Key Insights from the Industry’s First Ever ASPM Nation Event

That’s a wrap on ASPM Nation! Thanks to our expert line-up of speakers and panelists, we learned how to build a culture of collaboration between developers and security teams, how to measure the success of an AppSec program (at an organization as complex and distributed as Ford, no less!), and the role ASPM plays in aligning the C-Level.

Looking for a recap? We’ve summarized each session to give you the TL;DR version below. But don’t forget… you can still watch the full event on-demand here.

Friction to Fusion: ‘Hacking’ Harmony Between Security & Developers

Kicking off ASPM Nation, Gili Lev (MD of Cyber and Cloud Security at EY), James Berthoty (Security Engineer at PagerDuty) and Tanya Janca (Founder, CEO, and Security Trainer at She Hacks Purple) shared best practice tips on how to build better partnerships between security teams and developers.

The first step according to Tanya? Build empathy. After all, AppSec is a team sport. Developers should learn more about security teams’ goals and KPIs, and vice versa. 

But it’s not just about aligning on goals and outcomes. James recommends security teams fully immerse themselves in developers’ day-to-day processes before introducing new tooling or processes. This way, they understand the actual developer “lift” behind their security ask, solutions fit more seamlessly into existing workflows, and developers are more likely to adopt them.  

Regardless of the specific use case, the panelists all agree that security teams shouldn’t be looking for tools that put more vulnerabilities in front of developers faster. Instead, the right tool will get the right vulnerabilities in front of the right developer, with the right information to remediate problems quickly.

Building a Win-Win AppSec Program for Security and Developer with ASPM

Next up, Itai Marongwe (Product Security Engineer at Okta), Jamie Sadler (Head of AppSec at theScore), and Roxy Tait (Head of AppSec and Pen Testing at a leading Financial Services firm) talked about how organizations can scale limited AppSec resources for maximum impact, given that developers tend to outnumber AppSec professionals 50:1.

The secret, according to the panelists, is a combination of education, collaboration, and tooling that helps both teams improve visibility, prioritization, and remediation. 

When it comes to the division of labor in AppSec, all three panelists agree that developers and security teams must contribute equally, and that the responsibility is split 50/50.

According to Itai, “security professionals drive education, and should be helping developers build and implement security practices. It’s all about enablement”.

Roxy went on to highlight the vital role ASPM plays in building a successful AppSec program, specifically when it comes to aggregating findings, consolidating alerts, and reducing noise for developers. After all, “Navigating through all of these systems is complex, and it’s hard to isolate true risk across so many solutions.” 

Measuring the Success of Your AppSec Program

Curious how Nambi Srinivasan (General Manager – Cybersecurity and DevSecOps at Ford) tracks and measures the success of the AppSec program at an organization as large, complex, and distributed as Ford? Then you don’t want to miss this Q&A.

He discusses the challenges he’s faced when tracking and improving application security at Ford, which metrics he reports to senior leadership, and the value of integrating tools and correlating risk via Application Security Posture Management (ASPM).

When it comes to measuring improvement and progress in application security, Nambi suggests starting with adoption rate, vulnerability remediation rate, and vulnerability density. 

Watch the full session to find out why, discover what he views as the biggest risk to application security right now, and which trends he’s most excited about (and concerned about…) in 2024.

Charting Innovation Across Cycode’s Complete ASPM Platform

As discussed throughout ASPM Nation, AppSec is a top priority for both security and business leaders. That means it’s important technical and non-technical stakeholders have a means to view, understand, and interpret risk throughout the SDLC.

In this session, Lotem Guy, VP Product at Cycode, highlights an exciting new feature of Cycode’s Complete ASPM Platform: The Executive Dashboard.

This dashboard visually demonstrates your Application Security Program’s effectiveness, tracking risk emergence, remediation speed, and prevention of future threats. It also helps visualize the success of organizations’ AppSec programs through a centralized view of security insights, prioritized risk, and widespread adoption of secure practices. Think of it as Mission Control for the C-Suite.

Want to learn more about the Executive Dashboard (including RIG-AI, your AI Discovery Assistant) and the rest of Cycode’s Complete ASPM Platform? Book a demo.

The Future of Code: Securing Against Software Supply Chain Attacks

Clint Gibler (Founder of tl;dr sec and Head of Security Research at Semgrep) is the perfect person to offer advice on protecting the software supply chain and explain what we can learn from recent high-profile attacks…and that’s exactly what he did during Session 5 of ASPM Nation.

In terms of how to secure an attack surface that’s growing exponentially, he has two words for you: Ratchet model.

Watch the full recording to learn more.

A CISO’s Perspective: Why ASPM is a CEO-Level Solution

Roland Cloutier (Former Global CSO at TikTok, ByteDance, ADP, and EMC) has protected some of the most complex code bases in the world. And he’s learned a lot…

In this in-depth interview, Roland explains:

  • What strategies have helped him innovate and develop applications at speed, without compromising security
  • What keeps CISOs and CEOs up at night
  • The role ASPM plays in unifying the C-Level and driving cyber and business resilience

“I’ve been calling what we do in cybersecurity ‘business operations protection’ for a long time. And that’s because cyber resiliency is a direct and major component of business resiliency,” Roland explained. He continued, “The reality is, the entire value chain of your organization is built on code or technology. It doesn’t matter whether you’re a pizza shop in New York or a major, multinational social media mega company.”

Fortunately, as Roland pointed out, ASPM is a game-changer for organizations hoping to improve cyber resilience, specifically when it comes to software development.

“ASPM is going to change the way we think about developing code and significantly drive up our quality capabilities across our products,” he said.

There you have it! A whistle-stop tour of all six sessions from ASPM Nation. Don’t forget you can watch the full virtual event on-demand, or skip through the playlist to watch the Q&A or panel you’re most excited about.

Want to join us live next time? Sign up for our newsletter or follow us on LinkedIn to be the first to know about our next event.

Originally published: February 29, 2024