Livestream at RSAC 2024 on Application Security Strategies for Modern Enterprises

At Bishop Fox's second-annual livestream from the 2024 RSA Conference in San Francisco, we interviewed special guests Matt Johansen from Reddit, Robin Franklin Guha from Meta, and Matt Keeley from SeatGeek. Explore their insights on scaling application security programs, meeting developer needs, and leveraging AI and machine learning for security.


Transcript

Tom Eston: Welcome back to the Bishop Fox live stream from the RSA conference in San Francisco, and joining me to talk about application security strategies for the modern enterprise is my esteemed panel: Matt Johansen, head of software security at Reddit; we're also joined by Robin Franklin Guha, security engineer at Meta; and last but not least is Matt Keeley, senior application security engineer at SeatGeek and also a Bishop Fox alumnus. Welcome. We're talking about application security strategies. You all work for dynamic organizations, right? Social media, ticketing for concerts and sports events. These are rapidly changing environments, I'm sure. Let's start with you, Matt. What are some of the challenges you've encountered at Reddit?

Matt Johansen: One of my big initiatives for AppSec is to stop playing the vulnerability whack-a-mole game. For a long time, it was find and fix and scan. How can we do DAST and SAST better? A lot of things changed with single-page apps, and it got harder to automatically find vulnerabilities with DAST and things like React. For me, it's about building secure defaults and guardrails into the developer's life cycle rather than just finding vulnerabilities faster. At scale, you have to build packages that everyone uses so they can't easily create vulnerabilities. Modern web frameworks have more built-in security, but developers still make mistakes. If you build secure packages that developers are happy to use, they can code and push quickly, and security doesn't have to keep up with scanning all the code.

Tom Eston: So, Robin, what do you see at Meta as your challenges?

Robin Franklin Guha: In my time at Meta, I've focused on internal tools and enterprise space. It's been a challenge to understand the different technology stacks and their underlying infrastructure. We've prioritized the human element, partnering closely with application and infrastructure teams to understand their priorities and risks and work with them to remediate issues.

Tom Eston: Nice, nice. So, Matt at SeatGeek, what are you seeing?

Matt Keeley: SeatGeek is interesting. We're a small team of security engineers with about 15 people and roughly 700 to 800 software engineers. It's about keeping up with their scalability. We're building a lot to be secure by default and tying it into the developer experience. Security can be hard to implement, so we're trying to automate infrastructure to make it easier for developers. For example, if a developer needs an S3 bucket, they can do it in three clicks instead of using the CLI.

Tom Eston: Nice. It's a theme I've heard from others—making the developer experience better and not being a roadblock. What strategies, methodologies, or tools have you found helpful in enabling developers from a security perspective?

Matt Johansen: The greatest impact comes from meeting developers where they are. Instead of giving them a security tool that disrupts their workflow, we look for tools that integrate with their environment, like GitHub PRs. We've used tools like Monocle from Chime, which adds a badge to GitHub repos to indicate health. It's easy to create new checks, and developers can build their own checks too. It's about speaking their language and making security part of their workflow.

Tom Eston: Nice. What have you seen successful at Meta?

Robin Franklin Guha: We've become data-driven, surfacing data in our internal tools. For example, if you request permission to a tool, we now surface threat intelligence and describe a raw risk level. Making security data sets accessible and queryable by folks outside of security has been effective in helping them understand their service's security.

Tom Eston: Nice. What about you, Matt?

Matt Keeley: We've shifted left, running security scans in pre-commit hooks before code is pushed to a repository. We run security scans, static analysis, and prevent secrets from being put into code. It's about getting feedback loops early in the lifecycle to prevent issues before they become big problems.

Tom Eston: Great insights. AI is a big theme at RSA this year. How do you see AI changing how developers work and application security?

Matt Johansen: I don't think we've seen the peak of AI's impact yet. There are tools like co-pilots helping developers, but we haven't seen AI in major breaches yet. I'm more worried about developers blindly trusting AI-generated code, as it can introduce vulnerabilities. We're keeping an eye on AI's potential, especially if it lowers the skill bar for attackers.

Robin Franklin Guha: With a background in machine learning, I've deployed models for security use cases like vulnerability triage and detection. Traditional machine learning is very useful in scaling security programs. Issues with large language models like hallucinations are a concern, but as data quality improves, so will the models.

Matt Keeley: We're using AI to analyze data-intensive tasks like detecting bots and fraud. AI has significantly reduced our fraud percentage and helped us understand and mitigate bot traffic. It's been beneficial for our organization.

Tom Eston: Bots are a challenge across social media and ticketing. How are you dealing with bots from an AppSec perspective?

Matt Johansen: At Reddit, it's such a big problem that we have a dedicated platform safety and trust team handling it. We try to drive impactful business logic to authenticated accounts to mitigate bot traffic.

Robin Franklin Guha: We have a dedicated team focused on bot detection and anti-scraping, using AI to detect bots effectively.

Tom Eston: Last question—what's your best advice for other AppSec teams facing similar struggles?

Matt Johansen: Understand code and be able to code a bit. The age of security analysts running tools to find vulnerabilities is slowing down. It's more impactful to have engineers who can speak the developers' language and build custom tools for security.

Robin Franklin Guha: Invest in your data and logs, including configuration data. This allows you to take a broad view of your technology and prioritize engagements based on trends.

Matt Keeley: Fill the gap and work closely with developers. Implement security at scale without causing blockers, and be realistic about what your team can achieve.

Tom Eston: Great advice. Where can people find you online? Start with you, Matt.

Matt Johansen: I'm Matt J on Twitter, and I run a newsletter called Vulnerable You.

Robin Franklin Guha: Find me on LinkedIn under Robin Franklin. I've got upcoming conference talks in vulnerability management and threat detection.

Matt Keeley: I'm Matthew Keeley on GitHub, LinkedIn, Twitter, and TikTok. You can send me memes.

Tom Eston: Thanks for being on the panel. Enjoy the rest of the conference. Stay tuned for more from the Bishop Fox live stream at the RSA conference in San Francisco.
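The pre-commit secret check Matt Keeley describes above (scan what is about to be committed and block the push if credentials are present), as an added example that is not part of the panel's remarks or SeatGeek's tooling. It parses a unified diff, looks only at added lines, and applies three assumed rules: the published AWS access key ID format, a PEM private-key header, and a heuristic "secret-looking assignment" rule whose matches are discarded when the assigned value has low Shannon entropy (a placeholder such as a run of x's rather than a real credential). The sample diff is constructed for the example and uses the example credentials from AWS documentation, not live keys; the rule names and the entropy threshold are choices for illustration.

```python
import math
import re
import subprocess
import sys
from collections import Counter

# Assumed rule set for the example. The AWS access key ID format and the PEM
# header are published formats; "assigned_secret" is a heuristic that fires on
# identifiers containing password/secret/apikey/token assigned a long value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9+/=_\-]{12,})"
    ),
}

# Assumed threshold (bits per character) below which a match is treated as a
# placeholder rather than a credential. Real random secrets score well above it.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value):
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text):
    """Return (file, line_number, rule, matched_value) for every hit on an added line.

    Only '+' lines are inspected, so secrets already in the repository or being
    removed do not block the commit; line numbers are tracked from hunk headers.
    """
    findings = []
    current_file = None
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff ") or raw.startswith("\\"):
            continue  # file separator / "No newline at end of file" marker
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # start line on the new side
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed line or '--- a/...' header: not in the new file
        line_no += 1  # context or added line occupies a line in the new file
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(content):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "assigned_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy placeholder, e.g. "xxxxxxxxxxxxxxxx"
                findings.append((current_file, line_no, rule, value))
    return findings


def staged_diff():
    """Diff of the index, i.e. exactly what a pre-commit hook is about to commit."""
    result = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample diff for the example; credentials are AWS's documented
# example values, and the password line is a placeholder the entropy filter drops.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,7 @@ DEBUG = False
 DATABASE_HOST = "db.internal"
-DATABASE_PASSWORD = os.environ["DB_PASSWORD"]
+DATABASE_PASSWORD = "xxxxxxxxxxxxxxxx"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 TIMEOUT = 30
"""


if __name__ == "__main__":
    # As a hook: copy to .git/hooks/pre-commit (assumed path); pass --sample to
    # run against the constructed diff instead of the staged changes.
    text = SAMPLE_DIFF if "--sample" in sys.argv else staged_diff()
    hits = scan_diff(text)
    for path, line, rule, value in hits:
        # Print a prefix only, so the hook's own output does not leak the secret.
        print(f"{path}:{line}: {rule}: {value[:6]}...")
    sys.exit(1 if hits else 0)
```

Run with `--sample` to see the two hits (the AWS key ID and the high-entropy secret assignment) while the placeholder password is ignored; a non-zero exit from a pre-commit hook is what makes Git abort the commit, which is the early feedback loop the panel describes. The entropy filter is the part worth tuning: too low and `changeme`-style placeholders create noise that trains developers to skip the hook, too high and short real secrets slip through.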

About the author, Tom Eston

VP of Consulting and Cosmos at Bishop Fox

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry-standard testing methodologies, and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show, and a frequent speaker at user groups and international cybersecurity conferences including Black Hat, DEF CON, DerbyCon, SANS, InfoSec World, OWASP AppSec, and ShmooCon.