EP 36 — Highspot’s Joe Basirico on How to Build Security by Building Trust


In this episode of the Future of Application Security, Harshil speaks with Joe Basirico, Senior Director of Product Security at Highspot, a sales enablement platform. They discuss how product security’s evolution has increased its focus on relationships and trust-building, why security is like fixing a leaky faucet, and how to prioritize for more efficiency and impact. They also discuss where product security is going and how AI will help it get there, the elements for security at scale, and how to better collaborate with developers.

Topics discussed:

  • Why Joe “fell in love with security” and how his career evolved from developer to pen test to trainer, back to developer, and now to leader of a product security team.
  • How product security has shifted to building trust and relationships among teams and customers — and why you should hire for hard and soft skills like empathy.
  • Why security is like a leaky faucet, and why you should turn off the tap (that is, fix the influx of vulnerabilities) before you spend time cleaning up the mess.
  • How to prioritize what to focus on first, and why execution trumps prioritization when it comes to getting stuff done.
  • What Joe does to make developers more successful through collaboration and solving problems together.
  • The three elements Joe considers key for security at scale: awareness, enablement, and detection.
  • The ways in which Joe and the security team distribute knowledge across the organization, including “hijacking October” for talks during Cybersecurity Awareness Month.
  • What the future of product security will look like, and how AI tools will play a role in shaping it.


Guest Quotes: 

  1. “A big change in the last few years has been a focus on relationships and a focus on trust as a cornerstone of security. So when I think about security, we actually frame that as trust more than security.” (4:05)
  2. “You have to take that same analogy with software security. … Once we stop and turn off those taps, then we can go and clean up everywhere else. That’s hard because traditionally, we come from a culture of, ‘find a vulnerability, fix a vulnerability.’ But in reality we need to think about those themes across the entire product.” (11:21)
  3. “Security enablement is all about helping developers go fast. … Every time, I want them to be able to make good security decisions with either the tooling that they have at their fingertips, good defaults and good libraries, good frameworks, and things like that.” (23:08)
  4. “If we had a magic wand, what would we do in order to have the biggest impact in security? And a lot of that was around secure defaults and secure libraries and frameworks. And it’s great to see that coming to fruition.” (31:06)
  5. “An attacker doesn’t care if that vulnerability is in your base image or in a library or in the code you wrote. They’re going to exploit it in the same way. And so we need to think about that more holistically.” (7:32)