We sat down with the top leaders shaping the industry through Product Security, to find out what they’ve learnt from decades of securing the software the world depends on.
Software engineer-turned-dark-side AppSec Engineer with a deep passion for both coding & security - he’s also Co-Leader of OWASP SPVS. He firmly believes that "Truth Is in the Code": if you cannot find the truth there, open a terminal & hack it with unrelenting curiosity & determination.
Product Security is often perceived as a straightforward task, but it involves a detailed process that requires careful execution. The tasks include determining what to scan and secure, as well as…
Aashna has expertise in cloud security, infrastructure protection, risk management, & security operations. She combines her technical expertise with a strategic approach to secure organizations & their digital assets. She’s passionate about empowering women in technology and is involved in ISACA Vancouver & served on its Board as Director of the SheLeadsTech initiative.
A common misconception about Product Security is that it can be added later, often just before release or after launch. However, security should be embedded…
Rahil Arora has over a decade of experience in building and scaling robust Product Security programs at companies such as Palo Alto Networks, Flexport, and TRM Labs. He’s also been an advisor to some early stage security start-ups. Currently, he’s working at Meta as a Security Engineer.
That Product Security is purely a technical problem solved by just tools and specialists. In reality, security is all about context. Solving any problem in the field requires a holistic, risk-based approach. The…
With a background in software engineering prior to security, he’s earned 5 GIAC certifications for pen-testing. He’s recognized by Apple for identifying & disclosing a vulnerability in macOS & excels in collaborating with software engineers to understand vulnerabilities.
I think there's a misconception -- that actually might be a barrier to entry -- that you have to know everything. But cybersecurity, even more the niche field of Product Security, is just vast. You're bound to…
Nikola established the global Product Security Office to enhance secure practices across a workforce of over 500 engineers, supporting multiple high-risk profile products across three different R&D regions. He also holds a PhD in the security of multi-tenant systems, has published 10+ scientific papers, & served as a professor at the University of Novi Sad, Serbia.
The biggest misconception I’ve realized over the years is that people tend to assume that whatever was designed is exactly how it functions in the operations phase of the product…
At GitLab, Julie enables critical infrastructure software factories to develop secure software faster. Her career has spanned from US Army service to NASA, where she helped implement the first federal AWS migration. Julie built early AWS integrations at Ansible, grew a multi-million dollar consulting practice at Red Hat, co-founded the email security startup ZibaSec, and led global field CTO teams at Sophos.
One that comes to mind, especially as I talk with friends in the industry or people who are new to Product Security, is that there tends to be an over-focus on tooling…
A seasoned leader in Information & Application Security, with expertise spanning application security, security operations, vulnerability management, and cloud security, who has successfully established and managed application and Product Security programs.
Based on my experience, it’s mostly the idea that security is there to say no. I think that’s the biggest misconception, and there are probably legitimate reasons why people have that expectation. Security has…
Jean-Yves pursued a career in software testing, which branched into the Application Security domain nearly 10 years ago. Ever since, Jean-Yves has been aiming at helping development teams mature their security posture.
This is a strong opinion of mine, but I actually feel that the very existence of Product Security is an anti-pattern. In an ideal world—without constraints like time, people, money, or resources—security…
Seasoned cybersecurity leader with 20+ years of experience in product & infrastructure security across both private industry & federal agencies. He specializes in integrating security architecture, threat modeling, & compliance frameworks to build secure-by-design solutions. He’s also a recognized thought leader who has presented at major technology conferences including RSA and VMworld.
Product Security has long been correlated with Application Security. But in the SaaS/PaaS world, our products have matured beyond the point where a strong AppSec program is enough…
Brian helps companies ship secure software that customers trust without putting developers on defense. With his world-class team, he’s built a secure software development framework that underpins millions of secure deployments worldwide at Elastic. He speaks at OWASP AppSec, BSIMM, & other security communities, and enjoys mentoring the next generation of security engineers who want to build with care and ship with confidence.
A lot of people think Product Security is just about compliance…that it’s about checking boxes and passing an audit. But Product Security is not just about preventing breaches, and compliance is…
Steven’s been tinkering with tech his whole life (building terrible Angelfire & GeoCities websites as a kid) and has been in technology for 10 years. After roles in IT and Engineering, and a Master’s in Cybersecurity, he’s now leading the Application & Infrastructure Security program at BankUnited.
A common misconception is that Product Security is just application security rebranded. I've also heard that it's AppSec when the "product" being worked on isn't an application. I think both of these perceptions are incorrect…
Distinguished leader in cybersecurity, compliance, and product certification, with 15+ years shaping industry standards & driving security excellence. Recognized as a thought leader in the field, Kevin has built and led high-performing teams, transforming security processes to stay ahead of regulatory and technological shifts.
It's getting better, but compliance doesn’t equal security. A lot of the time, you go to a team and say, “You need to meet this certification or standard and adopt this SDLC practice,” and they go, “Okay…
Kelly manages secure development practices across RingCentral’s product portfolio. She previously worked at IBM for 18 years across R&D for System Z, Power Systems, & IBM Security, where she published 40 patents in microelectronic development and identity management.
The biggest misconception people have about Product Security is that it’s equivalent to the secure software development lifecycle (SSDLC). Product Security is broader in scope, and aligns with product…
Seasoned cybersecurity executive with a robust background in infrastructure, platform engineering & Product Security leadership. He’s held pivotal security roles at prominent technology companies, including Instacart, Amplitude, Netflix, Salesforce, and Yahoo!.
Product Security isn’t just an engineering problem—it’s not something you bolt on at the end with tools and testing. That thinking is outdated and dangerous. Product Security goes beyond securing an application…
Jyoti is responsible for securing product end-to-end, and is involved in various phases of the security lifecycle. She’s the author of the Phishing Simulation Assessment and MPT tools, has presented at DEF CON, Black Hat, Nullcon, HITB, OWASP NZ and Infosec Girls, & heads the OWASP Pune chapter.
The cultural perception of Product Security often needs a shift. Rather than being seen as a roadblock or a mere checkbox, Product Security should be viewed as an enabler of business growth and innovation. Product Security's ultimate goal is…
An experienced Information Security leader with a track record of guiding security teams and programs across Asia, Europe, & North America. She enjoys taking on the challenge of "making friends" with SDEs, driving lean and effective AppSec solutions, & ensuring security isn’t just a checklist exercise.
A common misconception is that Product Security is solely the responsibility of dedicated security teams. In reality, engineers across various domains—such as software development…
Michael has served in a variety of roles in offensive and defensive cybersecurity throughout his career, and is passionate about ensuring people who rely on medical devices can expect these devices to be secure.
The biggest misconception is that the main role of Product Security teams is to say “no” to new ideas and initiatives. In reality, their primary function is to enable secure product launches by providing clear…
Brad is Product Security Officer for one of the world's largest manufacturers of connected medical devices. He’s an advocate for better national security policy & works to help political leaders understand how they can make America's digital infrastructure more secure.
Cybersecurity teams are part of a larger conflict happening at the geopolitical scale. Adversaries today are very likely to be nation-state actors acting in the diplomatic and political interests of their…
The Leaders Securing the Software the World Depends On
The rapid acceleration of software development demands a fundamental shift in our security approach. To understand this, we interviewed the most influential Product Security leaders from the world’s biggest enterprises. Read the full interviews for:
- Debunking Myths: Unveiling the critical misconceptions around Product Security
- Future-Proofing Security: Exploring how forces (including AI) are transforming the role of Product Security in the next 3-5 years
- Path to CISO: Invaluable advice & leadership lessons for aspiring Product Security professionals
Get Your Hands On The 2025 Limited Edition All-Stars Trading Cards
Security innovation deserves to be celebrated! Whether you’re driving change, protecting critical software, or shaping the future of product security, we want to recognize your impact.
We’re giving away limited edition All-Stars trading cards - because every security star deserves a reward.
The first 100 people to download the full All-Stars interviews will get the 2025 trading cards.