The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources.
EP 17 — SolarWinds VP of Security Tim Brown: Behind the Scenes of the 2020 SolarWinds Breach
Those in IT, DevOps, and SecOps are all too familiar with the demands of a complex and dynamic technological landscape. For more than two decades, SolarWinds has helped technology professionals and organizations manage and adapt to an ever-expanding ecosystem of IT applications and infrastructure.
In this episode, Tim Brown, Vice President of Security at SolarWinds, gives us an insider view of the 2020 cyberattack in which attackers slipped malicious code into the company's widely used network monitoring and management platform, Orion. He shares how his team worked tirelessly to resolve the breach, and how the incident brought the software supply chain security problem into the open and has helped strengthen the whole security industry.
Tim’s view that security maturity depends on the maturity of the engineering and development process
How the SolarWinds team handled the 2020 breach
The importance of creating an SBOM for every application and learning to use that data to find and act on vulnerable components
Tim’s advice for security leaders working with a supply chain
What supply chain security will look like in the next few years
SolarWinds hack explained: Everything you need to know
SolarWinds breach: Lessons Learned & Practical steps
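The SBOM takeaway above is easy to state and harder to operationalize: an SBOM only protects you if you routinely join it against vulnerability data. The following is an added example, not code from the episode or from SolarWinds, showing the minimal version of that join. It parses a CycloneDX JSON SBOM, splits each component's package URL (purl) into package and version, and checks the version against OSV-style "introduced"/"fixed" ranges. The SBOM, the advisory list, the advisory IDs and the package names are all constructed for illustration; the version parser is a simplified semver comparison, not a full PEP 440 or Maven parser.

```python
"""Cross-reference a CycloneDX SBOM against known-vulnerable version ranges.

Added example. The SBOM and the advisories below are constructed for
illustration; ADV-000x identifiers and package names are hypothetical.
"""
import json

# Constructed CycloneDX 1.4 SBOM for a hypothetical application (not a real artifact).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "left-widget", "version": "1.4.2",
     "purl": "pkg:npm/left-widget@1.4.2"},
    {"type": "library", "name": "left-widget", "version": "1.6.0",
     "purl": "pkg:npm/left-widget@1.6.0"},
    {"type": "library", "name": "fastjson-lite", "group": "com.example",
     "version": "3.0.1", "purl": "pkg:maven/com.example/fastjson-lite@3.0.1"},
    {"type": "library", "name": "tlsutil", "version": "0.9.0",
     "purl": "pkg:golang/example.com/tlsutil@0.9.0"}
  ]
}"""

# Constructed advisories in an OSV-like shape: the purl without its version,
# plus an "introduced"/"fixed" range. "fixed": None means no fix is available.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:npm/left-widget",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-0002", "package": "pkg:maven/com.example/fastjson-lite",
     "introduced": "0", "fixed": "3.1.0"},
    {"id": "ADV-0003", "package": "pkg:golang/example.com/tlsutil",
     "introduced": "1.0.0", "fixed": None},
]


def parse_version(v):
    """Turn 'A.B.C' into a tuple of ints, dropping a '-pre' or '+build' suffix.

    Simplified semver ordering; non-numeric segments count as 0.
    """
    core = v.split("-")[0].split("+")[0]
    parts = []
    for segment in core.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (package, version)."""
    if "@" not in purl:
        return purl, None
    package, _, version = purl.rpartition("@")
    return package, version


def is_affected(version, advisory):
    """True if introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(sbom_json, advisories):
    """Return [(purl, advisory_id), ...] for SBOM components in a vulnerable range."""
    bom = json.loads(sbom_json)
    hits = []
    for component in bom.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue  # no purl means we cannot match it reliably; flag upstream
        package, version = split_purl(purl)
        if version is None:
            continue
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv):
                hits.append((purl, adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{purl}: affected by {adv_id}")
```

Run against the constructed data this flags left-widget 1.4.2 and fastjson-lite 3.0.1 and clears left-widget 1.6.0 and tlsutil 0.9.0. In a real pipeline the advisory list comes from a feed such as OSV rather than a literal, and components without a purl should be reported, not silently skipped, because an unmatched component is exactly the blind spot the SBOM exists to remove.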
EP 16 — Mukund Sarma: How Chime Built a Scalable Product Security Program
Chime, one of the fastest growing players in the financial technology space, has a mission of providing financial stability for their customers by eliminating many of the issues that come with traditional banking.
In today’s episode, Mukund Sarma, Director of Product Security at Chime, shares how he helps his team address the challenges of building a security program and maintaining a solid, proactive security culture within the company.
How Mukund got started in cybersecurity.
His experience in building application security programs for FinTech companies.
Different approaches in risk mitigation in FinTech, product security, and application security.
What product security is and how its definition differs from company to company.
What skill set Mukund looks for when hiring engineering and security teams.
How Chime’s internal Rails application, Monocle, helps their team make strategic engineering and security decisions.
Why Mukund opted for a gamified approach to their security processes.
Why Mukund's team decided to integrate GitHub badges within Monocle.
EP 15 — Tejpal Garhwal: How Pegasystems Scales AppSec
Pegasystems’ Pega Platform is a powerful low-code platform for AI-powered decisioning and workflow automation. The platform makes it easier for enterprises to work smarter, unify experiences, and quickly adapt. As a publicly traded company with a multi-billion dollar market cap, more than 6,000 employees, and a global customer base, security is critical to the success of the company.
In this episode of the Future of Application Security podcast, Harshil speaks to Pegasystems’ Director of Application Security, Tejpal Garhwal, to learn how Pega approaches AppSec. With a strong software development background and deep expertise in application security, Tejpal has spent his career managing multiple security and dev teams and setting the direction for information security application architecture, policy and processes within the organization.
Tejpal's career transition from Software Development to Application Security
Tejpal’s 30-60-90 day strategy in strengthening and standardizing security processes and building a secure SDLC
The benefits of shifting left and developing a good security culture mindset
Managing and optimizing an application security operation at scale
How Tejpal encourages collaboration between the security and development teams
Using quality and security gates (guardrails) in the pipeline to ensure code integrity
Tejpal’s thoughts on the future of application security
EP 14 — Mark Stanislav: How FullStory Continuously Measures and Improves Its Product Security Maturity
FullStory’s mission is to equip organizations with the information they need to deliver perfect digital experiences. To deliver on that mission, their platform captures customer experience data by observing browser interactions. Capturing that data requires running in the end user’s browser, which demands a high level of customer trust.
To ensure its service is delivered securely and that trust is maintained, the company has devoted significant resources to developing a robust Product Security Program.
On today’s episode of the Future of Application Security, Harshil speaks with FullStory’s VP of Product Security and Compliance, Mark Stanislav to learn more about how the company has approached building and scaling its Product Security Program.
How Mark defines Product Security.
Why FullStory runs maturity models every quarter.
How to use maturity models to demonstrate your Product Security Program’s progress and justify further investment.
Why shifting left is critical for all teams looking to scale their Product Security Program.
How FullStory built a culture of engineers who love security.
What most get wrong about vulnerability and risk management.
Why Product Security teams need to own the triaging and prioritization.
EP 13 — Daniel Harvey: How to Shift from Application Security to Product Security
The pace of software development has increased dramatically over the past ten years and the traditional approach to application security has struggled to keep up. With modern development going from code to cloud within hours, manual security checks and code reviews run the risk of slowing down releases and creating more tension between developers and security teams.
To reduce this friction, organizations are shifting from the traditional application security approach to a more modern approach where security policies and controls are embedded in developer workflows.
To learn more about this shift, in today’s episode of the Future of Application Security, Harshil speaks to Daniel Harvey, an industry veteran with more than 13 years in AppSec. Most recently, Daniel was the Director of Product Security at InVision. Prior to InVision, Daniel worked on AppSec teams at organizations including Clayton Homes, Citi, Elavon, and Discovery.
Daniel’s shift from application security to product security
The importance of building default security features within a product
How to make product security a business enabler
The key changes in the application security landscape
How to build the relationship between security and development and how to find balance in collaboration
The need to map and tie code ownership to identity management systems
EP 12 — Rajat Bhargava: How Stripe Built a Highly Scalable AppSec Program
Stripe is the most valuable private startup in the United States with a market valuation of more than $95 billion. With more than 2 million customers spread across 46 countries and nearly 10,000 employees, the scale of Stripe is hard to fathom. To retain its position as the market leader, Stripe must continue to rapidly ship new products while at the same time ensuring those products are secure.
To learn more about how Stripe has scaled their AppSec Program to keep up with the pace of development, in today’s episode, Harshil speaks with Stripe's Application Security Manager, Rajat Bhargav. Prior to joining Stripe in 2021, Rajat worked as a software engineer at Citi and Monsanto before transitioning to security where he has worked on AppSec teams at companies like eBay, Walmart, Netflix, and Twitter.
How to get developers engaged and interested in security (based on Rajat’s experience as a developer).
How Stripe uses context to help developers prioritize the vulnerabilities that actually matter.
How secure-by-default settings and security guardrails make it easier for developers to ship without having to think too much about security.
Three pieces of advice for up-and-coming AppSec professionals and leaders.
Scaling Appsec at Netflix
Awesome podcast!