Jay Bobo & Darylynn Ross -- App Sec Is Dead. Product Security Is the Future.
Jan 9, 2024
Jay Bobo and Darylynn Ross discuss the shift from application security to product security. They emphasize the importance of effective communication and integrating security within development teams. The podcast challenges the current state of penetration testing and encourages a holistic approach to product security.
Collaboration and effective communication are vital for building a security-first culture and enhancing overall security posture.
Product security requires a holistic approach that encompasses the entire development process, including risk analysis, threat modeling, and effective communication of vulnerabilities to stakeholders.
Web application penetration testing needs improvement to provide more valuable and reliable results that go beyond compliance requirements and focus on business logic assessments.
Deep dives
Collaboration and Building a Security Culture
In the podcast episode, the importance of collaboration and building a security culture is highlighted. The speaker emphasizes the need for security professionals to work closely with developers and other stakeholders to foster a security-first mindset. This involves effective communication and collaboration, as well as a focus on optimizing for people and understanding their perspectives. By prioritizing collaboration and creating a strong security culture, organizations can enhance their overall security posture.
Moving Beyond AppSec: Embracing Product Security
The podcast explores the broader concept of product security, emphasizing that application security (AppSec) is just one component of it. The discussion highlights the need to shift from a narrow focus on AppSec to a holistic approach that encompasses the entire product. Product security involves integrating security considerations throughout the development process, incorporating risk analysis, threat modeling, and effective communication of vulnerabilities to senior leaders and engineers. By embracing product security, organizations can build a security-first culture and effectively address the evolving application security landscape.
Challenges with Web App Penetration Testing
The podcast raises concerns about the effectiveness of web application penetration testing. It highlights that many penetration tests lack depth and fail to provide meaningful insights beyond compliance requirements. The conversation stresses the importance of moving beyond black box and gray box testing approaches and focusing on business logic assessments. It advocates for improvements in the penetration testing domain to ensure more valuable and reliable results that help organizations mitigate vulnerabilities effectively.
Communicating Risk and Vulnerabilities
Effective communication of security risks and vulnerabilities is a key aspect discussed in the podcast. It emphasizes the need for security professionals to convey these issues to senior leaders and engineers in a business-oriented language. By tailoring the message to the audience, focusing on risk instead of technical details, and promoting collaboration, security professionals can enhance understanding and decision-making. The goal is to drive a risk-based conversation, enabling organizations to make informed choices and prioritize resources for risk mitigation.
Book Recommendation: 'How to Measure Anything in Cybersecurity Risk'
The podcast concludes with a book recommendation, 'How to Measure Anything in Cybersecurity Risk' by Douglas W. Hubbard and Richard Seiersen. This book is praised for its insights into risk management and offers practical guidance for assessing and quantifying cybersecurity risks. It promotes a systematic approach to measuring risks, enabling security professionals to make informed decisions based on data and analysis. The recommendation highlights the book's value in helping security practitioners broaden their perspective and enhance risk management practices within their organizations.
Jay Bobo and Darylynn Ross from CoverMyMeds join Chris to explain their assertion that 'AppSec is Dead.' They discuss the differences between product and application security, emphasizing the importance of proper security practices and effective communication with senior leaders, engineers, and other stakeholders. Jay proposes that product security requires a holistic approach and cautions against the current state of penetration testing in web applications. Darylynn encourages AppSec engineers to broaden their scope beyond individual applications to product security. With enlightening insights and practical advice, this episode thoughtfully challenges AppSec professionals with new ideas about application and product security.
Links: Jay recommends: How to Measure Anything in Cybersecurity Risk, 2nd Edition by Douglas W. Hubbard, Richard Seiersen https://www.wiley.com/en-us/How+to+Measure+Anything+in+Cybersecurity+Risk%2C+2nd+Edition-p-9781119892311