Eptura's Sean Finley on Building Risk-Based Application Security Programs

Ahead of the Breach

What if vulnerability management was less about filling backlogs with findings and more about strategic risk reduction? Sean Finley, Director of Application & Product Security at Eptura, brings a refreshing perspective on application security to his conversation with Casey on this episode of Ahead of the Breach.

Shaped by years of experience as both a software analyst and a security leader, his approach challenges the traditional "dump truck of data" mentality, advocating instead for thoughtful prioritization and strong stakeholder partnerships. From building bridges with development teams to making the case for security investments to business leaders, Sean shares practical wisdom for creating AppSec programs that serve organizational goals while keeping risk in check.

Topics discussed:

  • Understanding the limitations of traditional vulnerability management and why flooding backlogs with findings doesn't equate to effective security.
  • Building strategic partnerships with business stakeholders to ensure security efforts align with organizational priorities and risk tolerance.
  • Integrating security tools seamlessly into developer workflows to reduce friction and increase adoption across engineering teams.
  • Advocating for security considerations during the design phase to prevent costly fixes and potential data breaches later.
  • Managing the delicate balance between development speed and security requirements in modern Agile environments.
  • Creating effective risk-based approaches to vulnerability prioritization based on business context and threat intelligence.
  • Developing strategies for earning developer trust and respect while educating teams about security concepts and threats.
  • Implementing repeatable security processes that work across different release cadences, from quarterly to daily deployments.
  • Building quality assurance into the software development lifecycle through consistent security testing and validation.
  • Fostering a collaborative security culture that emphasizes enablement rather than obstruction or purely compliance-driven approaches.
