Best of the Brunch: Our Leaders in AppSec Share Their Wisdom
Throughout my career as an AppSec professional, I have been fortunate to meet and network with some of the industry's most incredible talent, each making their mark in helping to secure and strengthen the world's ever-increasing webs of code. At this stage in my journey (with a little more knowledge and a lot less hair!), I am often asked to speak to the future stars of software security, and it's a gig I love. However, I also understand just how important it is to be visible as a leader and mentor to those who are looking to stand tall and grow into their roles.
Recently, I was in London with some of the Secure Code Warrior team, and we hosted a brunch event with the aim of getting a handful of AppSec superstars together for networking, insights and a pastry or two. In front of more than sixty invitees, they imparted their wealth of expertise as part of an expert panel, getting everyone excited about the future of application security.
Addressing hot-button issues like how to make the most of an organization's AppSec budget, as well as several curly questions from the audience, the panel delivered some real morning magic that will undoubtedly help security managers, specialists and their developers build out viable programs within their organizations.
We were privileged to host the following leaders for the panel, "Tools vs. People: Is Your AppSec Budget Adequately Addressing Both?":
- Vincent Gilbert, CISO, Societe Generale
- Cédric Lévy-Bencheton, CEO, Cetome
- Reena Shah, Head of Security & Privacy Culture and Awareness, M&G Prudential
- Lee Thurlow, Global AppSec Director, Pearson
- Lewis Bramfitt, Managing Director, Bramfitt Lab.
Each speaker shared their thoughts on the AppSec tools landscape (spoilers: with many organizations generating so much software, it can be a minefield selecting tools that perform every function you require. After all, no singular tool can cover it all).
Reena Shah also made an interesting point. In just a few short years, we have seen a positive shift in the perception of AppSec within large organizations, allowing for a critical element to start taking shape - the investment in people to uphold security best practice and culture:
"I think it is changing. When I started this four years ago, trying to get a budget and team when it comes to security culture and awareness was really difficult. And what I am finding now is that it is not my challenge anymore. It's very easy for me to say, 'this is the budget I need, these are the people I need, to reduce risks.' I'm seeing a massive shift, and I think that's because the board - and the C-Suite - are understanding how important it is to provide funding to assist us in reducing security incidents," she said.
You can watch the full panel right now:
For me, it is incredibly refreshing to see the future of AppSec incorporating an emphasis on the right training and knowledge for the developers on the front lines, allowing them to form a solid defense against age-old vulnerabilities that still rear their ugly heads.
Tools provide one level of support, but really - it's time we faced facts. We simply need to stop repeating the same mistakes.
Closing the AppSec Error Loop
As part of the Leaders in AppSec brunch, I also delivered a presentation on how we can address the costly, ongoing issue of the same security vulnerabilities appearing over and over again. Tools might find them, but they're not doing much to prevent them. Developers need to be given the right training to stop their introduction in the first place.
And, well, we developers are a funny bunch. Some training is much more effective than others when it comes to engagement and retention. You can watch my presentation in full here:
An emphasis on security training, as well as general awareness and a positive culture between developers and AppSec, is like kryptonite to an attacker. Those little back-door openings shut, those easy ways to our data dry up, and security superheroes work together to make security synonymous with software quality.
Slowly, but surely, we're getting there.
Pieter Danhieux, Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years' experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.