The document summarizes a discussion between Jeff Williams and security professionals Jonathan Chow and Neeta Maniar about challenges in application security. Some key points discussed include that the same vulnerabilities have been occurring for 10+ years due to a lack of developer education, security teams being overwhelmed and understaffed, and the need to better integrate security practices into development workflows and provide metrics to developers on their own vulnerabilities and progress over time. The professionals emphasized the importance of building relationships between security and development teams to improve visibility into systems and catch issues earlier.

1. THE
SECURITY
INFLUENCER’S
CHANNEL
HOSTED BY JEFF WILLIAMS
CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY
Episode One:
Jonathan Chow and Neeta Maniar
Live Nation Entertainment

2. JEFF WILLIAMS
“What’s the one thing that deeply bothers you
about the way people practice application
security today?

3. NEETA MANIAR
“…for me, it’s that we’re finding vulnerabilities
that existed 10 years ago…we’re still not
getting good at fixing [them].”

4. JONATHAN CHOW
“I’ve been involved in part of an applications
program here for 12 years now, and we’re still
having developers creating the same flaws…so
I think the education piece is what’s missing.
We’ve got to stop making the same mistakes.”

5. JEFF WILLIAMS
“I couldn’t agree more…I wrote the first
version of the OWASP Top Ten in 2002, and it’s
essentially the same stuff in there still after 12
years. It’s really not changing, so that’s a bit of a
failure for the security industry.”

6. JEFF
“How do you stay on top of your portfolio of
applications, the developers writing new code,
and new vulnerabilities coming out?”

7. JONATHAN
“It’s almost a job unto itself….I try and
maintain good relationships with our business
partners…because in some cases they’ll go
outside approved IT folks to get it done
cheaper, faster, better. And that’s a primary
driver for rogue work happening.”

8. NEETA
“We’ve just hired what we call ‘Business
Security Leaders’ so they’re our liaison….we’re
just trying to make [security] more visible in
those areas….we’re trying to empower the
teams to do that better themselves.”

9. JEFF
“Interesting. I like that. I’ve been studying the
ways that industrial factories monitor their
complex systems….What I’m wondering…It
sounds like what you’re doing is like a human
instrumentation where you’re gathering data
through relationships with various teams.”

10. NEETA
“I think it’s really important…scanning
technology…and it’s important for that to be
well integrated into the tools we already use.
Any SDLC process, whether you’re doing QA or
builds, trying to inject security into those
particular tools is going to be important for
any instrumentation.”

11. JONATHAN

12. JEFF

13. JEFF WILLIAMS
“How do you feel about your visibility into the
apps and other systems that you run?...What do
you do to fill in the gaps and make it look up-to-
date?”

14. JONATHAN
“What Neeta said earlier was not enough
bandwidth. It’s true for every IT security shop
that I’ve ever talked to or been a part
of….You’re always going to be overwhelmed.
You’re always going to be outnumbered.”

15. JEFF
“That strikes me as exactly what needs to
happen…the security experts really need to get
out of the way and enable the development
teams to do these things for themselves with
automation and guidance and training.”

16. NEETA
“I remember working at GE and having that-
you’d have such a long time between when an
application requirement came out and when it
was released…at an agile environment, if
you’re not there then you miss it and it’s kind of
harder now to have that position.”

17. JONATHAN
“It’s actually the worst of all worlds if you miss
it because…you either slow them down and
they won’t come back, or you interrupt their
process and they see you as incompetent….We
risk becoming the proverbial dinosaur where
we don’t have a place in the new world.”

18. JEFF
“Do you feel that’s the only pressure on security
groups? The move to Agile and DevOps kinds of
organizations? Or are there other things that
are changing the way people do security or
security information?”

19. NEETA
“I think there’s also a positive change. I think
that application security is a pretty hot topic
now, more than it was years ago, it’s more
visible. We joke that we use security breaches
as our leverage to convince teams to do
more.”

20. JEFF
“I know we’ve broken out of the echo chamber
when my mom calls and says, “What’s going on
with this HeartBleed thing?”

21. JEFF
“I want to know: what are the key metrics that
you want to know so you can sleep at night?”

22. JONATHAN
“A raw number of flaws in applications is a key
metric for me.”

23. JONATHAN
“I would love to get down to the point where I
can go to a specific developer and say, “You
know, you’ve been making cross-site scripting
errors since 2006. You’ve made it January here,
you made it in March here, you made it in
October here, I need to teach you something.”

24. JONATHAN
“If we can get to that point where the
developers and development teams and
outsourced development shops can accept the
fact that security teams are here to make them
better at their jobs…then I think it will gain
more momentum.”

25. NEETA
“I think that any metrics that help us
understand the progress, trending metrics,
from point A to point B…I think that’s been
really helpful for us to say to a team,
‘Congratulations!’”

26. NEETA
“On the educational side, vulnerabilities by
technology so we can figure out, ‘What should
we be training our teams on?’”

27. JEFF WILLIAMS
WITH
JONATHAN CHOW
AND
NEETA MANIAR