The Elephant in AppSec Conference Panel Highlight: Why scaling AppSec is harder than you think

Key takeaways from highly experienced industry experts on how to scale application security from the panel in Track 1 of The Elephant in AppSec Conference.

The Elephant in AppSec Conference Panel Highlight: Why scaling AppSec is harder than you think

Three panelists. Decades of experience. One common goal: how do you effectively scale application security?

"If we don't know what we want to build and if we don't know how we want to measure it, we won't get any support from leadership" - Alina Yakubenko, Senior Application Security Engineer @ Toast, Inc.

The highly anticipated panel discussion featured on Track 1 of The Elephant in AppSec Conference, which you can now watch back here. With each panelist speaking from invaluable personal experiences, this article breaks down their top takeaways from when they scaled companies' application security protocols and security culture, giving you the full rundown of everything that works, and everything that doesn't.

Track 1 Panel Speakers

Shift left with everything and start with metrics

"[I worked on] shifting the ownership of risk from security teams onto engineering teams so that we can tackle risks in a timely manner and build a culture of trust" - Ariel Shin, Security Engineering Manager at Datadog

Alina emphasizes that you have to shift left with everything. So it's not just about building security earlier into the software development lifecycle (SDLC), though that of course remains important, but before you even begin to build a program, you have to outline what goals you want to achieve by the end and with what metrics are you going to measure those goals.

💡
Find out more about shift left here.

This goes hand-in-hand with working with the people in your teams, across security and development and across all levels of the business. People have passions, and passions become goals, so by recognizing what is important to the different players across the company, you can almagate these to create the top security priorities so that all security doesn't get lost in the noise.

💡
Ariel talks more about the project of "democratizing vulnerability management" in her Elephant in AppSec podcast episode here.

How do you communicate the value of security at scale, and the subsequent time and financial investments it takes? Metrics. With clear measures of how these security priorities will add value to a business, investing in security at scale can become a no-brainer, which then helps get the backing of leadership, who can see the clear value of implementing security. Ariel highlights that "data-driven decisions" can be crucial here, so you could bring in business logic testing and the harnessing of AI to configure application security testing precisely to the company's specific needs.

💡
Escape's latest report uncovering 30,000 uncovered APIs in the Fortune 1000 further highlights the urgent need for security at scale

Create a culture around risk

So you have your priorities, but how do you implement them across thousands of developers, large security teams, and layers of leadership approvals? As Mel says, it's a lot of gathering requirements, interviewing across the company, and you scale on experience and exposure to justify why you need certain tools.

"I had to be the [AppSec] therapist, not the architect, not the CIO. It's like, OK, let's walk through. Why do you need a tool? Let's go ahead." - Mel Reyes, Global CIO and CISO turned Executive Coach and Advisor, Creator of The Fellowship of Digital Guardians

By understanding everybody's pain points and addressing them, you can create a culture around the risk that is perfectly suited to the company. Ariel highlights that it is then about how you interact with engineers, promote awareness on managing and triaging risks to remediate them as quickly as possible. Part of this risk culture is a culture of support, which means reducing the cognitive load on engineers wherever you can.

💡
Agentless API discovery is one way of hugely reducing cognitive load

You achieve this by recognizing the value of all of the different tools in your toolbox, from training to threat modeling to automation for secure defaults. Where the secure defaults don't work for your business needs, security and developers will then come together to create a solution when there is a culture of risk with the shared goals already outlined.

Mentorship and education are part of your security toolbox

Your cybersecurity toolbox is not just technical elements

Security tools are not just lines of code. Having already emphasized the value of recognizing pain points and creating a culture around risk, you also have to recognize that not everybody cares about security. There can be cultural obstacles, where maybe the leadership in application development don't allocate sufficient time to clearing backlogs of critical issues. It then becomes overwhelming to remediate, so we come back to the importance of a security culture from the very beginning. This is where mentorship becomes key.

Mentorship is huge for scaling because often people may try and build a security program, fail, and give up. What the panelists found worked was allowing people to make mistakes and then coaching and mentoring each other to share knowledge and build the culture. This is why education is crucial and must be built into the security framework. As Alina often heard people say, they want to be proficient in security but are unsure where to begin. Building education and mentorship within the framework underlines that the business is passionate about security and wants it at scale. Doing so brings an energy that is transmitted across teams and across levels and helps massively with communication too.

"We have to rely on people, we have to trust them, we have to enable them and let them make mistakes sometimes." - Alina Yakubenko, Senior Product Security Engineer at Toast, Inc.

It's unfair to expect every software engineer to have a passion for security, but championing those who do to lead their teams and influence the others is how you can scale application security. It's of course unfeasible to hire as many security engineers as you may need to handle everything, so it comes down to building up the existing passions for security within the company and making sure that passion spreads. Rewards can be a great way of achieving this. And they don't have to require massive budgets. Many companies use public recognition, or security and mentorship could even be part of people's opportunities for growth.


With innumerable invaluable insights from this panel, but also across the entire Elephant in AppSec Conference, make sure not to miss out on this one-stop shop for all of the biggest topics in application security today.


💡 Want to discover more?