EP 59 — Nat Mokry on Advancing Application Security in the Gaming Industry
In our latest episode of the Future of Application Security podcast, Nat Mokry, VP of Application & Product Security at Xbox (at Activision Blizzard at the time of recording), shares insights into application security, from the mission of defending player trust to the importance of technical skills in cybersecurity.
Nat also offers guidance on building effective security teams and navigating the evolving challenges of the industry.
Topics discussed:
- Earning and defending player trust as a guiding principle of business and strategies for making mission statements actionable.
- Building and structuring a diverse security team, and the challenges faced by appsec teams in the current landscape.
- The concept of the “piggy bank of trust” in security relationships that Nat says helps him and his team remember that people skills are important too.
- Balancing technical expertise and security knowledge, depending on what your data is telling you.
- Having the humility to ask questions and not have all the answers.
- The difference between solving problems for people and minimizing the chances of them doing something wrong.
Guest Quotes:
“I always think that your data needs to be your driver, right? So if you’re getting popped all the time, you’re probably not aware of your tech debt, you’re probably not aware of your attack surface, and you probably should be spending a lot of time there.”
“We spend a lot of time on, who are we? Like, what is our calling? What is our mission at the end of the day? And we see ourselves as the defenders of player trust. Right? So the company is all about delivering epic online entertainment experiences, whether that be Call of Duty, World of Warcraft, Diablo, Candy Crush.”
“What we always talk about is that as long as you’re operating in the realm of 180 degrees of goodness, because there’s 180 degrees of wrongness that are this way, but the 180 degrees of goodness is if you’re doing something that’s enhancing player trust, you’re doing good stuff for the company, and we’re going to naturally see the benefits of that.”
“I think it starts with going through and having a real serious baselining discussion around what the capabilities in the organization are from the standpoint of developing secure software. But at the same time, while you’re balancing some of those needs, improving where you are and having an honest discussion with leadership of where you are, you need to solve real problems that the development community is having.”
“We all talk about the 100 to 1 savings that you get by shifting left and finding bugs earlier in the development lifecycle that IBM put out there. There is no research on this. It’s been debunked that nobody ever did this research to say that these security exposures are magically solved by doing threat modeling or training.”