EP 60 – Appian’s Abdullah Munawar on Enhancing Product Security Amid Evolving Development Trends

In this episode of the Future of Application Security podcast, Harshil speaks with Abdullah Munawar, Director of Product Security at Appian. Abdullah shares valuable insights into his journey from security assessments and consulting to leading product security efforts, discussing the evolving challenges and strategies for building effective security programs in modern development environments.

He discussed the importance of evolving security practices beyond identification to implementation within organizations, including the need for a holistic approach to product security and focusing on high-priority vulnerabilities. Abdullah also explains the challenges of maintaining data quality in AI companies.

Topics discussed:

• The transition from consulting to in-house product security and the importance of hands-on experience in understanding the challenges of implementing security fixes and mechanisms.
• Defining the scope of product security in the context of decentralized development practices and the shift towards “you build it, you manage it” approaches.
• The changing role and structure of product security teams to address the full stack of security concerns, from architecture and automation to traditional AppSec tasks.
• Strategies for driving remediation and adoption of security practices, including leadership buy-in, targeted automation, and empathy-building initiatives like security champion programs.
• Emerging challenges in product security related to AI and data management, such as data poisoning, segregation, and unintended leakage.

Guest Quotes:

“You don’t know how difficult implementing some kind of security mechanism is until you’re sitting there side by side with a dev team and attempting to walk them through or working with them to implement something, it’s very humbling. It’s very challenging. And so I felt like I wanted that, that challenge in my career, and I’m really enjoying it so far.”

“So when we talk about, or at least in my opinion, when we talk about product security, I feel like it’s a bit more of a holistic term than just at that web application layer where you really are looking at the full stack of what’s being deployed and managed.”

“You really need to be feature focused. And in those different areas of concentration, you really want to grow it up to potentially have it be multiple teams within even the same program where you have an architecture team or a cloud-native architecture team that’s driving threat modeling and architecture reviews and architecture secure architecture by default.”

“I always recommend for organizations like as a security professional, speak with your manager, go be a developer for a couple of sprints. You’re going to understand empathy in a way that you’ve never understood before.”

“If that data is able to be tainted, manipulated, poisoned in some way, you’re going to get a negative result. You’re going to get a result that you don’t really want or unintended. From a security standpoint, that’s a big concern.”

Listen to more episodes: 

Listen on Apple

Listen on Spotify