EP 39 — A Modernized and Scalable Approach to Product Security with Origami Risk’s Prajakta Badhe

In this episode of the Future of Application Security, Harshil speaks with Prajakta Badhe, Manager of Product Security at Origami Risk, which provides risk software to the insurance industry. They discuss how product security is different from application security, the ways in which Prajakta evaluates a product’s risk, and why she always gives context as to why a vulnerability needs remediation. They also discuss the security culture at Origami Risk, three steps for building a robust security program, and where AI will fit into product security’s future.

Topics discussed:

• The evolution of Prajakta’s career, starting as a quality assurance engineer, then leading a team of pen testers at Norton, to now leading product security at Origami Risk.
• The difference between product and application, and how they are “two different pillars” of security.
• What skills, background, and knowledge Prajakta looks for when hiring for product security.
• The two things Prajakta looks at when evaluating a product’s risk, and the ways in which to prioritize that risk.
• Why Prajakta creates a list of the organization’s unique top ten risks and how she uses that list for training purposes. 
• How to create more meaningful training for developers. 
• Three steps for building a security program, including establishing a baseline, creating ways to scale, and modernizing as you go.
• The reasons why Origami Risk has a strong security culture, and why that’s a benefit to all.
• What the future of product security holds, including the benefits and challenges of integrating AI-powered tools.

Guest Quotes: 

“That’s the biggest learning point for us. Once the product is deployed, how is it being used and exploited actually in the wild is where we will learn from. Did I do my due diligence in the architecture review phase for me to avoid that type of incident?” (11:34)

“I want to give them that context, that ‘why.’ Why did I arrive at that CVSS score and what business context I added on top of the CVSS score before I said, hey, this is a critical vulnerability getting into our way, go fix it.” (16:06)

“Scaling is a challenge, to be honest, in general in security. … The resources are always a challenge. You cannot scale with the number of resources. So then you become smarter and then you then prioritize.” (16:45)

“Give them some starting points, as I usually tell my team. It doesn’t have to be the exact or accurate solution. Give them some starting point. Make it a phase-wise remediation plan so it’s not overwhelming for the team, but take it from place A to place B and let them know how to get there.” (22:44)

“How can I be proactive using artificial intelligence? I think that’s where I’m excited and see the future going. Can I bring that artificial intelligence early on in my cycle? Maybe even in the planning phase or design phase or even architecture phase?” (29:04)