8 episodes

Agile DevOps, Cloud Deployment, Microservices, and Open Source have all dramatically accelerated application delivery and complexity. Today’s AppSec teams, outnumbered by as much as 100:1 by developers, depend on a collection of point security products and siloed manual processes. This leaves them struggling to gain the visibility, insight, and process scale they need to identify and protect the always changing and growing application risk surface.  

This resulting AppSec Chaos means applications ship fast without the assurance of shipping securely, leaving the organization at risk of breaches and losses.
Welcome to the Let's Talk AppSecOps show, where we bring discussions with security thought leaders and practitioners and software development minds from leading enterprises to talk about their concerns, case studies, and best practices in operationalizing application security. 

This show is hosted by ArmorCode experts. It talks about how security and development teams can work together and implement practical security measures.

Mark Lambert is an AppSecOps Evangelist and VP of Products at ArmorCode, breaking down the communication barrier between Developers and Security experts to help organizations adopt and scale security practices within their development teams.
Mark is passionate about applying technology innovations to solving real-world business problems. For the last 20 years, he has been working with the world's leading brands to streamline the delivery of secure, reliable and compliant software applications across Enterprise IT and Embedded/IoT markets. Mark has been invited to speak at numerous industry events and has been published in industry media.

Luis is a Senior Solutions Engineer at ArmorCode and he comes from a background that includes names big and small. His technical skills have been forged in the fires of prospects and clients alike. Luis's diverse skill set includes the ability to explain technology to non-technical audiences, set up a “pizza box” in a freezer, cook a perfect elk steak over a mesquite-fueled grill, and spend late nights in a war-room!  
His plethora of application security skills and ability to social engineer the feathers off an owl serve him well as our Senior Solutions Engineer!

Nikhil Gupta is co-founder and CEO of ArmorCode. He is a successful serial entrepreneur with more than 25 years of experience. Prior to founding ArmorCode, Nikhil was CEO and Co-founder of Avid Secure, which was acquired by Sophos. Avid Secure built a marketing-led AI-powered multi-cloud security and compliance platform. Nikhil has held several leadership positions in VMware, Cisco, ForeScout, Ericsson (joined through the acquisition of Entrisphere), Alcatel, and Bell Labs. Nikhil holds an MBA from Columbia Business School and BS and MS in Computer Science.

LingRaj Patil is the Head of Marketing at ArmorCode and a renowned speaker and business growth leader with 20+ years of experience spanning engineering and marketing in Seed, Series A/B/C/D, Unicorn, and Fortune 500 companies. He is a guest speaker on Marketing and Entrepreneurial Strategy at Stanford University. He has a passion for building communities that bring thought leaders and practitioners together to rally around the challenges and opportunities they present. He is also the Executive Chair of the Purple Book Community, a community of software security leaders who are on a mission to build more secure software. 
Let this show be your guide to hearing inspiring stories of leaders building secure software against the odds, hearing insightful case studies, and getting to know more about the leaders who make it all happen. With the software demand increasing nonstop, now is the right time to tune in.
 
Find show episodes at www.armorcode.com/lets-talk-appsecops.

Let's Talk AppSecOps ArmorCode

    • Technology

    Gates to Guardrails

    Developers don't want to be slowed down, but security teams don't want development speed driving AppSec posture off a cliff. The compromise: security guardrails instead of release gates. With a basis of mutual trust that only critical findings will be sent for remediation and all critical findings will be remediated, friction between teams can be mitigated. Avoiding alert fatigue is one thing both security and developer talent can agree on.

    About ArmorCode

    We develop, sell, and deliver the world’s first and leading AppSecOps platform to our customers, along with the expertise, support and community they need to ship secure software and ship it fast. The ArmorCode platform brings together powerful AppSec Posture, Vulnerability, and Compliance Management with DevSecOps workflow automation.
    _____________________________________________________

    Follow us

    www.armorcode.com
    LinkedIn: https://www.linkedin.com/armorcode
    Twitter: https://twitter.com/code_armor
    _____________________________________________________

    About AppSecOps

    What is AppSecOps? https://www.armorcode.com/what-is-appsecops

    The State of AppSecOps Report: https://www.armorcode.com/state-of-appsecops-2022

    AppSecOps Research from Enterprise Strategy Group: https://www.armorcode.com/esg-appsecops-showcase

    • 6 min
    Factors in Prioritization

    Prioritizing threat/vulnerability findings takes thought, a satellite cam, and a microscope if you don't have an AppSecOps platform at work. There's a lot to consider: criticality variance across tools (they don't come normalized out of the box), threat intelligence on CVEs, and tool/technique weight factors, for starters.

    A major concept is the context around the app/sub-app/module associated with a finding. The software's dependencies, environment, provenance, and the sensitivity of its data are just a few values that affect priority. That context dictates resource alignment, while risk scoring influences specific tactical activities thereafter.


    • 6 min
    Vulnerability Management – What? When? How?

    Vulnerability Management looks different from business to business. What qualifies a risk as acceptable or not? When should confirmed vulns be fixed by? Perhaps most distressingly, how do we know when a vulnerability has actually been remediated? Luis Guzmán talks about the different aspects of vulnerability and its most common musts:

    - a workflow framework that security & dev agree on
    - live critical finding notifications
    - active remediation monitoring
    - visibility throughout ticket lifecycles "from soup to nuts"

    • 6 min
    Getting Started With AppSec

    It's a common misconception that the first step to building an application security program is sorting out the tooling. In reality, security tools translate well, and most early-game head-scratching will center on process. It helps to start small: SCA (software composition analysis), being an un-intensive and non-invasive first measure, is a great launch point. This is not only due to the great availability of SCA tools, but also because its ease of adoption primes security teams before they pursue more investigation- and work-heavy practices like SAST, DAST, IAST, etc.


    • 5 min
    Short Release Cycles: Pros & Cons

    A short release cycle has myriad benefits: faster delivery to market for new functionalities, and swiftly-improving accuracy toward goals (what we call Agile) chief among them. And from a security perspective, a quick reaction time to zero-day threats thanks to a well-oiled assembly line is invaluable. But, of course, there are drawbacks: like a lack of cohesion and communication between security and dev teams, and unequal pressure on AppSec to quicken their side of SLAs. As Luis points out, we discovered in our State of AppSecOps Report that the ship cycle sweet spot is 1-2 weeks (most often 2), wherein security can be effectively balanced with engineering initiatives.


    • 8 min
    The SBOM Movement

    The SBOM Movement has gained huge attention in just half a year. Whether as an external dependency of a developing product or a mission-critical tech stack component, inbound software has provenance (and often, vulnerabilities) that need to be reported for security downstream. US and foreign government support, as well as executive action, have done much to stir awareness of these supporting docs. Many are ready to embrace it as standard, but two-thirds or more of organizations are still unaware of new SBOM mandates. Luis Guzmán explains why the future for SBOMs is bright but still has a ways to go before reaching mass supply chain adoption.


    • 4 min
