Future of Application Security Tromzo

In this episode of the Future of Application Security podcast, Harshil speaks with Abdullah Munawar, Director of Product Security at Appian. Abdullah shares valuable insights into his journey from security assessments and consulting to leading product security efforts, discussing the evolving challenges and strategies for building effective security programs in modern development environments. 

He discussed the importance of evolving security practices beyond identification to implementation within organizations, including the need for a holistic approach to product security and focusing on high-priority vulnerabilities. Abdullah also explains the challenges of maintaining data quality in AI companies. 

Topics discussed:

- The transition from consulting to in-house product security and the importance of hands-on experience in understanding the challenges of implementing security fixes and mechanisms.
- Defining the scope of product security in the context of decentralized development practices and the shift towards ”you build it, you manage it” approaches.
- The changing role and structure of product security teams to address the full stack of security concerns, from architecture and automation to traditional AppSec tasks.
- Strategies for driving remediation and adoption of security practices, including leadership buy-in, targeted automation, and empathy-building initiatives like security champion programs.
- Emerging challenges in product security related to AI and data management, such as data poisoning, segregation, and unintended leakage.

In our latest episode of the Future of Application Security podcast, Nat Mokry, VP of Application & Product Security at Xbox (formerly of Activision Blizzard at the time of recording), shares valuable insights into the world of application security, from the mission of defending player trust to emphasizing the importance of technical skills in cybersecurity. 

Nat provides guidance on building effective security teams and navigating the evolving challenges in the industry.

Topics discussed:

- Earning and defending player trust as a guiding principle of business and strategies for making mission statements actionable.
- Building and structuring a diverse security team, and the challenges faced by appsec teams in the current landscape.
- The concept of the ”piggy bank of trust” in security relationships that Nat says helps him and his team remember that people skills are important too.
- Balancing technical expertise and security knowledge, depending on what your data is telling you. 
- Having the humility to ask questions and not have all the answers.
- The difference between solving problems for people and minimizing the chances of them doing something wrong.

In this episode of the Future of Application Security podcast, Harshil interviews Felix Matenaar, Head of Product Security at Asana. Felix shares insights into his journey from Germany to Silicon Valley, where he transitioned from mobile security to leading Asana’s product security efforts.

The conversation highlights Felix’s experience in creating security frameworks that eliminate vulnerabilities by building secure product lifecycles and ensuring alignment with business objectives. His approach integrates rigorous security measures directly into the development process, reflecting Asana’s commitment to robust, proactive security.

Topics Discussed:

- Felix discusses his transition from software engineering to product security and his strategic move from Google to Asana.
- Strategies for integrating security seamlessly into product development to enhance safety without compromising functionality.
- How effective security practices can accelerate business processes and foster trust with users.
- The importance of collaboration across different organizational functions to ensure comprehensive security coverage.
- The role of leadership in fostering a security-centric culture within tech companies.
- Insights into upcoming challenges and innovations in the field of application security.

In this episode of the Future of Application Security, Harshil speaks with Steve Lukose, Vice President of Security at Clari, about how security is becoming a business enabler rather than just an organization. 

Steve explains why SLAs will become one of the benchmarks for security experts to use, but that it won’t necessarily be for all aspects of security. Still, they’ll be a great tool to help security organizations plan ahead for their next steps. 

They also discuss the importance of cross functional collaboration, why your team should build relationships outside of the group, and how regulatory bodies are driving change. 

Topics discussed:

- The importance of building relationships within your team and outside of it.
- Why SLAs will become a benchmark for security leaders to use for planning their next business steps.
- How security leaders can work with their teams, partners such as engineers, and stakeholders to make sure they stay on track and keep focus.
- How product managers can help facilitate projects by understanding what each stakeholder needs.
- How security transcends barriers by becoming a business enabler, shifting from a restrictive function to one that supports and enhances organizational objectives and growth.
- The importance of cross functional collaboration.
- How scrutiny from regulatory bodies such as the SEC is driving change.

In this episode of the Future of Application Security, Harshil speaks with Aruneesh Salhotra, CEO and Fractional CISO, SNM Consulting Inc. They discuss the unique challenges and opportunities of application security in the financial sector, including how the ”necessary evil” of regulations is increasing accountability around security efforts. They also talk about the need for more vigilant software supply chain security, two better approaches to vulnerability management, and how AI can create self-sufficiency among developers.

Topics discussed:

- The ”necessary evil” of regulations and how they’re increasing accountability around data storage, pen testing, and more.
- Two approaches security teams can take to better manage application vulnerabilities: a call graph and runtime SCA.
- What your attack surface is and how to effectively manage it.
- The increasing importance of software supply chain security and the value of establishing an open source program office.
- Why security should be everyone’s job and how adopting security today will bear fruit tomorrow.
- How AI can increase developer self-sufficiency by giving feedback and insights on security actions.

In this episode of the Future of Application Security, Harshil speaks with Christine Gadsby, VP, Product Security at BlackBerry, a software company specializing in cybersecurity. They discuss the new initiatives driving software transparency, like SBOMs and VEX, and how adoption will not only come from regulations but from companies holding their software suppliers more accountable. They also talk about the need for better telemetry practices and more connected tooling and how security professionals can get involved in industry change and mentorship.

Topics discussed:

- The important role frameworks like NIST 800-218 and CISA’s Secure By Design will play in establishing standards.
- The ways in which SBOMs and VEX are driving software transparency that will keep customers safer.
- How commercial industries will increase their software supplier accountability in response to the rising cost of insecurity.
- How many companies lack knowledge about what’s in the software they sell and the importance of having good telemetry practices.
- Why lack of good tools and the ability to connect tools is a challenge to product security today.
- Advice to security professionals about not letting things like SBOM and VEX get away from you as you prepare for the future of software development.
- How product security professionals can get involved with industry efforts to drive change.