EP 28 — Injecting Better Security into Products and Processes with Dremio’s Emre Saglam
In this episode of the Future of Application Security, Harshil speaks with Emre Saglam, Head of Security and Compliance at Dremio, a data lakehouse that empowers data engineers and analysts with easy-to-use self-service SQL analytics. They discuss the current state of AppSec, including how to improve security by prioritizing business implications, using frameworks, and having tools “closer to the ground.” They also talk about how to structure security teams, how much time you should spend with product teams, what skills are needed for future success, and more.
- Emre’s career evolution in security, from breaking into mailboxes as a kid growing up in Turkey, to starting a Linux group in the 1990s, to working at places like World Bank and Salesforce before becoming the Head of Security and Compliance at Dremio.
- The current challenges of Product Security, including the need for bigger companies to create ways to glue together their disconnections, and why security teams need to prioritize overall business implications and impact.
- How security is improving through the use of frameworks and tools that are “closer to the ground,” making security easier to scale.
- Why security teams should adopt strategies like injecting security across each phase of product development, and why security teams should spend more time with the product team.
- How to structure security teams in terms of which skills to hire, how much time to dedicate to the product side, how to keep up morale and motivation, and how to align teams to create secure products for customers.
- How security teams can bring attention to areas where they may need more resources, planning, or prioritization, and why alignment with leadership is key.
- Why curiosity, questioning intention, being firm, having a Plan B, and good communication are skills that security team members must acquire in order to be successful.
- Why the future of product security lies in better correlation, deduplication, and fewer false positives, and how AI will contribute to writing better code.
“I think you should definitely spend some of your time with the product teams. And that’s a different world there. It’s not engineering, it’s not business. It’s actually where the recipe for the cook is, there. The cook is the engineering team, but the recipe is there. And that’s where, if you can inject your secure ideas in that recipe, that’s a huge win.”
“I’ve seen bigger companies that are very disconnected, and then especially if they were a huge team, the disconnection comes sometimes from tooling, sometimes from the individuals themselves, like the pillars themselves, because it’s a big group of people. I think the good thing to do is create some sort of glue to create interaction. Like somebody needs to know the overall business implications of that bug. How is this going to impact the business, or is it going to ever impact the business?”
“I think the alignment with business is one important thing there. That’s kind of what I’ve learned from a bigger company product security perspective to a smaller company product perspective. Now there will be a time when your security architecture or issue or whatever, that big thing is going to be in the path of selling this. … And then products, business, sales, and then engineering at the end of the day, of course, needs to be all in the same room…and then you got to make that prioritization.”
“I don’t have a crystal ball, but I can probably tell you right now, with all the developers and the AI, that’s going to help us write probably better code, right? And it only has probably two impacts. One, the writing side of it. And I think GitHub just released something … they now give you this option to use AI word coding. And then I think the other part is that they’re going to help us find security anti-patterns better. I think there will be two things there for AI.”