EP 49 — Colleen Dai on Building Security Strategies and Relationships with Other Teams
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Colleen Dai. They discuss strategies security teams can take to reduce false positives, use secure defaults to eliminate bug classes, and reduce complexity in security decision-making. They also talk about ways to build the relationships between security, developers, and engineers, which includes aligning on goals, communication, and recognition.
- Colleen’s background and what her security research role at Semgrep entails.
- How to use secure defaults to eliminate bug classes and reduce the complexity in security decisions.
- How to reduce false positives by writing rules and checks, especially ones that are customized to your organization.
- How to better align the goals of security and developers by focusing on creating good software — and good software is secure software.
- How to build relationships with engineers through communication and recognition, not just talking through Jira tickets.
- Why security and developers still struggle with cross-site scripting and how it can be fixed.
“I believe a lot in secure defaults, in using secure defaults to eliminate bug classes. And eliminating bug classes is important because we talked about sort of how it can have compounding effects for your AppSec team and also about how you can use these to eliminate the OWASP Top Ten. But essentially using secure defaults can be pretty effective because you’re really just compounding something that might take a long time and a long process into a binary question of, oh, is this person using our secure default or not? And that just becomes an easier question to answer.” (7:13-7:53)
“Focusing on custom rules and making sure that your checks are really dedicated to a specific business logic or to your specific coding practices really helps reduce false positives. Working at Semgreb, what we’ve seen over and over again is that your custom rules are the ones that developers fix.” (9:00)
“Good software is secure software. Developers know this and want to write good software. So if we’re able to make sure that our goals are aligned, that security isn’t blocking developers or blocking feature releases, it really helps move forward the conversation.” (11:16)
“If we want to build good relationships with engineering teams, you have to talk to the engineers. You have to make sure that you have influence on some of the people in the engineering team … and really just make friends with them.” (13:42)
“Instead of this culture of fear and, ‘Oh, you did this wrong’ — instead, we want to have a culture of making sure that people are recognized, that they feel happy when they complete something that’s a security ask.” (14:27)
On a recent episode of the Future of Application Security podcast, Curtis Koenig, Head of Application Security at Gen, talked about how he's able to understand security...Read more
On a recent episode of the Future of Application Security podcast, Arthur Loris, Senior Manager, Product Security at Ping Identity, talked about how the biggest challenge to...Read more