Best of the Brunch: Our Leaders in AppSec Share Their Wisdom
Throughout my career as an AppSec professional, I have been fortunate to meet and network with some of the industry's most incredible talent, each making their mark in helping to secure and strengthen the world's ever-increasing webs of code. At this stage in my journey (with a little more knowledge and a lot less hair!), I am often asked to speak to the future stars of software security, and it's a gig I love. However, I also understand just how important it is to be visible as a leader and mentor to those who are looking to stand tall and grow into their roles.
Recently, I was in London with some of the Secure Code Warrior team, and we hosted a brunch event with the aim of getting a handful of AppSec superstars together for networking, insights and a pastry or two. In front of more than sixty invitees, they imparted their wealth of expertise as part of an expert panel, getting everyone excited about the future of application security.
Addressing hot-button issues like how to make the most of an organization's AppSec budget, as well as several curly questions from the audience, the panel delivered some real morning magic that will undoubtedly help security managers, specialists and their developers build out viable programs within their organizations.
We were privileged to host the following leaders for the panel, Tools Vs. People: Is Your AppSec Budget Adequately Addressing Both?
- Vincent Gilbert, CISO, Societe Generale
- C̩dric Levy-B̩ncheton, CEO, Cetome
- Reena Shah, Head of Security & Privacy Culture and Awareness, M&G Prudential
- Lee Thurlow, Global AppSec Director, Pearson
- Lewis Bramfitt, Managing Director, Bramfitt Lab.
Each speaker shared their thoughts on the AppSec tools landscape (spoilers: with many organizations generating so much software, it can be a minefield selecting tools that perform every function you require. After all, no singular tool can cover it all).
Reena Shah also made an interesting point. In just a few short years, we have seen a positive shift in the perception of AppSec within large organizations, allowing for a critical element to start taking shape - the investment in people to uphold security best practice and culture:
"I think it is changing. When I started this four years ago, trying to get a budget and team when it comes to security culture and awareness was really difficult. And what I am finding now, is that it is not my challenge anymore. It's very easy for me to say, "this is the budget I need, these are the people I need, to reduce risks. I'm seeing a massive shift, and I think that's because the board - and the C-Suite - are understanding how important it is to provide funding to assist us in reducing security incidents." She said.
You can watch the full panel right now:
For me, it is incredibly refreshing to see the future of AppSec incorporating an emphasis on the right training and knowledge for the developers on the front lines, allowing them to form solid defense against age-old vulnerabilities that still rear their ugly head.
Tools provide one level of support, but really - it's time we faced facts. We simply need to stop repeating the same mistakes.
Closing the AppSec Error Loop
As part of the Leaders in AppSec brunch, I also delivered a presentation on how we can address the costly, ongoing issue of the same security vulnerabilities appearing over and over again. Tools might find them, but they're not doing much to prevent them. Developers need to be given the right training to stop their introduction in the first place.
And, well, us developers are a funny bunch. Some training is much more effective than others when it comes to engagement and retention. You can watch my presentation in full here:
An emphasis on security training, as well as general awareness and a positive culture between developers and AppSec is like kryptonite to an attacker. Those little back-door openings shut, those easy ways to our data dry up, and security superheroes are working together to make security synonymous with software quality.
Slowly, but surely, we're getting there.
Addressing hot-button issues like how to make the most of an organization's AppSec budget, as well as several curly questions from the audience, the Leaders in AppSec panel delivered some real morning magic that will help security specialists build out viable programs within their organizations.
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
Throughout my career as an AppSec professional, I have been fortunate to meet and network with some of the industry's most incredible talent, each making their mark in helping to secure and strengthen the world's ever-increasing webs of code. At this stage in my journey (with a little more knowledge and a lot less hair!), I am often asked to speak to the future stars of software security, and it's a gig I love. However, I also understand just how important it is to be visible as a leader and mentor to those who are looking to stand tall and grow into their roles.
Recently, I was in London with some of the Secure Code Warrior team, and we hosted a brunch event with the aim of getting a handful of AppSec superstars together for networking, insights and a pastry or two. In front of more than sixty invitees, they imparted their wealth of expertise as part of an expert panel, getting everyone excited about the future of application security.
Addressing hot-button issues like how to make the most of an organization's AppSec budget, as well as several curly questions from the audience, the panel delivered some real morning magic that will undoubtedly help security managers, specialists and their developers build out viable programs within their organizations.
We were privileged to host the following leaders for the panel, Tools Vs. People: Is Your AppSec Budget Adequately Addressing Both?
- Vincent Gilbert, CISO, Societe Generale
- C̩dric Levy-B̩ncheton, CEO, Cetome
- Reena Shah, Head of Security & Privacy Culture and Awareness, M&G Prudential
- Lee Thurlow, Global AppSec Director, Pearson
- Lewis Bramfitt, Managing Director, Bramfitt Lab.
Each speaker shared their thoughts on the AppSec tools landscape (spoilers: with many organizations generating so much software, it can be a minefield selecting tools that perform every function you require. After all, no singular tool can cover it all).
Reena Shah also made an interesting point. In just a few short years, we have seen a positive shift in the perception of AppSec within large organizations, allowing for a critical element to start taking shape - the investment in people to uphold security best practice and culture:
"I think it is changing. When I started this four years ago, trying to get a budget and team when it comes to security culture and awareness was really difficult. And what I am finding now, is that it is not my challenge anymore. It's very easy for me to say, "this is the budget I need, these are the people I need, to reduce risks. I'm seeing a massive shift, and I think that's because the board - and the C-Suite - are understanding how important it is to provide funding to assist us in reducing security incidents." She said.
You can watch the full panel right now:
For me, it is incredibly refreshing to see the future of AppSec incorporating an emphasis on the right training and knowledge for the developers on the front lines, allowing them to form solid defense against age-old vulnerabilities that still rear their ugly head.
Tools provide one level of support, but really - it's time we faced facts. We simply need to stop repeating the same mistakes.
Closing the AppSec Error Loop
As part of the Leaders in AppSec brunch, I also delivered a presentation on how we can address the costly, ongoing issue of the same security vulnerabilities appearing over and over again. Tools might find them, but they're not doing much to prevent them. Developers need to be given the right training to stop their introduction in the first place.
And, well, us developers are a funny bunch. Some training is much more effective than others when it comes to engagement and retention. You can watch my presentation in full here:
An emphasis on security training, as well as general awareness and a positive culture between developers and AppSec is like kryptonite to an attacker. Those little back-door openings shut, those easy ways to our data dry up, and security superheroes are working together to make security synonymous with software quality.
Slowly, but surely, we're getting there.
Throughout my career as an AppSec professional, I have been fortunate to meet and network with some of the industry's most incredible talent, each making their mark in helping to secure and strengthen the world's ever-increasing webs of code. At this stage in my journey (with a little more knowledge and a lot less hair!), I am often asked to speak to the future stars of software security, and it's a gig I love. However, I also understand just how important it is to be visible as a leader and mentor to those who are looking to stand tall and grow into their roles.
Recently, I was in London with some of the Secure Code Warrior team, and we hosted a brunch event with the aim of getting a handful of AppSec superstars together for networking, insights and a pastry or two. In front of more than sixty invitees, they imparted their wealth of expertise as part of an expert panel, getting everyone excited about the future of application security.
Addressing hot-button issues like how to make the most of an organization's AppSec budget, as well as several curly questions from the audience, the panel delivered some real morning magic that will undoubtedly help security managers, specialists and their developers build out viable programs within their organizations.
We were privileged to host the following leaders for the panel, Tools Vs. People: Is Your AppSec Budget Adequately Addressing Both?
- Vincent Gilbert, CISO, Societe Generale
- C̩dric Levy-B̩ncheton, CEO, Cetome
- Reena Shah, Head of Security & Privacy Culture and Awareness, M&G Prudential
- Lee Thurlow, Global AppSec Director, Pearson
- Lewis Bramfitt, Managing Director, Bramfitt Lab.
Each speaker shared their thoughts on the AppSec tools landscape (spoilers: with many organizations generating so much software, it can be a minefield selecting tools that perform every function you require. After all, no singular tool can cover it all).
Reena Shah also made an interesting point. In just a few short years, we have seen a positive shift in the perception of AppSec within large organizations, allowing for a critical element to start taking shape - the investment in people to uphold security best practice and culture:
"I think it is changing. When I started this four years ago, trying to get a budget and team when it comes to security culture and awareness was really difficult. And what I am finding now, is that it is not my challenge anymore. It's very easy for me to say, "this is the budget I need, these are the people I need, to reduce risks. I'm seeing a massive shift, and I think that's because the board - and the C-Suite - are understanding how important it is to provide funding to assist us in reducing security incidents." She said.
You can watch the full panel right now:
For me, it is incredibly refreshing to see the future of AppSec incorporating an emphasis on the right training and knowledge for the developers on the front lines, allowing them to form solid defense against age-old vulnerabilities that still rear their ugly head.
Tools provide one level of support, but really - it's time we faced facts. We simply need to stop repeating the same mistakes.
Closing the AppSec Error Loop
As part of the Leaders in AppSec brunch, I also delivered a presentation on how we can address the costly, ongoing issue of the same security vulnerabilities appearing over and over again. Tools might find them, but they're not doing much to prevent them. Developers need to be given the right training to stop their introduction in the first place.
And, well, us developers are a funny bunch. Some training is much more effective than others when it comes to engagement and retention. You can watch my presentation in full here:
An emphasis on security training, as well as general awareness and a positive culture between developers and AppSec is like kryptonite to an attacker. Those little back-door openings shut, those easy ways to our data dry up, and security superheroes are working together to make security synonymous with software quality.
Slowly, but surely, we're getting there.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
Throughout my career as an AppSec professional, I have been fortunate to meet and network with some of the industry's most incredible talent, each making their mark in helping to secure and strengthen the world's ever-increasing webs of code. At this stage in my journey (with a little more knowledge and a lot less hair!), I am often asked to speak to the future stars of software security, and it's a gig I love. However, I also understand just how important it is to be visible as a leader and mentor to those who are looking to stand tall and grow into their roles.
Recently, I was in London with some of the Secure Code Warrior team, and we hosted a brunch event with the aim of getting a handful of AppSec superstars together for networking, insights and a pastry or two. In front of more than sixty invitees, they imparted their wealth of expertise as part of an expert panel, getting everyone excited about the future of application security.
Addressing hot-button issues like how to make the most of an organization's AppSec budget, as well as several curly questions from the audience, the panel delivered some real morning magic that will undoubtedly help security managers, specialists and their developers build out viable programs within their organizations.
We were privileged to host the following leaders for the panel, Tools Vs. People: Is Your AppSec Budget Adequately Addressing Both?
- Vincent Gilbert, CISO, Societe Generale
- C̩dric Levy-B̩ncheton, CEO, Cetome
- Reena Shah, Head of Security & Privacy Culture and Awareness, M&G Prudential
- Lee Thurlow, Global AppSec Director, Pearson
- Lewis Bramfitt, Managing Director, Bramfitt Lab.
Each speaker shared their thoughts on the AppSec tools landscape (spoilers: with many organizations generating so much software, it can be a minefield selecting tools that perform every function you require. After all, no singular tool can cover it all).
Reena Shah also made an interesting point. In just a few short years, we have seen a positive shift in the perception of AppSec within large organizations, allowing for a critical element to start taking shape - the investment in people to uphold security best practice and culture:
"I think it is changing. When I started this four years ago, trying to get a budget and team when it comes to security culture and awareness was really difficult. And what I am finding now, is that it is not my challenge anymore. It's very easy for me to say, "this is the budget I need, these are the people I need, to reduce risks. I'm seeing a massive shift, and I think that's because the board - and the C-Suite - are understanding how important it is to provide funding to assist us in reducing security incidents." She said.
You can watch the full panel right now:
For me, it is incredibly refreshing to see the future of AppSec incorporating an emphasis on the right training and knowledge for the developers on the front lines, allowing them to form solid defense against age-old vulnerabilities that still rear their ugly head.
Tools provide one level of support, but really - it's time we faced facts. We simply need to stop repeating the same mistakes.
Closing the AppSec Error Loop
As part of the Leaders in AppSec brunch, I also delivered a presentation on how we can address the costly, ongoing issue of the same security vulnerabilities appearing over and over again. Tools might find them, but they're not doing much to prevent them. Developers need to be given the right training to stop their introduction in the first place.
And, well, us developers are a funny bunch. Some training is much more effective than others when it comes to engagement and retention. You can watch my presentation in full here:
An emphasis on security training, as well as general awareness and a positive culture between developers and AppSec is like kryptonite to an attacker. Those little back-door openings shut, those easy ways to our data dry up, and security superheroes are working together to make security synonymous with software quality.
Slowly, but surely, we're getting there.
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Resources to get you started
10 Key Predictions: Secure Code Warrior on AI & Secure-by-Design’s Influence in 2025
Organizations are facing tough decisions on AI usage to support long-term productivity, sustainability, and security ROI. It’s become clear to us over the last few years that AI will never fully replace the role of the developer. From AI + developer partnerships to the increasing pressures (and confusion) around Secure-by-Design expectations, let’s take a closer look at what we can expect over the next year.
OWASP Top 10 For LLM Applications: What’s New, Changed, and How to Stay Secure
Stay ahead in securing LLM applications with the latest OWASP Top 10 updates. Discover what's new, what’s changed, and how Secure Code Warrior equips you with up-to-date learning resources to mitigate risks in Generative AI.
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.