EP 29 — A Conversation on the State of AppSec with Reddit’s Matt Johansen and Semgrep’s Clint Gibler

In this special edition of the Future of Application Security podcast, Harshil speaks with Matt Johansen, Principal Security Architect at Reddit, a community and content-sharing site, and Clint Gibler, Head of Security Research at Semgrep, an open source static analysis tool. Together they discuss how the world of AppSec has changed, including the more widespread adoption of a shift-left mentality, and how more best-in-breed tools are being created for developers today. They also discuss the ways in which you can adopt frameworks and tooling into current workflows,...

In this special edition of the Future of Application Security podcast, Harshil speaks with Matt Johansen, Principal Security Architect at Reddit, a community and content-sharing site, and Clint Gibler, Head of Security Research at Semgrep, an open source static analysis tool. Together they discuss how the world of AppSec has changed, including the more widespread adoption of a shift-left mentality, and how more best-in-breed tools are being created for developers today. They also discuss the ways in which you can adopt frameworks and tooling into current workflows, how to meet developers where they are, and how to incentivize practicing good security habits.

Topics discussed:

• How the world of AppSec has changed, going from a niche part of a security program to something everyone started focusing on, and how the industry has adopted a shift-left mindset while making more tools available for developers.
• How the evolution of frameworks are helping to prevent vulnerabilities and reduce risk, sometimes more so than security tools.
• How best-in-breed tooling is moving from generating tickets to be thrown over the fence, to speaking to developers in the language they know.
• The current state of in-house security expertise, and why security teams still need to lead with prioritization and the value-add of security, yet are beginning to hire team members who can write code.
• How to move security frameworks into the systems developers use everyday — and how do you incentivize developers to adopt those frameworks in the first place.
• The ways in which gamification and public dashboards have helped increase security adoption and reward good behavior.
• Why it's better to focus on and invest in solving the top vulnerabilities and issues than be sidetracked by the "long tail" of thousands of vulnerabilities that will never get touched.