How to Help Developers Find Security Issues That Matter with Stripe’s AppSec Manager Rajat Bhargav
How do you help developers find what security issues actually matter?
On a recent episode of the Future of Application Security, Stripe’s Application Security Manager, Rajat Bhargav, shared his views. Here’s what Rajat advises teams to do:
“Make it actionable for the developer. Like when an issue shows up for them, give them the full context and give them the full action of what it should be, what they actually need to do. And so it shouldn’t be something like just saying cross-site scripting, where they have to go figure out what cross-site scripting is and go search in Google like “how to fix cross-site scripting”. Basically tell them how to fix cross-site scripting in the context of the company. Like, there might be different functions that you provide. So make it very actionable. Again, it’s easy to say it should be prioritized, but it’s a very challenging thing. Like, how do you prioritize those things? So one of the things that I like is having a flexible program. Start with something and keep on growing on it. Like you don’t have to have the most perfect thing right away. So the thing that we’re trying to do with the prioritization is that we say take a few rules saying that if the service in which an issue is found is an external service, or an internal service, prioritize it in a different way, right? Or maybe just start with like, is it in PCI scope or not in PCI scope, then it’s a high priority. Start with these few rules and start building upon them then, right? The other concept there is also like, is this issue found on a domain that is being attacked by attackers all the time, right? If it is, then it’s a higher priority than something that attackers don’t really attack that much, right? So that prioritization grows with time, but starts somewhere with the priority so that developers know exactly which ones to tackle first.”
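The rule-based prioritization Rajat describes (external vs. internal service, PCI scope, a domain that is attacked all the time) and the company-specific fix text can be sketched in a few lines. This is an added example, not Stripe's or Tromzo's code; the service names, rule weights, finding records and the in-house helper names in the remediation strings are all constructed for illustration.

```python
"""Start with a few prioritization rules, grow them over time, and attach a
company-specific fix to each finding rather than a bare vulnerability class.
All services, weights, findings and helper names below are constructed."""
from dataclasses import dataclass

@dataclass
class Finding:
    id: str
    vuln_class: str          # e.g. "xss", "sqli"
    service: str
    external: bool           # reachable from the internet?
    pci_scope: bool          # handles cardholder data?
    attacked_domain: bool    # domain sees constant attacker traffic?

# Each rule is (name, predicate, weight); growing the program is one more tuple.
RULES = [
    ("external service", lambda f: f.external, 3),
    ("in PCI scope", lambda f: f.pci_scope, 4),
    ("domain under constant attack", lambda f: f.attacked_domain, 2),
]

# Company-specific remediation: name the in-house function to call
# (hypothetical helper names), not a generic description of the bug class.
REMEDIATION = {
    "xss": "Render untrusted strings through templating.escape_html() before output.",
    "sqli": "Use db.query(sql, params) with bound parameters; never format SQL strings.",
}

def score(finding: Finding) -> tuple:
    """Return (priority score, names of the rules that fired)."""
    hits = [(name, w) for name, pred, w in RULES if pred(finding)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def prioritise(findings: list) -> list:
    """Sort findings highest priority first, each with its context and fix."""
    rows = []
    for f in findings:
        total, fired = score(f)
        rows.append({
            "id": f.id, "service": f.service, "score": total, "why": fired,
            "fix": REMEDIATION.get(f.vuln_class, "Consult AppSec for remediation guidance."),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":  # constructed sample findings
    for row in prioritise([Finding("F-1", "xss", "admin-dashboard", False, False, False),
                           Finding("F-2", "sqli", "checkout-api", True, True, True)]):
        print(row)
```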
Check out Rajat’s full episode here: How Stripe Built a Highly Scalable AppSec Program: https://tromzo.com/podcasts/rajat-bhargava-appsec