How to Help Developers Find Security Issues That Matter with Stripe’s AppSec Manager Rajat Bhargav

How do you help developers find what security issues actually matter?

On a recent episode of the Future of Application Security, Stripe’s Application Security Manager, Rajat Bhargav, shared his views. Here’s what Rajat advises teams to do:

“Make it actionable for the developer. Like when an issue shows up for them, give them the full context and give them the full action of what it should be, what they actually need to do. And so it shouldn’t be something like just say cross-site scripting, they have to go figure out what cross-site scripting is and go search in Google like ‘how to fix cross-site scripting’. Basically tell them how to fix cross-site scripting in the context of the company. Like, there might be different functions that you provide. So make it very actionable. Again, it’s easy to say it should be prioritized, but it’s a very challenging thing. Like, how do you prioritize those things? So one of the things that I like is having a flexible program. Start with something and keep on growing on it. Like you don’t have to have the most perfect thing right away. So the thing that we’re trying to do with the prioritization is that we say take a few rules saying that if the service that an issue is found in is an external service, or internal service, prioritize it in a different way, right? Or maybe just start with like, is it in a PCI scope or not in a PCI scope, then it’s a high priority. Start with these few rules and start building upon it then, right? The other concept there is also like, is this issue found on a domain that is being attacked by attackers all the time, right? If it is, then it’s a higher priority than something that attackers don’t really attack that much, right? So that prioritization grows with time, but starts somewhere with the priority so that developers know exactly which ones to tackle first.”
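To make the “start with a few rules and grow” idea concrete, here is an added example (not Stripe’s code or anything shown in the episode) of a small rule-based triage: each finding is scored by an ordered, extensible list of rules (external exposure, PCI scope, attack pressure) and handed back with company-specific fix guidance instead of a bare issue name. The finding fields, rule weights, thresholds, sample findings and guidance text are all assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    issue: str            # short issue key, e.g. "xss" (assumed vocabulary)
    service: str
    exposure: str         # "external" or "internal"
    pci_scope: bool       # whether the service handles cardholder data
    attack_pressure: str  # "high" or "low": how often attackers probe this domain

# Guidance written for this hypothetical company's own helpers, so the developer
# gets the fix in context rather than a generic issue name to search for.
GUIDANCE = {
    "xss": "Render untrusted values through the shared escaping helper; never concatenate into HTML.",
    "sqli": "Use the internal parameterised query API; never format user input into SQL text.",
}

# Each rule returns (points, reason) or None. The list is meant to be appended to
# as the program matures; the weights below are illustrative assumptions.
RULES = [
    lambda f: (3, "externally reachable") if f.exposure == "external" else None,
    lambda f: (3, "in PCI scope") if f.pci_scope else None,
    lambda f: (2, "domain under constant attack") if f.attack_pressure == "high" else None,
]

def score(f: Finding) -> tuple[int, list[str]]:
    """Sum the points of every rule that fires and keep the reasons for the developer."""
    hits = [r for r in (rule(f) for rule in RULES) if r is not None]
    return sum(p for p, _ in hits), [why for _, why in hits]

def level(points: int) -> str:
    return "high" if points >= 5 else "medium" if points >= 2 else "low"

def triage(findings: list[Finding]) -> list[dict]:
    """Return findings highest priority first, each with reasons and actionable guidance."""
    rows = []
    for f in findings:
        points, reasons = score(f)
        rows.append({"service": f.service, "issue": f.issue, "points": points,
                     "level": level(points), "reasons": reasons,
                     "guidance": GUIDANCE.get(f.issue, "No company-specific guidance yet: add one.")})
    return sorted(rows, key=lambda r: r["points"], reverse=True)

# Constructed sample findings (not real services or results).
SAMPLE_FINDINGS = [
    Finding("sqli", "internal-reporting", "internal", False, "low"),
    Finding("xss", "checkout-web", "external", True, "high"),
    Finding("xss", "docs-site", "external", False, "low"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f"[{row['level']}] {row['service']} {row['issue']}: {row['guidance']} ({', '.join(row['reasons'])})")
```

Adding a rule (for example, a bump for services holding secrets) is a one-line append to RULES, which is the “grow on it” property the quote asks for.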

Check out Rajat’s full episode here: How Stripe Built a Highly Scalable AppSec Program: https://tromzo.com/podcasts/rajat-bhargava-appsec 