EP 38 — Avalara’s Anthony Ungerman on the Imperative for Security-Minded Organizations


In this episode of the Future of Application Security, Harshil speaks with Anthony Ungerman, VP Product Security at Avalara, a tax software company. They discuss what product security encompasses beyond application security, how the security team at Avalara works with engineers, and how they articulate business value to increase security implementation. They also discuss security automation, approaches for security training, and what’s in store for the future of product security.

Topics discussed:

  • The evolution of Anthony’s career as a “lifelong computer junkie,” including how he was introduced to security, and how he learned security by practicing on his kids’ web traffic. 
  • How Anthony defines product security, why it’s broader than application security, and what it encompasses.
  • How Avalara’s security team works with the engineering team, and how they leverage security champions to implement security initiatives.
  • How security-mindedness is expanding, from the boardroom to customers, prompted by data privacy regulation like EU GDPR and the edicts from the White House.
  • How to get more security buy-in by being able to explain how initiatives tie back to business objectives.
  • A summary of articles Anthony wrote about how to automate application security programs.
  • What types of training they’re offering to ramp engineers up on security best practices — and what consequences are in place if they don’t complete training.
  • How the future of product security will be shaped by privacy regulations, generative learning, and all-encompassing dashboards.

Guest Quotes: 

“We have over 200 security champions. And my team will work closely with the security champions, and the security champions will help to implement a lot of these security programs. … To me, the most important thing is to work within the process and at the pace of engineering.” (10:42)

“I’ve seen board members who have a security background and they put pressure on the CEO and the entire C-level. They are interested. They are interested in delivering secure solutions. The engineers, the hands on keyboards, the engineers, they also want to build high quality, because everyone wants their work to be solid.” (14:51)

“We need to address the security issues, but we also have to deliver value to the market. … If you’re not delivering value to the market, you’re not going to be in a high growth, highly successful company.” (15:41)

“I always tie it back to the business. Why is it important? Of course, I talk about risk and protecting our reputation and all those things, but it’s the business that really hits them between the eyes.” (18:19)

“Those are tools that are going to take the security data from all these AppSec tools and pull them together into a single pane of glass. … There are going to be tools that create a holistic view for any outstanding app security and it’s going to be easier to identify.” (33:42)
