EP 34 — The Future of AppSec: People, Processes, and Progress with Coalfire’s Warren Kopp

In this episode of the Future of Application Security, Harshil speaks with Warren Kopp, Application Security Consultant at Coalfire. Together they discuss how better application security involves building relationships with the people behind the processes, and why skills like communication, collaboration, and an understanding of psychology are keys to moving forward security initiatives. They also discuss the increasing availability of security training today, how to think more aggressively about security, and why the future of AppSec will focus on expansion.

Topics discussed:

• How Warren “backed into technology” after getting a degree in animation, and his experiences inside an enterprise software company before becoming a consultant with Coalfire.
• Why security isn’t just a technology problem and how you need to find the people behind the processes, get to know their struggles, and compromise in order to build great AppSec initiatives.
• Why one of the key skills any security person can have is communication, and why clearly articulating business impact can help with getting buy-in.
• The need for not just training in hard security skills, but in soft skills like communication and psychology in order to meet people where they are and better understand their needs.
• How to look for opportunities for collaboration in your organization, and why it’s key to talk to others (over the phone or over lunch) and build your network.
• How teams can leverage automation, and why you need to think more aggressively about AppSec in order to open up new opportunities.
• The current state of AppSec, and the growing availability of training and information-sharing through more informal channels like YouTube that can increase impact and reduce struggle. 
• Why the future of application security involves teams being more aggressive, more iterative, and growing quicker.

Top quotes: 

“Security is not just a technological problem. It’s difficult to roll out new technologies. It’s difficult to add things to a lifecycle in terms of what are people executing day to day. But it gets a lot easier if you find the people on the other side of the process, not just the UI designers or the front end guys. What are their struggles and why don’t they want to add more layers to their process? Where can you fit into things in a way that makes sense?” (5:35)

“My advice to every sort of folk I’ve dealt with that is you really just got to find your own opportunities. …  If you know somebody in IT operations who cares about security and you want to go talk about password policies, take them out to lunch, send them a gift card, or get a time on the phone. Whatever it takes to have that personal interaction with them, to say, look, I understand where your problems are. Here are where my problems are. I think together we can do something on the other side.” (20:48)

“We had to learn how to communicate better. And it’s different communicating, ‘We want this scanner to run more effectively,’ than it is, ‘We want to add two factor because we think it’ll drive more business to the company because more of the bigger customers are asking for it.’ There’s a huge communication gap between those two things and they’re both talking about technical problems, but they’re talking about them in very different ways.” (11:13)

“When I started learning how to do application security, it was a lot of, ‘Here’s the next exploit, here’s the next tool,’ all those kinds of things. And we learned it’s making people feel proud of their work in terms of security rather than something they have to tack on or they have to hit a compliance goal. But if you teach folks something to be proud of exists in this, they’ll teach you how they can get better or they’ll ask more questions to get them to the next level.” (15:35)

“After all the COVID lockdowns and things like that and the remote work, folks just don’t want to be hemmed inside that very specific perimeter any longer. They’re used to having that flexibility and what that means to an application. Security lifecycle has to change along with it. Folks can’t just push a version out there and expect it to exist in perpetuity any longer. They have to keep it refreshed.” (29:54)