Seeding AppSec
Arnica IO
6 episodes
8 hours ago
Tune into "Seeding AppSec" for an insightful exploration into the dynamic world of application security. This episode spotlights the freshest trends and offers firsthand insights from global AppSec leaders. What You'll Learn: The forefront of application security trends and their significance. Expert takes on tackling current AppSec challenges. An introduction to Arnica's innovative security solutions, enhancing risk identification and management without hindering development speed. As cyber threats magnify, grasping AppSec becomes imperative for businesses, developers, and users.
Technology
All content for Seeding AppSec is the property of Arnica IO and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (6/6)
Seeding AppSec
Lessons Learned from Securing Security Products

Lenny Zeltser is as brilliant as he is prolific – a true thought leader in #security and #applicationsecurity in particular. Lenny holds a rare post as the #CISO of a serious and successful security business, Axonius. He builds security programs from within a security company!


On this episode of Seeding AppSec, we discuss with Lenny what lessons he has learned from this unique perspective. With your hosts: Nir Valtman (CEO of Arnica) & Simon A. Wenet (Head of Growth at Arnica)


What we cover in this episode:

[00:00 - 10:25] - Security: An Interdisciplinary Pursuit

  • Lenny recalls his early career experiences with firewalls, networking, and intrusion detection. He was drawn to security as an intersection of multiple disciplines. 

  • Lenny discusses his transition from enterprise security consulting to building security services for small businesses. It required a different cost and customer focus.

[10:26 - 21:28] - The Duality of Product Management

  •  As a product manager, Lenny focused more on business objectives like revenue and customer needs rather than strictly security best practices.  

  • Lenny emphasizes aligning security program efforts to overall company goals, while carefully prioritizing deficiencies.

[21:29 - 39:22] - Bridging the Security & Product Divide

  • Having security experience helps Lenny empathize with product teams when providing feedback from an internal user perspective.

  • Building a security program at a security company raises customer expectations for credibility. But it also provides leverage to get stakeholder buy-in.

  • Lenny stresses adding context to scanner findings to properly prioritize vulnerabilities over just risks.

  • Catching issues earlier before tickets are needed demonstrates shifting security left to development teams.

 [39:23-42:05] - Lightning Round & Closing Thoughts.

  • Lenny shares fun facts about how he takes his coffee, advice to young security professionals, and tells us more about his blog and company.

Connect with Lenny!

LinkedIn: https://www.linkedin.com/in/lennyzeltser/

Blog: https://zeltser.com/

Check out Axonius’s services at: https://www.axonius.com/


We hope you enjoyed this edition of Seeding AppSec! Check out the latest trends in application security discussed with our esteemed guests from around the globe. Don't miss any future episodes; subscribe to Seeding AppSec on Spotify, YouTube, Google Podcasts, or Apple Podcasts.

 

This podcast is proudly brought to you by Arnica, a revolutionary application security solution reshaping how AppSec teams tackle risk identification and mitigation. Explore Arnica.io for detailed information about their cutting-edge security solution, featuring real-time pipelineless risk identification and git posture management. Protect your developers, code, and products without compromising development velocity.

 

Stay connected and informed by following Arnica.io on LinkedIn and Twitter for the latest updates and insights on application security.

 

Thank you for joining us on this enlightening journey into the world of Application Security! Remember to prioritize security and continue seeding AppSec in your organizations. Until next time, stay secure and keep innovating!


Key Quotes

"If you don't know how to manage your own security, then how can you help us manage ours with your solutions?" - Lenny Zeltser

"If you are able to catch a new capability that's not even incorporated into the code branch and stop it early, the developer is much more likely to react positively and quickly and to actually act on the information." - Lenny Zeltser

2 years ago
42 minutes 55 seconds

Seeding AppSec
Empowering Developers to Impact Security (Positively)

In our world of coding, how we think and act might be our best shield in the mix of tech and safety. It's not just the lines of code that matter, but the heart behind them. As tech keeps changing, our choices and teamwork become our guiding light, shaping a safer digital space.


In today’s episode of Seeding AppSec, we explore the compelling parallels between software development and security with Cassio Goldschmidt. Cassio unveils the duality of backlog management and how often, in the rush of prioritization, numerous tickets find themselves lost in the shadows. But beyond tools, tactics, and processes, he delves deep into the critical role culture plays. He dives into why fostering a culture of security transcends mere compliance and becomes the bedrock for genuine progress and empowerment. And as we wrap, Cassio offers golden nuggets of advice for aspiring security professionals and shares a personal recommendation that promises serenity amidst chaos.


Whether you're a developer, a security enthusiast, or just curious about the nexus between the two, this episode promises insights that will both enlighten and entertain.



What we cover on the episode:


[00:00 - 21:18] Empowering Developers and Shifting Left

  • Empowering developers is crucial for secure coding and design, fostering innovation and ownership.
  • Shifting left in security involves early detection and prevention of vulnerabilities, reducing future complexities and embarrassment.
  • Trustworthy automation tools are vital for effective garbage-in, garbage-out prevention in the development process.
  • Ensuring Git posture is essential, including verifying code reviewers' identities and detecting unusual comment styles to enhance security.

 

[21:19 - 37:10] Security Beyond Developers

  • Security isn't just about developers; it also involves aspects like branching strategy, pull request reviews, and status checks.
  • Address vulnerabilities early during development, as fixing them in a backlog can lead to neglect and increased risk.
  • Aligning incentives between security and development is crucial for better security outcomes and involves education, automation, and empathy.
  • Cultivating a culture of security is essential, fostering awareness and collaboration between security and development teams.


Connect with Cassio!

LinkedIn: https://www.linkedin.com/in/cassiogoldschmidt/

Check out ServiceTitan’s services at: https://www.servicetitan.com/


Key Quotes

 

"Empowering People is always a good idea. If people trust that you know your stuff, that you are not throwing things over the fence for them, they will come and ask your opinion, and they will ask, how to best create or develop solutions." – Cassio Goldschmidt

 

"Creating a culture of security goes way beyond just development, but really the entire company. And you really start creating awareness." - Cassio Goldschmidt

2 years ago
37 minutes 15 seconds

Seeding AppSec
Finding, Evaluating & Implementing Innovation in AppSec

The evolution of Application Security stands as a testament to our relentless pursuit of cybersecurity. From its inception, rooted in basic coding blunders, to the intricate labyrinth of challenges we navigate today, the journey of AppSec is nothing short of captivating. Today, we're thrilled to host Teja Myneedu. With over two decades in the industry, Teja provides a riveting account of the transformation of Application Security from its early phases to the present. Through his expert perspective, we explore the rise and sophistication of AppSec, delving into threat modeling and the nuances of contemporary cyber threats. Teja not only chronicles the evolution but also underscores the socio-economic impacts on security trends, shares stories from landmark breaches, and imparts crucial lessons learned along the way.

 

With a blend of invaluable insights and forward-thinking, this episode promises a deep dive into the past, present, and anticipated trajectory of AppSec.

 

What we cover on the episode:

 

[00:00 - 25:01] AppSec Innovation: Navigating Solutions and Philosophies

  • Teja emphasizes seeking solutions that stretch beyond conventional approaches, inspiring innovative problem-solving within AppSec.
  • When adopting a new solution, focus on evangelizing the innovative philosophy internally first. Show how the solution improves existing practices and provides empirical metrics, making it easier to measure and communicate progress.

  • Teja's approach involves internally promoting innovative philosophies, fostering dialogue, and demonstrating solutions' potential to elevate AppSec practices.

[25:02 - 43:25] Shifting Security Left: Prioritizing Prevention, Empathy, and Innovation

  • Focus on shifting security left in the development process to prevent vulnerabilities, not just finding and fixing them later.
  • Emphasize developer empathy, provide real-time help, and prioritize problems within the context of an organization.
  • Innovative security solutions prioritize user experience, collaboration, and contextual understanding, moving beyond narrow issue-focused tools.

 

Connect with Teja!

LinkedIn: https://www.linkedin.com/in/myneedu/

Check out his website at: https://teja-myneedu.com/about



Key Quotes

"True developer empathy is realizing... How can we actually make it so that it's not a problem in the first place?" – Teja Myneedu.

"I fundamentally believe in buying over building if I can. If there is a problem worth solving, there's a business that's being built around it. And it's a matter of finding that business, but if that version of the problem isn't big enough to be solved, I try to build solutions around it." – Teja Myneedu.

2 years ago
43 minutes 46 seconds

Seeding AppSec
Building Application Security & Engineering Partnership in Parallel

Ever wondered how AI could revolutionize software security? In this digital era, the fusion of AI and coding might just be the key to a more secure software landscape. Dive into this episode of the Seeding AppSec podcast as we sit down with software security maven, Mark Stanislav, and unpack the future of generative artificial intelligence in software engineering. We delve deep into the buzz surrounding tools like GitHub Copilot and its potential in reshaping how developers code. Amid the awe and criticisms, Mark paints a picture of a future where AI doesn't just assist but also safeguards against security flaws. As the lines between technology and security blur, he underlines the essence of prompt engineering and its monumental role in the age of intricate tech stacks. But what does this mean for the budding security professionals? Mark shares invaluable advice, advocating for passion in technology as the foundation for a robust security career.

What we cover on the episode:

[00:00 - 23:14] Collaborative Approaches and Tailored Interventions

  • Application security is evolving towards a holistic approach, emphasizing early education, shifting left, and partnership with engineers.
  • Security interventions should be tailored to different stages of the software development lifecycle, with high value and low false positives.
  • Effective collaboration means understanding engineers' tools, workflows, and preferences, to integrate security seamlessly.

[23:14 - 44:33] Shaping Secure Collaboration

  • Enhancing security involves integrating various signals like developer security, software composition analysis, and more into a singular actionable platform.
  • Collaboration between security and product teams is vital for delivering value, enhancing trust, and ensuring security is seen as revenue-generating rather than a cost center.
  • Generative AI tools, like GitHub Copilot, could evolve to assist developers in writing secure code by suggesting secure coding patterns and providing security-related explanations.

[43:34 - 47:57] Lightning Round!

  • If you were the leader of an anonymous hacker group, what would it be called? Mark would name the anonymous hacker group "null bite" because it's obfuscated and malicious.
  • How do you take your coffee? Mark takes his coffee hot with Splenda and occasionally almond milk.
  • What advice would you give a young aspiring security professional? Mark advises aspiring security professionals to focus on a passion for technology first and build that as a foundation.
  • Michigan or Michigan State? Michigan. Go blue!

Connect with Mark!

LinkedIn: https://www.linkedin.com/in/mstanislav/

Check out his website at: https://www.uncompiled.com/#/

Key Quote

"Don't be too excited to be a security hacker person. Go be excited about all the capabilities and creativity that comes from engineering. And then figure out how security is applicable." – Mark Stanislav

2 years ago
47 minutes 11 seconds

Seeding AppSec
Bumps, Bruises, & Wins in Building AppSec from Scratch

Embark on an enthralling journey through the captivating world of secure software development with Seeding AppSec's inaugural episode!


Join seasoned security executive and CISO at The Aaron's Company, David Nolan, as he spills the beans on building robust software systems while hosts Simon Wenet and Nir Valtman, CEO at Arnica, engage in an enlightening dialogue exploring the evolving landscape of application security. The discussion uncovers the role of automation in managing risk, emphasizing the balance between human ingenuity and automated processes. David highlights two key components of a successful application security program – quick response for high-risk findings and ownership by development teams. He emphasizes the significance of relationships, trust, and adaptability in modern AppSec practices. Looking into the future, David envisions a developer-centric approach, AI integration, and supply chain protection as key trends in the next five years.


What we cover on the episode:

[00:00 - 15:24] Building an Effective AppSec Program

  • Building an effective AppSec program starts with understanding how development works and forming strong relationships with development teams.
  • Prioritize targeted security outcomes over tools and requirements to align with business goals.
  • Be intellectually curious and engage with business leaders, developers, and security champions to identify critical applications and business priorities.

[15:24 - 33:54] Driving Success in Application Security

  • Integrations and dependencies of critical apps are often overlooked, leading to potential business disruptions.
  • Successful AppSec programs focus on collaboration and partnership with development teams.
  • Automation is crucial for managing risk, but human creativity and ownership remain essential in application security.

[33:54 - 41:35] The Evolving Landscape of AppSec

  • The evolution of security tools, especially open-source ones, can significantly improve cybersecurity capabilities.
  • AppSec professionals should focus on becoming trusted risk advisors and communicating security in business terms.
  • Building a strong community of peers and mentors through conferences and networking is valuable for career growth and knowledge sharing in the security industry.


Connect with David! LinkedIn: David Nolan

Check out The Aaron’s Company




Key Quotes

"I encourage all of my teams [AppSec professionals] to get out there, go to... targeted conferences... where you'll meet your peers and develop those relationships. We're all fighting the same criminal, the same evil. And so, we should be able to work together." – David Nolan

"Don't just start with tools when beginning an AppSec program. Instead, focus on learning, understanding, and building relationships. Identify champions and let them pave the way for success as you grow the program." – David Nolan

2 years ago
37 minutes 46 seconds

Seeding AppSec
Welcome To Seeding AppSec

In "Seeding AppSec", we dive deep into the cutting-edge realm of application security as we navigate the challenges and opportunities presented by contemporary digital landscapes. We'll be engaging with global AppSec thought leaders and practitioners, unearthing the nuances of the latest trends that every tech enthusiast should be aware of.

What Will You Learn?

  • The emerging trends in application security and how they can potentially impact the future of digital interactions.
  • Practical insights from leading AppSec professionals who have hands-on experience with modern challenges and solutions.
  • How Arnica's transformative application security solutions, such as real-time pipelineless risk identification and git posture management, are revolutionizing the way AppSec teams function and safeguard digital assets.

Why Is This Relevant In Today's World? Application security is no longer a niche domain but an essential component of the digital ecosystem. With cyber threats evolving at an unprecedented pace, understanding the intricacies of AppSec is crucial for businesses, developers, and consumers alike. By staying informed, we not only ensure the robustness and safety of our digital solutions but also bolster the trust and reliability required for today's interconnected world. Join us to stay ahead of the curve and fortify your digital foundations!

For more information visit arnica.io

2 years ago
46 seconds
