EP 44 — Workrise’s Tim Kelly on How to Build a Data-Driven Application Security Program

In this episode of the Future of Application Security, Harshil speaks with Tim Kelly, Director, Security Engineering at Workrise, a technology company with a platform that supports the energy workforce. They discuss the importance of collecting, storing, and analyzing data in order to enhance application security efforts, and how to go about building a data program that does that. They also discuss the ways in which you can use data to inform your security efforts, how to use data to help you inventory and prioritize vulnerability management, how to get to a 100% success rate with data-backed solutions, and what the future of data-driven application security will look like.

Topics discussed:

• How Tim’s background in experimental psychology and data analytics informs his work as the Director of Security Engineering.
• The definition of data engineering and how the practice can apply to application security.
• Why data is important for security and how a big part of collecting and analyzing data for its insights is because “you can’t secure what you can’t see.”
• How to play into your strengths when building a data program by looking at your current capabilities, including leveraging a business insights team.
• How you can use data to determine the efficiency of your vulnerability management program, how to monitor performance, and how to find out where your efforts are producing the most value.
• The benefits of using data to inform your security approach, and how to get to 100% success rates with fixes by doing so.
• What the future of application security will look like and how teams can integrate more data analysis practices.

Guest Quotes: 

“Your data lake is going to be your ability to correlate and pull disparate data sources in together to start to build a story. My approach was just go start looking at the data. What sort of insights can you see? It becomes a very creative approach from an analyst perspective.” (7:44)

“Most organizations these days are going to be using some form of data warehouse. So start there, see what do you already have and how can you play to your strengths and then what are some of the tools and systems that you can get that can easily plug in?” (10:59)

“You’ve got to be able to see patterns and think about that within a security context of, What is it that I’m looking for? What are the risks that I’m trying to prevent? And then how do I build a system that’s easy and has very low signal to noise ratio?” (12:08)

“In any detection response program, there’s a massive amount of noise and you need to be very conscious of your signal to noise ratio and make sure that you’re looking at the things you really think are most important and actionable and you’re measuring that.” (13:19)

“When we start looking at the data and we start looking at anomalous behavior… We correlate that with the data that we have to then determine, okay, if we’re going to secure the SDLC, what is the most important thing that we look at?” (20:24)