EP 29 — A Conversation on the State of AppSec with Reddit’s Matt Johansen and Semgrep’s Clint Gibler

In this special edition of the Future of Application Security podcast, Harshil speaks with Matt Johansen, Principal Security Architect at Reddit, a community and content-sharing site, and Clint Gibler, Head of Security Research at Semgrep, an open source static analysis tool. Together they discuss how the world of AppSec has changed, including the more widespread adoption of a shift-left mentality, and how more best-in-breed tools are being created for developers today. They also discuss the ways in which you can adopt frameworks and tooling into current workflows, how to meet developers where they are, and how to incentivize practicing good security habits.

Topics discussed:

• How the world of AppSec has changed, going from a niche part of a security program to something everyone started focusing on, and how the industry has adopted a shift-left mindset while making more tools available for developers.
• How the evolution of frameworks are helping to prevent vulnerabilities and reduce risk, sometimes more so than security tools.
• How best-in-breed tooling is moving from generating tickets to be thrown over the fence, to speaking to developers in the language they know.
• The current state of in-house security expertise, and why security teams still need to lead with prioritization and the value-add of security, yet are beginning to hire team members who can write code.
• How to move security frameworks into the systems developers use everyday — and how do you incentivize developers to adopt those frameworks in the first place.
• The ways in which gamification and public dashboards have helped increase security adoption and reward good behavior.
• Why it’s better to focus on and invest in solving the top vulnerabilities and issues than be sidetracked by the “long tail” of thousands of vulnerabilities that will never get touched.

Guest Quotes: 

“We’ve clamored as an industry to ‘shift left’ and do all this stuff more in line with developers instead of trying to scan everything once it’s already live, and how expensive that is, and how hard it is to fix things at that breadth. I think we’ve relatively been successful in a lot of ways at actually shifting the whole industry further to the left, because we have been yelling about it long enough. So a lot of tools that are coming out these days that are best-in-breed in AppSec are geared towards developers, instead of geared towards security team.” Matt (4:42)

“The evolution and improvement of web frameworks that, as Matt said, say handle CSIRT by default, output and code by default, object relational mappers or ORMs that make it difficult to do SQL injection — I think that those libraries getting better has probably net both prevented more security vulnerabilities and just overall reduced the risk to applications, probably more than security tools that have been built. If I had to say I can only have one thing, either all the SAST and DAST tools we have today, or really, really amazing frameworks, like I would probably choose frameworks if I had to.” Clint (8:24)

“Going back 5, 10 years at least, it’s getting more and more popular that security teams are hiring developers more than they’re hiring security people. Okay, yeah, security engineer was the job title for a while, but like, big, big S-security, little e-engineer. And now we’re seeing the trend towards — No, I need people that can write code on the security team, so that they can pull their weight and not just throw things over the walls to the developers.” Matt (17:34)

“To what Matt was saying about, how do you move into existing developer workflows and systems. If you think about it — this is not even necessarily specific to security, this is just good UX or UI stuff in general — if a group of people already have a normal way they do a thing, how can you put whatever you want them to do within that thing? So if you’re normally using, say, GitHub actions for CI/CD and reviewing code in GitHub, like how do we provide the security or other feedback within those existing systems?” Clint (19:59)