In the episode "Reactive to Proactive" of the podcast Secrets of AppSec Champions, host Chris Lindsey engages with Shashank Balasubramanian, the Head of Application Security at Tripadvisor. Shashank has been managing the application security program at Tripadvisor for over four years, during which he has overseen the transition from a reactive to a proactive security approach. The conversation delves into the distinct characteristics of reactive vs. proactive security programs, highlighting the importance of integrating security measures early in the development process and fostering strong relationships between security teams and developers.

They discuss the significance of implementing the right security tools, such as Software Composition Analysis (SCA) tools, to address third-party vulnerabilities effectively and integrating these tools into the CI/CD pipeline. Shashank emphasizes the value of building a security-aware culture within the development teams through regular training and the establishment of a Security Champion program. These champions, who are trained in security best practices, help scale the security team's efforts by embedding themselves within various development teams, facilitating a proactive approach to security.

The episode also touches on the importance of executive engagement and effective communication regarding the security landscape. By providing detailed reports and metrics to executives, security teams can ensure there is a clear understanding of the program's ROI and reduce the likelihood of surprise incidents. This high-level visibility and proactive security posture ultimately lead to a more robust and efficient security program, enabling the organization to address vulnerabilities before they become significant issues. The conversation sheds light on practical strategies and tools that can help security professionals transition from reactive to proactive security measures, fostering a more secure and resilient organization.

Additional Links:
This podcast has been provided by: Mend.io

Chris Lindsey's LinkedIn account for daily content: https://www.linkedin.com/in/chris-lindsey-39b3915/
AppSecHive - Public community that Chris Lindsey runs: https://www.linkedin.com/company/appsec-hive

In this episode of "Secrets of AppSec Champions" titled "Security Champions," host Chris Lindsey engages with Jigar Shah, an executive global director in the IT identity, access, and application security space, to explore the critical importance of cybersecurity in our increasingly digital and interconnected world. The episode underscores the heightened awareness of security issues among both technical and non-technical individuals. Jigar emphasizes the necessity of ingraining a robust security culture within organizations, stressing the roles of training, resource allocation, and clearly defined responsibilities for security champions. Meanwhile, Chris discusses the initial challenges in launching security programs and highlights the importance of integrating influencers into security teams with transparent communication.

The conversation extends to framing security as an investment rather than a cost, aiming to break down silos between security and development teams. Jigar and Chris both emphasize that with the rise of AI technology, there is an increasing need for integration, collaboration, and healthy debate to drive innovation. Effective communication, continuous training, and development support are deemed essential for empowering security champions within a company. They also discuss ways to incentivize security roles through financial rewards, public recognition, and by bringing dispersed teams together, ensuring that security remains a priority even over product releases. Leaders are called upon to educate and hold teams accountable for the risks and business outcomes associated with inadequate security practices.

The episode concludes with insights into the framework and governance required to run successful security champion programs, emphasizing the need for clear objectives and monitoring. Jigar advocates for influencing without authority by fostering cross-functional meetings and executive buy-in to elevate cybersecurity awareness. Chris suggests recruiting volunteers with a strong desire to learn for the security champion program and underscores the importance of executive support and selecting champions with good technical and communication skills. The episode wraps up with a call-to-action for listeners to subscribe, leave ratings and reviews, and Chris's closing remarks on cultivating a culture where security is everyone's responsibility.

Topics and Time Stamps:
00:00 Enabling Business Success through IT Leadership

05:34 The Role of Executive Buy-In in Program Success

08:46 Effective Strategies for Recruiting Security Champions

11:06 Encouraging Cybersecurity Awareness and Engagement in Organizations

16:54 Advancing Careers Through Specialized Database Work

18:50 Developing Organizational Culture and Empowering Influencers

24:02 Maximizing Business Value Through IT Department Management

27:07 Incentivizing Dispersed Teams: Building Unity

28:57 The Importance of Reward and Recognition for Motivation

31:52 Leadership Responsibility in Educating Peers on Risks

37:14 Promoting a Culture of Shared Responsibility in Security Leadership

38:22 Maximizing Appsec Champions: Subscriptions, Ratings, and Discovery

For more amazing application security information, please visit the following LinkedIn communities:
https://www.linkedin.com/in/chris-lindsey-39b3915/
https://www.linkedin.com/company/appsec-hive

In Episode 03 of Secrets of AppSec Champions podcast titled "Compromised: Proactive to Reactive," hosts Chris Lindsey and guest Phil Guimond tackle the critical distinctions between proactive and reactive security strategies. They emphasize the importance of access logging and visibility in detecting compromises early, pointing out how changes in access logs can signal potential threats. They stress the necessity of implementing secure, tamper-proof log storage and discuss automation solutions like the "Have I Been Pwned" API and CAPTCHA to mitigate risks such as account takeovers.

The discussion extends to network security, highlighting the dangers of rushed setups that overlook essential measures like network segmentation and client isolation. They examine the risks associated with flat networks in office environments and how external threats can penetrate poorly segmented Wi-Fi networks. Additionally, the episode covers the significance of managing software dependencies, advocating for regular updates to dependencies and leveraging multiple sources to detect vulnerabilities beyond the National Vulnerability Database (NVD). The utilization of container technologies like Kubernetes and Docker is highlighted for their ability to seamlessly update images and pods, thereby enhancing security.

Finally, Chris and Phil underscore the importance of proper repository management, focusing on active projects and addressing outdated or unused code that poses security risks. Training developers in security practices and involving security professionals who can write code are presented as key strategies for proactive security. Chris and Phil also acknowledge the challenges of finding and retaining skilled security personnel while encouraging the audience to engage with the podcast and provide feedback. Together, they advocate for a balanced approach to security—automating where possible, prioritizing proactive measures, and continuously improving the organization's overall security posture.

Key Topics with Time Stamps
00:00 Password Reuse Across Websites: Detection Methods

06:06 Managing Security Challenges and Password Reuse

08:30 Challenges of Unused Code in Development Projects

10:19 Managing Data Overload with GitHub API

15:33 The Risks of Network Interconnected Cloud Access

17:32 Security Risks of IP Whitelisting in Cloud Hadoop Clusters

20:23 Securing Network Logs from Tampering

24:12 The Impact of NVD Pausing on Vulnerability Detection

26:23 Efficiently Addressing Container Image Vulnerabilities

31:17 The Importance of Developer Training Over Tools

35:43 Tools for High-Level Security Posture Overview

38:13 The Vital Importance of App Security Leaders

Chris Lindsey LinkedIn: https://www.linkedin.com/in/chris-lindsey-39b3915/
AppSec Hive LinkedIn: https://www.linkedin.com/company/appsec-hive/