risk? And, more importantly, how do you accelerate the remediation of the most critical vulnerabilities?
The answer lies within one key metric — Mean Time to Remediate (MTTR). Taking a better strategy to decrease your MTTR and keep your organization safe can begin today — download the paper to learn how.
In this episode of the Future of Application Security, Harshil speaks with Curtis Koenig, Head of Application Security at Gen, a multinational software company that provides cybersecurity software and services. They discuss why it's key to be able to articulate why security matters and how it impacts business goals, and what Curtis has learned about how different industries approach risk. They also talk about how security can help engineering be more efficient by speaking their language, various metrics that can assess your training and communication, and what the future of LLMs and security looks like. Topics discussed: Curtis's background in various industries and what he's learned about how culture, goals, and risk vary. How learning about a company's culture and goals first can help you translate how security matters to them. How to create a security strategy roadmap, how often to revisit those goals, and how to incorporate frameworks to sell across the business. How security can help engineering be more efficient by speaking their language and translating information into actionable tasks. What metrics to track that can help you learn more about how well your training and operations are working. How LLMs are helping with software development today, and why they can introduce more security issues if developers aren't thinking wisely about using them.
In this episode of the Future of Application Security, Harshil speaks with Arthur Loris, Senior Manager, Product Security at Ping Identity, a company that provides self-hosted identity access management (IAM) solutions. They discuss what product security constitutes at Ping Identity, the biggest challenge to great product security, and how security teams need more strategic, tactical plans to achieve their goals. They also talk about better approaches to risk remediation and why it's more effective to tell the story about how your security efforts improved the organization instead of just generating tickets. Topics discussed: How Ping Identity defines product security. The biggest challenge to product security, which involves building good partnerships with the engineering team. How security teams can be better messengers of tasks that are created by the threat landscape. A better approach to risk remediation and how to think about it at scale. Better ways of measuring your security efforts, and why telling a story about your impact — like how much money you saved — is more effective than simply generating tickets. How security teams can flatten the learning curve when understanding the development process. What the future of product security will look like, and why it should include an increased focus on strategy.
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with James Wickett, co-founder and CEO of DryRun Security, a company that provides security products for developers. They discuss the misaligned incentives between developers and security and how teams can learn how to speak the same language to increase value. They also talk about how the SLIDE Model helps with context analysis, why you should focus less on control and more on context and composition in your security, and how organizations can close their knowledge gaps. Topics discussed: Some of the frictions between security and developers, including how incentives are often misaligned and how each team has a different focus. How to talk the same language so that security and developers can build relationships that bring value to their organizations. What the SLIDE Model is and how it can help you better understand the context of your security actions and your priorities. How organizations can fill in their knowledge gaps and why it's key to return to first principles in a world of automation and tooling. How security impacts an organization through control, composition, and context, and why organizations should lessen their dependence on control. How security is like barbeque, and why Oklahoma is a great analogy for a DevSec model.
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Colleen Dai, Senior Security Researcher at Semgrep, an open source static analysis tool. They discuss strategies security teams can take to reduce false positives, use secure defaults to eliminate bug classes, and reduce complexity in security decision-making. They also talk about ways to build the relationships between security, developers, and engineers, which includes aligning on goals, communication, and recognition. Topics discussed: Colleen's background and what her security research role at Semgrep entails. How to use secure defaults to eliminate bug classes and reduce the complexity in security decisions. How to reduce false positives by writing rules and checks, especially ones that are customized to your organization. How to better align the goals of security and developers by focusing on creating good software — and good software is secure software. How to build relationships with engineers through communication and recognition, not just talking through Jira tickets. Why security and developers still struggle with cross-site scripting and how it can be fixed.
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Johnathan Kuskos, Founder of Chaotic Good Information Security, a boutique professional services company. They discuss what it's like to be a pen tester, some of the unusual things found during testing, and how the 15 Minutes Rule helps you not waste time during your testing. They also talk about the tradeoffs of security when it comes to “good, fast, or cheap,” simple ways to determine priorities, and how to strengthen relationships between security and developers. Topics discussed: How security and developers can close divides through better communication and more forward thinking. Why security can't necessarily have an approach that's good, fast, and cheap, but how they make compromises to have a bit of all three. How to determine your security priorities, and how to perform a smoke test to see where security overlaps with other departments to identify those priorities. Some of the stranger things found during pen testing, including a git folder on a website. Why vulnerability and exploitability are two different things, and how to assess both. How the 15 Minutes Rule can help you assess as much functionality as possible, and why it sometimes exposes more gaps in playbooks and incident response than intended.
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Jim Manico, Founder and CEO of Manicode Security, a secure coding education firm. They discuss the various challenges around certain items on the OWASP Top Ten list, including server side request forgery and access control, and how security and developers can partner for better logging and alerting. They also talk about the courses Jim offers and why the biggest one in demand today is AI and security. Topics discussed: What are the biggest changes in the OWASP Top Ten, and the challenges that accompany two of the list's issues: server side request forgery and access control. What issue is Jim surprised to see on the OWASP Top Ten. How developers and security can work more closely together to create a better approach to logging and alerting. Why the best approach to DevOps is to have it as a service and a liaison team, not as a merger of individuals from across the organization. Why training on AI and security is increasing in demand today. How security professionals and developers are like professional wrestling superstars.
In this episode of the Future of Application Security, Harshil speaks with Madjid Nakhjiri, Head of Product Security and Lead Security Architect at TuSimple, a global autonomous driving technology company. They discuss the current landscape of automotive security today, why the industry is expanding its safety initiatives to cyber security initiatives, and the standards rising up to ensure that security. They also discuss the challenges to threat analysis and remote testing for vehicles, and what role VSOCs and AI will play in the future of automotive security. Topics discussed: An overview of the current landscape of automotive security, and how the automotive industry, which already has a long history of safety initiatives, is now turning its attention to cyber security. The standards that are being put in place for automotive companies around the world, and how companies are trying to meet those standards. Why the automotive industry needs experienced product security practitioners in order to perform effective architecture analysis. The challenges to performing threat detection and remote pen testing on vehicles, and why threat analysis needs to be as automated and virtualized as possible. What the future of automotive security looks like, why we'll see a rise in VSOCs, and what role AI will play.
In this episode of the Future of Application Security, Harshil speaks with David Kosorok, Director of AppSec at Toast, a restaurant point of sale and management system. They discuss how to build an application security program from the ground up by prioritizing initiatives, establishing security champions, and bringing in great people — and why gathering and analyzing good data is the foundation to it all. They also discuss how to identify and fix struggles your team may have, why collaborating with product managers is key, and ways in which to positively impact security culture. Topics discussed: How to build an appsec program from the ground up by establishing and prioritizing initiatives, leveraging security champions and ambassadors, identifying resources, and bringing in great people. The importance of collecting and analyzing data in order to gain clarity and understanding on the current state of security and where to take action. Why working with product managers is key to building better security programs, and how to build trust and collaboration with others across the organization. How to identify struggles the team is having in implementing security standards, and how to improve processes through education and vision. How to impact security culture by increasing transparency through regular open meetings, storytelling, and inspiration. How David has mentored individuals who went on to join the security community. The importance of sharing learnings with the security community to increase overall education and awareness.
In this episode of the Future of Application Security, Harshil speaks with Tim Kelly, Director, Security Engineering at Workrise, a technology company with a platform that supports the energy workforce. They discuss the importance of collecting, storing, and analyzing data in order to enhance application security efforts, and how to go about building a data program that does that. They also discuss the ways in which you can use data to inform your security efforts, how to use data to help you inventory and prioritize vulnerability management, how to get to a 100% success rate with data-backed solutions, and what the future of data-driven application security will look like. Topics discussed: How Tim's background in experimental psychology and data analytics informs his work as the Director of Security Engineering. The definition of data engineering and how the practice can apply to application security. Why data is important for security and how a big part of collecting and analyzing data for its insights is because "you can't secure what you can't see." How to play into your strengths when building a data program by looking at your current capabilities, including leveraging a business insights team. How you can use data to determine the efficiency of your vulnerability management program, how to monitor performance, and how to find out where your efforts are producing the most value. The benefits of using data to inform your security approach, and how to get to 100% success rates with fixes by doing so. What the future of application security will look like and how teams can integrate more data analysis practices.
In this episode of the Future of Application Security, Harshil speaks with Derek Samford, Senior Director of Product Security at Avalara, a company that builds cloud-based tax compliance solutions. They discuss Derek's approach to product security, including how his team uses data to drive visibility, how feedback loops can build maturity, and how they create application grade cards that inform remediation efforts. They also discuss how everyone is invited to contribute to product security solutions, how they create custom training for each new process, and the importance of empathy. Topics discussed: How Derek's varied background brought him from network engineering to scalability and performance testing, to field support, to building a security validation team, to today building applications at Avalara from the ground up. Why empathy is the most important skill you can have in security, and why it allows you to help others do their best work. How Derek's team practically approaches security, from running the same tools developers do, to having a strong security champions program, to encouraging open feedback. How Avalara builds collaboration by inviting anyone who wants to contribute to security solutions to be part of the working group. How Avalara uses data to help them understand what they're protecting, to gain greater visibility, and to unify their processes. How standardized processes and feedback loops create maturity over time. The importance of education, and why they create training specific to the organization that focuses on "our tools, our processes, and our recommendations around security."
In this episode of the Future of Application Security, Harshil speaks with Jacob Salassi, Director, Product Security at Snowflake, a cloud computing and data management company. They discuss how Snowflake approaches product security — from what they expect engineers and developers to do, to their risk-based reporting — and why Jacob takes a scientific approach to it. They also discuss how Jacob's team creates property graphs to better understand risk flows and what to prioritize, automated threat detection, how they're writing more intelligent detections at scale, and the challenges of big data to product security. Topics discussed: How Snowflake approaches product security, including how they build autonomy for engineers through repeatable processes; how they optimize for business value and not just security outcomes; and why they take a quantitative risk-based reporting approach. Why Jacob takes a "science, not art" approach to product security, and why he defines product security as anything related to the security posture of the service. The ways in which data-at-scale and disparate data sources prove to be a challenge for threat detection, and why security teams can benefit from pulling together those sources so they can uniformly analyze data across systems. How Jacob's team created and scaled a repeatable and structured method to risk-assess every new feature that's being shipped. How this method of risk assessment and scoring helps uncover dynamics in their environment, gives developers better prioritization of their work, and enables automated threat detection. Challenges to the observability problem of who can own and access data, how many people are ingesting APIs, how much it's costing, and other access concerns. The ways in which they're communicating KPIs and risk posture through live dashboards, and how they're thinking about powering quantitative risk analysis and forecasting through those dashboards.
In this episode of the Future of Application Security, Harshil speaks with Helen Oakley, Lead Architect for Software Supply Chain Security at SAP, which develops enterprise software for business operations. They discuss the need for software supply chain security, especially considering how much of software is open source today, and what the current state of adoption is across industries. They also discuss how you can optimize SBOMs and the misconceptions around them, where organizations can start implementing software supply chain security, and why it's needed to protect both infrastructure and human life. Topics discussed: What software supply chain security is, and the different considerations — like open source components — that make it a priority for organizations today. The current state of adoption for software supply chain security, the challenges to adoption, and which industries are on the forefront while others lag behind. How software supply chain security and SBOMs will evolve, especially considering the need for safety around digitally-connected devices that can impact human well-being. Some of the misconceptions around what SBOMs offer, and what more has to be done in addition to SBOM implementation to make supply chains more secure. Advice for organizations looking to get started on or ramp up their software supply chain security approach, which includes improving SBOM quality and automation. How to be prepared to receive and consume SBOMs from vendors, and what tools to use to analyze that data. What types of benefits and risks AI will pose for software supply chain security in the future, especially around transparency.
In this episode of the Future of Application Security, Harshil speaks with Steve Springett. They discuss the broad definition of what software supply chain security is, the implementation of SBOMs after the White House's Executive Order, and how organizations can effectively adopt, operationalize, and use SBOMs. They also discuss the biggest drivers for better software supply chain security, why you need to manage more than just vulnerabilities, and how organizations can start chipping away at their software supply chain security problems. Topics discussed: Steve's broadly encompassing definition of software supply chain security. How organizations scrambled to adopt and operationalize SBOMs after the White House's Executive Order, and why Steve started SCVS (OWASP Software Component Verification Standard) as a response. Why software supply chain security goes beyond just understanding and addressing your vulnerabilities, but should include knowing your inventory, and the pedigree and provenance of your assets. Why SBOMs have suddenly gained in popularity, likely because of supply chain attacks and breach fatigue and the need for better solutions. What to do with an SBOM: how do you share it, how can you request it at scale, how can you analyze it, and what do you do with it once you have it. How to address the vulnerabilities that are listed in an SBOM that will remain unexploitable, and how to ensure the customer experience isn't negatively impacted by that list. How machine learning may play a role in better understanding risk across the software supply chain. Why capitalism and customer demand will be the biggest driver in pushing forward advancements in software supply chain security.
In this episode of the Future of Application Security, Harshil speaks with Prajakta Badhe, Manager of Product Security at Origami Risk, which provides risk software to the insurance industry. They discuss how product security is different from application security, the ways in which Prajakta evaluates a product's risk, and why she always gives context as to why a vulnerability needs remediation. They also discuss the security culture at Origami Risk, three steps for building a robust security program, and where AI will fit into product security's future. Topics discussed: The evolution of Prajakta's career, starting as a quality assurance engineer, then leading a team of pen testers at Norton, to now leading product security at Origami Risk. The difference between product security and application security, and how they are "two different pillars" of security. What skills, background, and knowledge Prajakta looks for when hiring for product security. The two things Prajakta looks at when evaluating a product's risk, and the ways in which to prioritize that risk. Why Prajakta creates a list of the organization's unique top ten risks and how she uses that list for training purposes. How to create more meaningful training for developers. Three steps for building a security program, including establishing a baseline, creating ways to scale, and modernizing as you go. The reasons why Origami Risk has a strong security culture, and why that's a benefit to all. What the future of product security holds, including the benefits and challenges of integrating AI-powered tools.
In this episode of the Future of Application Security, Harshil speaks with Anthony Ungerman, VP Product Security at Avalara, a tax software company. They discuss what product security encompasses beyond application security, how the security team at Avalara works with engineers, and how they articulate business value to increase security implementation. They also discuss security automation, approaches for security training, and what's in store for the future of product security. Topics discussed: The evolution of Anthony's career as a "lifelong computer junkie," including how he was introduced to security, and how he learned security by practicing on his kids' web traffic. How Anthony defines product security, why it's broader than application security, and what it encompasses. How Avalara's security team works with the engineering team, and how they leverage security champions to implement security initiatives. How security-mindedness is expanding, from the boardroom to customers, prompted by data privacy regulation like EU GDPR and the edicts from the White House. How to get more security buy-in by being able to explain how initiatives tie back to business objectives. A summary of articles Anthony wrote about how to automate application security programs. What types of training they're offering to ramp engineers up on security best practices — and what consequences are in place if they don't complete training. How the future of product security will be shaped by privacy regulations, generative learning, and all-encompassing dashboards.
Tanya Janca, Founder of We Hack Purple, and Eric Sheridan, Chief Innovation Officer at Tromzo, join us for a special episode of the Future of Application Security Podcast. This episode was originally recorded as a LinkedIn Live on June 25, 2023. Tanya and Eric discuss how understanding the context in which applications operate is crucial for effective AppSec prioritization. You don't want to miss this insightful session to uncover how to choose AppSec priorities based on software supply chain security, code-to-cloud business context, and metrics. Let's empower organizations to strengthen their Application, Product, and Cloud Security practices and stay ahead of emerging threats. Topics discussed: The significance of software supply chain security and the importance of preventive controls that integrate security policies throughout the SDLC. How code to cloud business context emphasizes the need to consider various business models, ownership structures, and how they influence security requirements. Where leveraging metrics effectively can enhance an organization's AppSec posture and mitigate risks.
In this episode of the Future of Application Security, Harshil speaks with Joe Basirico, Senior Director of Product Security at Highspot, a sales enablement platform. They discuss how product security's evolution has increased its focus on relationships and trust-building, why security is like fixing a leaky faucet, and how to prioritize for more efficiency and impact. They also discuss where product security is going and how AI will help it get there, the elements for security at scale, and how to better collaborate with developers. Topics discussed: Why Joe "fell in love with security" and how his career evolved from developer to pen tester to trainer, back to developer, and now to leader of a product security team. How product security has shifted to building trust and relationships among teams and customers — and why you should hire for hard and soft skills like empathy. Why security is like a leaky faucet, and why you should turn off the tap — or, fix the influx of vulnerabilities — before you spend time cleaning up the mess. How to prioritize what to focus on first, and why execution trumps prioritization when it comes to getting stuff done. What Joe does to make developers more successful through collaboration and solving problems together. The three elements Joe considers key for security at scale: awareness, enablement, and detection. The ways in which Joe and the security team distribute knowledge across the organization, including "hijacking October" for talks during Cybersecurity Awareness Month. What the future of product security will look like, and how AI tools will play a role in shaping it.
In this episode of the Future of Application Security, Harshil speaks with Mike de Libero, Director of Product Security at iHerb, an online health and wellness shop. They discuss the ways in which automation helps lighten the workload and creates more consistency, when you need to hire someone for security automation, and what to look for when scaling visibility. They also discuss how the role of product security has evolved, the benefits and drawbacks of today's tools, and how to build more effective remediation. Topics discussed: How to implement automation to lighten the load of product security engineers and to create a more consistent experience for everyone. What to look for and what questions to ask in order to scale your visibility. How to know if it's the right time to hire someone for security automation — and why you should borrow someone from the dev team first. How product security has changed over the years, including its shift from testing and finding issues to building libraries, controls, and frameworks to help dev teams push code out quicker. How to group classes of security issues in order to streamline remediation, and how Mike's team went from 1900 tickets to 30 with this practice. How Mike's background as a programmer gives him more understanding and empathy in his role as Director of Product Security at iHerb, LLC. What Mike learned about product security at different companies in the past, including Salesforce, Microsoft, Uber, and Unity.
In this episode of the Future of Application Security, Harshil speaks with Warren Kopp, Application Security Consultant at Coalfire, a cybersecurity advisor. Together they discuss how better application security involves building relationships with the people behind the processes, and why skills like communication, collaboration, and an understanding of psychology are keys to moving security initiatives forward. They also discuss the increasing availability of security training today, how to think more aggressively about security, and why the future of AppSec will focus on expansion. Topics discussed: How Warren "backed into technology" after getting a degree in animation, and his experiences inside an enterprise software company before becoming a consultant with Coalfire. Why security isn't just a technology problem and how you need to find the people behind the processes, get to know their struggles, and compromise in order to build great AppSec initiatives. Why one of the key skills any security person can have is communication, and why clearly articulating business impact can help with getting buy-in. The need for not just training in hard security skills, but in soft skills like communication and psychology in order to meet people where they are and better understand their needs. How to look for opportunities for collaboration in your organization, and why it's key to talk to others (over the phone or over lunch) and build your network. How teams can leverage automation, and why you need to think more aggressively about AppSec in order to open up new opportunities. The current state of AppSec, and the growing availability of training and information-sharing through more informal channels like YouTube that can increase impact and reduce struggle. Why the future of application security involves teams being more aggressive, more iterative, and growing quicker.
In this episode of the Future of Application Security, Harshil speaks with Ariel Shin, Senior Product Security Engineer at Twilio, a company that provides businesses the tools to connect with customers through automated messaging. Ariel shares the story of how she implemented a democratized, centralized vulnerability management program at Twilio, which included conducting interviews to gauge the current state of vulnerability management, designing a new process that got everyone on the same page, getting buy-in by going on a roadshow across the company, and how they're currently managing the program after rollout. Topics discussed: Ariel's journey through Twilio's acquisition of Segment, going from a culture of a few hundred developers to a few thousand building many different projects. How Ariel designed and implemented a democratized, centralized vulnerability management process by getting buy-in from security, engineering, and leadership, and socializing the process. The importance of a centralized vulnerability management process to reduce confusion and easily see all vulnerabilities in one place, and how to make risk everyone's responsibility. How, in order to uncover problems to address, Ariel interviewed security team members, developers, engineers, and other stakeholders, and created a flowchart of the current state of vulnerability management. The necessity of approaching security holistically, and not thinking about security just in terms of the industries or silos created in an organization. Identifying the pain points of an organization's security approach, and how to use those pain points to articulate the change needed for an organization. How Ariel rolled out the new vulnerability management program through a roadshow across the organization, articulating what the changes were and how they improved security to increase buy-in. How Ariel and the security team created three dashboards so stakeholders could better understand their security posture: one for ticket triage, one for engineers to understand the tickets, and the third for leadership.
In the ever-evolving landscape of application security, organizations face the challenge of effectively scaling and growing their AppSec programs. On this episode of the Future of Application Security podcast, Harshil Parikh interviews Ty Sbano, the CISO of Vercel, who brings years of experience and expertise in the field of cybersecurity. During their conversation, Ty and Harshil share their experiences and learnings from scaling AppSec programs in small and large organizations. They also address topics such as gaining visibility into software artifacts, asset ownership and responsibility, and identifying critical tools for the business. Topics discussed: The importance of having a comprehensive understanding of software artifacts to ensure their security. How collaboration between development teams, security teams, and asset owners can help foster a proactive approach to addressing vulnerabilities and mitigating risks. The shift from first-party code to third-party code. Who owns the code, and how they take accountability for what is shipped. How organizations can conduct regular assessments and evaluations to identify which tools are truly important to the business and prioritize their investments accordingly. To learn more about scaling and growing AppSec programs, we highly recommend listening to the full episode.
In this episode of the Future of Application Security, Harshil speaks with Sri Pulla, Director, Application Security at Cloudflare, a company that wants to "build a better internet" through its cloud platform of network services. They discuss how Cloudflare protects its products, uses risk scoring for prioritization and decision making, and why the engineering team must answer a security questionnaire before each deployment. They also discuss how to better collaborate across teams — engineering, privacy, compliance, and legal — and how Cloudflare is moving to a centralized team model to better scale their security. Topics discussed: The evolution of Sri's career, including her background as a software engineer, how she's been at "the right place at the right time" to help big companies rebuild apps after data breaches, and how she joined Cloudflare as the Director of Application Security. Why Cloudflare is moving from a decentralized model where security engineers were embedded in product teams to a centralized model so security can scale better. How AppSec fits into the SDLC, and how before each product is shipped, the review process includes a security questionnaire about the changes being deployed. How Cloudflare defines a product, how they use risk scores to determine which products to prioritize, and how they're integrating more data privacy. Why the future of AppSec will be found in collaboration, and how the security team and engineering team can support one another. How security teams need to be prepared for a future where the cloud is here to stay, and how to sustain a model where products are secure even after deployment. What skills Sri looks for when hiring, which includes some kind of programming or products background that can help build empathy with software engineers.
In this episode of the Future of Application Security, Harshil speaks with Jason Espone, Global Head — Application Security Engineering | Cybersecurity at C.H. Robinson, the world's most powerful logistics platform allowing customers to ship goods around the world. They discuss the challenges of addressing tech debt at a 117-year-old company, strategies to manage a vast application portfolio, and the importance of being able to articulate risk to leadership. They also discuss how application security plays a part in business resiliency, and how to think about data-driven application security. Topics discussed: Jason's career evolution, from starting as a Java developer, to moving to software configuration management at Motorola Labs, to building and scaling DevSecOps platforms, to becoming the Global Head of Application Security Engineering and Cybersecurity at C.H. Robinson. The challenges of application security at a 117-year-old company, including how to solve the tech debt that's accumulated over the organization's history. The importance of not only understanding the risk to your business, but being able to articulate that risk to leadership for better prioritization. Understanding the landscape of applications by building a portfolio of applications, ranking by risk and other factors, and using a tool like Backstage to manage and prioritize it all. How C.H. Robinson uses metrics to evaluate each product line and its security posture to create an overall risk score of the organization and improve business resiliency. Why it's important to have data drive your application security strategy. What the future of application security looks like, including how security will integrate AI, the rising importance of threat modeling, and why IAM is the future of security.
In this special edition of the Future of Application Security podcast, Harshil speaks with Matt Johansen, Principal Security Architect at Reddit, a community and content-sharing site, and Clint Gibler, Head of Security Research at Semgrep, an open source static analysis tool. Together they discuss how the world of AppSec has changed, including the more widespread adoption of a shift-left mentality, and how more best-in-breed tools are being created for developers today. They also discuss the ways in which you can adopt frameworks and tooling into current workflows, how to meet developers where they are, and how to incentivize practicing good security habits. Topics discussed: How the world of AppSec has changed, going from a niche part of a security program to something everyone started focusing on, and how the industry has adopted a shift-left mindset while making more tools available for developers. How the evolution of frameworks is helping to prevent vulnerabilities and reduce risk, sometimes more so than security tools. How best-in-breed tooling is moving from generating tickets to be thrown over the fence, to speaking to developers in the language they know. The current state of in-house security expertise, and why security teams still need to lead with prioritization and the value-add of security, yet are beginning to hire team members who can write code. How to move security frameworks into the systems developers use every day — and how to incentivize developers to adopt those frameworks in the first place. The ways in which gamification and public dashboards have helped increase security adoption and reward good behavior. Why it's better to focus on and invest in solving the top vulnerabilities and issues than be sidetracked by the "long tail" of thousands of vulnerabilities that will never get touched.
In this episode of the Future of Application Security, Harshil speaks with Emre Saglam, Head of Security and Compliance at Dremio, a data lakehouse that empowers data engineers and analysts with easy-to-use self-service SQL analytics. They discuss the current state of AppSec, including how to improve security by prioritizing business implications, using frameworks, and having tools "closer to the ground." They also talk about how to structure security teams, how much time you should spend with product teams, what skills are needed for future success, and more. Topics discussed: Emre's career evolution in security, from breaking into mailboxes as a kid growing up in Turkey, to starting a Linux group in the 1990s, to working at places like World Bank and Salesforce before becoming the Head of Security and Compliance at Dremio. The current challenges of Product Security, including the need for bigger companies to create ways to glue together their disconnections, and why security teams need to prioritize overall business implications and impact. How security is improving through the use of frameworks and tools that are "closer to the ground," making security easier to scale. Why security teams should adopt strategies like injecting security across each phase of product development, and why security teams should spend more time with the product team. How to structure security teams in terms of which skills to hire, how much time to dedicate to the product side, how to keep up morale and motivation, and how to align teams to create secure products for customers. How security teams can bring attention to areas where they may need more resources, planning, or prioritization, and why alignment with leadership is key. Why curiosity, questioning intention, being firm, having a Plan B, and good communication are skills that security team members must acquire in order to be successful. Why the future of product security will bring better correlation, deduplication, and fewer false positives, and how AI will contribute to being able to write better code.
In this episode of the Future of Application Security, Harshil speaks with Mohit Kalra, Vice President of Product Security at Sprinklr, a platform that enables the world's largest enterprises to market, advertise, research, care, and engage consumers. Together, they take a look at the overall management of product security in a SaaS organization that needs to keep a large amount of customer data safe. Mohit's advice includes how to prioritize your product security program, become more aware of your environment, make listening and learning a security process, and other useful tips, tricks, and strategies that any security leader can take and apply to their team today. Topics discussed: How a Product Security leader should think about security maturity, for more reliable and repeatable actions. Why it's key to better understand your products and applications before you implement preventative controls. How to become more aware of what you have in your environment, where to start if you don't know what to secure, and how to create processes for remediation of issues that you find. How to establish listening as a process, and why it's key in getting to better know your products, teams, and business trajectory. Why ProdSec is an incremental process and has a problem of prioritization. How to calculate your organization's risk, and why security starts with assessing the needs of the company. Why the best approach to remediation is to strategically ticket your security backlog, and how to do so in order to make the most progress.
In this episode of the Future of Application Security, Harshil speaks with Derek Fisher, the Head of Product Security at Envestnet, a publicly traded financial technology company that connects people's daily financial decisions with their long-term financial goals. Derek is a highly accomplished professional with an exceptional track record in engineering and information security. With his experience as an award-winning author, speaker, leader, and university instructor, Derek provides valuable insights into the world of application security and risk management. Key topics discussed: The step-by-step approach to build a mature application security program. Utilizing tools like dynamic scanners and software composition analysis for vulnerability management. Collaboration with product and engineering teams to stay informed about upcoming changes. Importance of early involvement in the development lifecycle to enhance security. The role of enterprise architecture teams in the application security process. Challenges in tracking and responding to development team activities in agile environments. Resources mentioned: Derek's book, "The Application Security Program Handbook"; Derek's children's book, "Alicia Connected".
In this podcast episode of the Future of Application Security, Harshil speaks to Cassie Crossley, VP of Supply Chain Security at Schneider Electric, a global specialist in energy management and automation. Cassie is responsible for overseeing the cybersecurity strategy and ensuring the security of the company's products and services. With a wealth of experience from her leadership roles at well-known companies like Ceridian, Hewlett-Packard, McAfee, Lotus, and IBM, Cassie brings a unique perspective and valuable insights to the discussion on software supply chain security. Key Topics Discussed: Addressing sophisticated threats in software supply chains. Integrating supply chain security into CISO priorities. Focusing on third-party suppliers and open source risks. Utilizing tools and frameworks like SSDF for supply chain security. Understanding and evaluating supply chain risks for CISOs. Developing IoT cybersecurity standards.
In this special episode of the Future of Application Security, Harshil interviews Eric Sheridan, Tromzo's recently appointed Chief Innovation Officer. Eric shares his 20-year journey in security, from his teenage encounter with Punters (little apps that would flood the target with AIM messages and knock them offline) to developing innovative security technologies at companies including WhiteHat Security (now part of Synopsys). They discuss Eric's experience in building security testing tools, co-founding a company specializing in scanning source code for vulnerabilities, and working on various application security projects throughout his career. The conversation delves into the current challenges and future trends of software and cloud security, emphasizing the need for a holistic approach, the importance of democratizing security, and how to integrate security into the workflows of developers and decision-makers. Key topics discussed throughout the conversation: Understanding an organization's assets and the importance of a single pane of glass for visibility. The role of product security teams in providing guidance and operational support to engineering teams. The impact of developer-oriented products on security and the future role of application security engineers. Benefits of automated policy enforcement and integrating security into CI/CD pipelines. Importance of actionable insights for risk owners to effectively remediate vulnerabilities. The evolving role of application security teams in the context of democratizing security. The importance of integrating security products within non-traditional security tooling platforms, such as GitHub, GitLab, JFrog, and Datadog.
In this episode, Harshil is joined by Martin Nystrom, Vice President Of Product Security at Lumen. Lumen is the world's largest provider of communications, network services, and cloud security solutions. The Lumen platform enables companies to capitalize on emerging technologies and next-gen business applications, offering simplified security solutions that allow their customers to shift their focus from IT to innovation. Topics Discussed: The future of application security and the implications of security management in a multi-cloud environment. Martin's advice for product security professionals starting out in the application security space. How OKRs can help differentiate the roles of the CISO (chief information security officer) and CPSO (chief product security officer). The similarities and differences between Lumen's security structure and other traditional organizations. The importance of incorporating product management capabilities into security.
KnowBe4 is the world's largest integrated Security Awareness Training and Simulated Phishing platform. KnowBe4's training program is designed to help organizations address their most pressing IT security issues. With proper security awareness training, teams are able to make better security decisions, and help build a strong security culture within their organization. In this episode, Harshil chats with Bradley Petzer, Senior Director of Product Security at KnowBe4. Bradley shares the importance of finding the right balance between compliance and security, and why priority should be given to having true risk management solutions in place. Topics Discussed: How application and product security relate to each other, and the importance of skills specialization in either area. Key challenges product security teams are facing today. How to maintain a balance between security and compliance. Building a collaborative relationship between different teams, and leveraging automation to improve team efficiency. How KnowBe4 effectively manages open source vulnerabilities. Bradley's advice for anyone just starting out their career in cyber security. The advantage of getting cybersecurity certifications.
In this episode, Harshil chats with Emmy Eide, Director of Product Security at Red Hat, a leading provider of open source software solutions that enable enterprises to seamlessly work across various platforms and environments. Emmy shares how she came to lead the team handling software supply chain security at Red Hat, and gives us a look into what makes for a good software supply chain security program: utilizing tools, following risk management best practices, and implementing security controls to protect the supply chain from threats and vulnerabilities. Topics discussed: Why software supply chain security is important. The need to establish partnerships between security and engineering teams to effectively implement security controls within the supply chain. How Red Hat cultivates an open feedback culture between teams to achieve systemic security. How the SLSA framework helps developers secure the supply chain. Determining the scope of the software supply chain and what to include in the SBOM (software bill of materials). How the SSDF (Secure Software Development Framework) drives secure software development and mitigates risks to the supply chain.
In this episode, Harshil is joined by Naomi Buckwalter, Director of Product Security at Contrast Security. Contrast Security is an application security platform that helps developers and security teams write secure code and protects business applications against targeted cybersecurity attacks. The Contrast platform is able to effectively identify actual vulnerabilities from false positives, resulting in faster remediation. With more than two decades of experience in IT and Security, Naomi shares some tips on how to run a product security program, how to build a diverse team, and how to refine the hiring process to empower managers to choose the right candidates. Topics discussed: How Naomi came to lead the product security team at Contrast Security. The story behind Cybersecurity Gatebreakers, Naomi's nonprofit foundation advocating for and supporting the next generation of cybersecurity professionals. The supposed talent shortage in cybersecurity, and the challenges in finding and hiring the right talent. How to choose the right questions during an interview and what to prioritize during the hiring process. Naomi's LinkedIn course that's providing valuable educational content on how to be better security leaders. Naomi's book recommendation for cybersecurity leaders. How to come up with a reprioritizing plan to counter the effects of a workforce reduction.
Technology has been growing by leaps and bounds, but most supply chain processes for shipping, storing, and trading goods have remained fragmented. Flexport is the first to connect the entire ecosystem of global trade, empowering buyers, sellers, and logistics providers to grow and innovate. Flexport's platform sets a new standard for global trade by simplifying supply chain management. In this episode, we are joined by Kevin Paige, CISO at Flexport. Kevin draws on his two-decade-long work experience in IT and security to help the company streamline and optimize business processes, mitigate risks, and accelerate growth by aligning IT initiatives with broader company goals. Topics discussed: Kevin's work background and how he shifted from being in the military handling physical security, to working as a security consultant for the government, to his current role at Flexport. His thoughts on the complexities of the CISO role and the trend of assigning CIO responsibilities to CISOs. How to strategize, plan, and make data-driven decisions in the world of security. How application security has evolved and what the future will look like. The skills that every good product security person should have. The process Kevin's security team follows in doing quarterly business reviews.
Unqork is a no-code application platform that helps large enterprises rapidly build complex custom software by completely removing the usual development challenges of a traditional code-based approach. In this episode, Harshil chats with Unqork's Chief Information Security Officer, Daniel Wood, to learn more about how he's helped build and scale the company's product security program. Daniel has more than a decade of experience in cybersecurity, having worked as an information security analyst and lead security engineer in previous roles. Topics discussed: Daniel's career journey and his transition from risk-based security work, to technical security engineering, consultancy, and corporate security work. Changes Daniel implemented after joining Unqork, and how he chose what security aspects to prioritize and invest in. Leveraging the OpenSAMM or BSIMM model to guide security investment decisions. Unqork's goal of building product security features to reduce friction between the engineering and security teams. How to drive the adoption of security initiatives across an organization. How Unqork handles code ownership, architecture review processes, and threat modeling. Unqork's maturity roadmap for the future.
Those in IT, DevOps, and SecOps are all too familiar with the demands of a complex and dynamic technological landscape. For more than two decades, SolarWinds has helped technology professionals and organizations manage and adapt to an ever-expanding ecosystem of IT applications and infrastructure. In this episode, Tim Brown, Vice President of Security at SolarWinds, gives us an insider view of the 2020 cyberattack where hackers slipped malicious code into the company's popular network management system and software program, Orion. He shares how his team worked tirelessly to resolve the breach, and how this incident has brought light to the software supply chain security issue and has helped strengthen the whole security industry. Topics discussed: Tim's perspective on the dependence of security maturity on engineering process or development process maturity. How the SolarWinds team handled the 2020 breach. The importance of creating SBOMs for every application and learning to utilize the data to protect against security vulnerabilities. Tim's advice for security leaders working with a supply chain. What supply chain security will look like in the next few years. Links: "SolarWinds hack explained: Everything you need to know"; "SolarWinds breach: Lessons Learned & Practical steps".
Chime, one of the fastest growing players in the financial technology space, has a mission of providing financial stability for their customers by eliminating many of the issues that come with traditional banking. In today's episode, Mukund Sarma, Director of Product Security at Chime, shares how he helps his team address the challenges in building security programs and maintaining a solid and proactive security culture within the company.
Topics discussed:
How Mukund got started in cybersecurity.
His experience in building application security programs for FinTech companies.
Different approaches to risk mitigation in FinTech, product security, and application security.
What product security is and how its definition differs from company to company.
What skill set Mukund looks for when hiring engineering and security teams.
How Chime's internal Rails application, Monocle, helps their team with strategic engineering and security decision making.
Why Mukund opted for a gamified approach to their security processes.
Why Mukund's team decided to integrate GitHub badges within Monocle.
Pegasystems' Pega Platform is a powerful low-code platform for AI-powered decisioning and workflow automation. The platform makes it easier for enterprises to work smarter, unify experiences, and quickly adapt. As a publicly traded company with a multi-billion dollar market cap, more than 6,000 employees, and a global customer base, security is critical to the success of the company. In this episode of the Future of Application Security podcast, Harshil speaks to Pegasystems' Director of Application Security, Tejpal Garhwal, to learn about how Pega approaches AppSec. With a strong software development background and deep expertise in Application Security, Tejpal has spent his career managing multiple security and dev teams and setting the direction for information security application architecture, policy, and processes within the organization.
Topics discussed:
Tejpal's career transition from Software Development to Application Security
Tejpal's 30-60-90 day strategy for strengthening and standardizing security processes and building a secure SDLC
The benefits of shifting left and developing a good security culture mindset
Management and optimization of an application security operation on a large scale
How Tejpal encourages collaboration between the security and development teams
Using quality security gates/guardrails/etc. to ensure code integrity
Tejpal's thoughts on the future of application security
FullStory's mission is to equip organizations with the information they need to deliver perfect digital experiences. To deliver on that mission, their platform captures customer experience data based on understanding browser interactions. In order to capture that data, it must have a position on the end user's browser, which requires a high level of customer trust. To ensure its service is delivered securely and that trust is maintained, the company has devoted significant resources to developing a robust Product Security Program. On today's episode of the Future of Application Security, Harshil speaks with FullStory's VP of Product Security and Compliance, Mark Stanislav, to learn more about how the company has approached building and scaling its Product Security Program.
Topics Discussed:
How Mark defines Product Security.
Why FullStory runs maturity models every quarter.
How to use maturity models to demonstrate your Product Security Program's progress and justify further investment.
Why shifting left is critical for all teams looking to scale their Product Security Program.
How FullStory built a culture of engineers who love security.
What most get wrong about vulnerability and risk management.
Why Product Security teams need to own triaging and prioritization.
The pace of software development has increased dramatically over the past ten years, and the traditional approach to application security has struggled to keep up. With modern development going from code to cloud within hours, manual security checks and code reviews run the risk of slowing down releases and creating more tension between developers and security teams. To reduce this friction, organizations are shifting from the traditional application security approach to a more modern approach where security policies and controls are embedded in developer workflows. To learn more about this shift, in today's episode of the Future of Application Security, Harshil speaks to Daniel Harvey, an industry veteran with more than 13 years in AppSec. Most recently, Daniel was the Director of Product Security at InVision. Prior to InVision, Daniel worked on AppSec teams at organizations including Clayton Homes, Citi, Elavon, and Discovery.
Topics Discussed:
Daniel's shift from application security to product security
The importance of building default security features within a product
How to make product security a business enabler
The key changes in the application security landscape
How to build the relationship between security and development, and how to find balance in collaboration
The need to map and tie code ownership to identity management systems
Stripe is the most valuable private startup in the United States, with a market valuation of more than $95 billion. With more than 2 million customers spread across 46 countries and nearly 10,000 employees, the scale of Stripe is hard to fathom. To retain its position as the market leader, Stripe must continue to rapidly ship new products while at the same time ensuring those products are secure. To learn more about how Stripe has scaled their AppSec Program to keep up with the pace of development, in today's episode Harshil speaks with Stripe's Application Security Manager, Rajat Bhargav. Prior to joining Stripe in 2021, Rajat worked as a software engineer at Citi and Monsanto before transitioning to security, where he has worked on AppSec teams at companies like eBay, Walmart, Netflix, and Twitter.
Topics Discussed:
How to get developers engaged and interested in security (based on Rajat's experience as a developer).
How Stripe uses context to help developers prioritize the vulnerabilities that actually matter.
How secure-by-default/security guardrails make it easier for developers to not have to think too much about security.
Three pieces of advice for up-and-coming AppSec professionals and leaders.
Resources mentioned:
Scaling Appsec at Netflix
Locomocosec.com
Thirty Madison is a healthcare technology company that offers direct-to-consumer healthcare and wellness products for people living with chronic conditions. Founded in 2017, the company has raised over $200 million in funding and has more than 400 employees. As a healthcare company with millions of customers, Thirty Madison has the responsibility of holding their customers' most personal information. Keeping this highly sensitive data secure is mission critical to their business. A single breach could jeopardize their reputation and ruin their relationship with their customers. To ensure their customers and employees are secure, Thirty Madison brought on Anshuman Bhartiya to put in place a Product Security program that is capable of keeping up with the rapid growth of the company. In today's episode, Anshuman joins Harshil to talk about the lessons learned as he built their Product Security program from scratch and the tactical advice he has for others who find themselves in a similar position.
Topics:
How to decide what problems and risks to prioritize when you are first building a product security program.
Questions to ask executives and co-workers as you begin building your product security program.
How Security Guardrails can influence developers to build secure code from the beginning, and how to actually make that happen.
Anshuman's favorite Security Guardrail he's implemented.
A lightweight approach to building and securing your SDLC.
The #1 piece of advice for someone who is just beginning their product security journey.
The resounding sentiment from organizations is that there's major tension between development and security teams. This tension makes it nearly impossible for any AppSec program to scale, making reducing this friction mission critical. To learn how to improve the relationship between developers and security, on today's episode of the Future of AppSec Harshil speaks with Dustin Lehr, Director of Application Security at Fivetran, a Forbes Cloud 100 company that helps companies improve the accuracy of data-driven decisions by continuously synchronizing data from source applications to any destination, allowing analysts to work with the freshest possible data. Dustin is an accomplished software engineer turned information security leader. Having spent more than a decade as a software engineer, his diverse background and experience have helped him forge close partnerships with development teams, engineering teams, and software security advocates while pursuing the organizational culture shift of building good security habits into daily work. His approach focuses on communicating the importance of security, instilling a sense of urgency, and motivating the organization to shift their mindset toward “Security by Design” best practices, quality focus, and technical responsibility.
Topics:
How Dustin's background in software engineering influenced how he approached building Fivetran's AppSec program.
Why empathy is critical to improving the relationship between developers and security teams.
The importance of having an engaged and gamified Security Champions program.
Key challenges AppSec teams will face in the coming years and how they can prepare for the future.
Why Dustin created the “Let's Talk Software Security” community.
Resources:
Dustin's “Let's Talk Software Security” Slack community: https://join.slack.com/t/letstalksoftw-64x2506/shared_invite/zt-t3e59aj9-5zNThhcrj4TCd4HJwAoDZA
Dustin's current book recommendation: Actionable Gamification: Beyond Points, Badges, and Leaderboards
Harshil's conference talk: Democratizing Security: A Story of Security Decentralization