EP 58 — Asana’s Felix Matenaar on Building Resilient Security Practices for the Future

In this episode of the Future of Application Security podcast, Harshil interviews Felix Matenaar, Head of Product Security at Asana. Felix shares insights into his journey from Germany to Silicon Valley, where he transitioned from mobile security to leading Asana’s product security efforts.

The conversation highlights Felix’s experience in creating security frameworks that eliminate vulnerabilities by building secure product lifecycles and ensuring alignment with business objectives. His approach integrates rigorous security measures directly into the development process, reflecting Asana’s commitment to robust, proactive security.

Topics Discussed:

• Felix discusses his transition from software engineering to product security and his strategic move from Google to Asana.
• Strategies for integrating security seamlessly into product development to enhance safety without compromising functionality.
• How robust security measures can speed up business processes and build trust with users.
• The importance of collaboration across different organizational functions to ensure comprehensive security coverage.
• The role of leadership in fostering a security-centric culture within tech companies.
• Insights into upcoming challenges and innovations in the field of application security.

Guest Quotes: 

“The mission is ultimately to eliminate entire classes of vulnerabilities. And that happens through frameworks, guardrails, features that we build into the critical path of serving the user. And the other area of the team is called strategy and assurance. And that’s where we really sort of focus on the software development lifecycle and make sure we ship a secure product. We remediate vulnerabilities, we evaluate risks appropriately, we align with the business.”

“When there’s a well-understood layer of abstraction, whenever you build around those layers of abstractions, you get an adoption problem, right? And so the most transparent security solutions are the ones that basically adhere to existing developer abstractions.”

“I have seen guardrails very effective when they’re built around areas where the company already is using existing frameworks like either has built their own frameworks or your augmenting frameworks.”

“You have to have empathy for your customers and think about the various personas in your customers. On the other hand, just the other way of looking at it is also that as a security leader, in a lot of cases, it’s our job to help manage the risk at the end of the day, and the customer might not understand that it’s their responsibility as well.”

“As a product security team,we see a lot of leverage and making material improvements to the access control framework in order to eliminate certain types of vulnerabilities and then not having to worry about them in security reviews as much.”

Listen to more episodes: 

Listen on Apple

Listen on Spotify