EP 28 — Injecting Better Security into Products and Processes with Dremio’s Emre Saglam

In this episode of the Future of Application Security, Harshil speaks with Emre Saglam, Head of Security and Compliance at Dremio, a data lakehouse that empowers data engineers and analysts with easy-to-use self-service SQL analytics. They discuss the current state of AppSec, including how to improve security by prioritizing business implications, using frameworks, and having tools “closer to the ground.” They also talk about how to structure security teams, how much time you should spend with product teams, what skills are needed for future success, and more.

Topics discussed:

  • Emre’s career evolution in security, from breaking into mailboxes as a kid growing up in Turkey, to starting a Linux group in the 1990s, to working at places like the World Bank and Salesforce before becoming the Head of Security and Compliance at Dremio.
  • The current challenges of Product Security, including the need for bigger companies to create ways to glue together their disconnections, and why security teams need to prioritize overall business implications and impact.
  • How security is improving through the use of frameworks and tools that are “closer to the ground,” making security easier to scale.
  • Why security teams should adopt strategies like injecting security across each phase of product development, and why security teams should spend more time with the product team.
  • How to structure security teams in terms of which skills to hire, how much time to dedicate to the product side, how to keep up morale and motivation, and how to align teams to create secure products for customers.
  • How security teams can bring attention to areas where they may need more resources, planning, or prioritization, and why alignment with leadership is key.
  • Why curiosity, questioning intention, being firm, having a Plan B, and good communication are skills that security team members must acquire in order to be successful.
  • Why the future of product security will bring better correlation, deduplication, and fewer false positives, and how AI will contribute to writing better code.

Guest Quotes:

“I think you should definitely spend some of your time with the product teams. And that’s a different world there. It’s not engineering, it’s not business. It’s actually where the recipe for the cook is, there. The cook is the engineering team, but the recipe is there. And that’s where, if you can inject your secure ideas in that recipe, that’s a huge win.” 

“I’ve seen bigger companies that they’re very disconnected and then especially if they were a huge team, the disconnection comes sometimes from tooling, sometimes from the individuals themselves, like the pillars themselves, because it’s a big group of people. I think the good thing to do is create some sort of glue to create interaction. Like somebody needs to know the overall business implications of that bug. How is this going to impact the business or is it going to ever impact the business?” 

“I think the alignment with business is one important thing there. That’s kind of what I’ve learned from a bigger company product security perspective to a smaller company product perspective. Now there will be a time when your security architecture or issue or whatever, that big thing is going to be in the path of selling this. … And then products, business, sales, and then engineering at the end of the day, of course, needs to be all in the same room…and then you got to make that prioritization.” 

“I don’t have a crystal ball, but I can probably tell you right now, with all the developers and the AI, that’s going to help us writing probably better code, right? And it only has probably two impacts. One, the writing side of it. And I think GitHub just released something … they now give you this option to use AI word coding. And then I think the other part is that they’re going to help us find security anti-patterns better. I think there will be two things there for AI.” 
