EP 54 — LPL Financial’s Chad Girouard on Improving Application Security Through Better Tools and Relationships

In this episode of the Future of Application Security, Harshil speaks with Chad Girouard, AVP Application Security at LPL Financial, a provider of investment and business solutions. They discuss how security teams can better engage with developers, and how they can encourage secure coding through scanning tools and security champion programs. They also talk about how to manage the “results deluge” with single-pane-of-glass tools, how AI can help with more meaningful reporting, and why security buy-in is a team effort.

Topics discussed:

  • How to manage the various challenges of application security: competing tools, relationships, maturity, and more.
  • How to bridge the different priorities of security teams and developers.
  • How to encourage more secure coding by shifting left and developing a security champions program.
  • Why leading and implementing security buy-in and processes is a team effort across the organization.
  • How to manage today’s “results deluge” with single-pane-of-glass tools and more meaningful reporting.
  • How AI can help discern real findings from all the information that a security team collects.

Guest Quotes:

“Application security is hard, right? It’s not an easy process where you just sort of throw together a few tools and a team and everything just works. There’s a lot of challenges involved, there’s a lot of moving pieces, there’s a lot of competing tools. There tends to be challenges in relationships if you have an infosec team that’s outside of a development team. So, yeah, there’s definitely a lot that goes into it.” 

“One of the biggest challenges we face now is engagement with the development teams, getting them to care more about releasing secure code in the first place and not having to go back and fix these things later.” 

“The best way to catch those things is to catch them as early as possible. So if you can, use tools that bake your scanning into the process while developers are coding.”

“It takes a few different people to get the buy-in, because a lot of times you’re going to need someone at a higher level to communicate over and get that message to flow down into the teams.”  

“One of the ways I’d love to see AI help us in the future is cutting through some of the noise, discerning what are real findings based on all of the information that we have at our disposal.”
