
Beyond Whack-a-Mole: Modern AppSec Strategies for High-Growth Companies

Security leaders from Reddit, Meta, and SeatGeek share battle-tested approaches for scaling application security in fast-moving environments. Learn how these organizations are shifting from vulnerability hunting to building secure-by-default ecosystems that empower rather than hinder development teams.

Security leaders from Reddit, Meta, and SeatGeek reveal how they've transformed application security from a reactive vulnerability hunt into a seamless part of the development process, creating secure environments that maintain development velocity.

Session Summary

In this panel from RSA Conference 2024, application security leaders Matt Johansen (Reddit), Robin Franklin Guha (Meta), and Matt Keeley (SeatGeek) join Bishop Fox's Tom Eston to share how they're reinventing security for high-velocity development environments. Moving beyond the traditional "find and fix" vulnerability management model, these organizations are pioneering approaches that integrate security directly into development workflows while maintaining the speed their businesses demand.

The conversation reveals a significant shift in application security philosophy—from detecting vulnerabilities after code is written to preventing them from being introduced in the first place. Each panelist emphasizes meeting developers where they are by integrating security tools into existing workflows rather than disrupting them. They share concrete examples of this strategy: Reddit's implementation of health badges in GitHub repositories that provide immediate security feedback, Meta's approach to making security data accessible and queryable throughout the organization, and SeatGeek's pre-commit hooks that prevent security issues before code is even pushed. The discussion also explores the emerging impact of AI on application security, with panelists highlighting both opportunities for enhanced security operations and concerns about developers blindly trusting AI-generated code. Throughout the session, these leaders stress that modern application security teams must evolve beyond running scanning tools to become engineers who understand code, speak developers' language, and build systems that scale security across hundreds or thousands of developers.

Key Takeaways

  1. Stop the vulnerability whack-a-mole game - Shift from reactive vulnerability scanning to building secure defaults and guardrails directly into developer workflows.
  2. Meet developers where they are - Integrate security tools into environments developers already use (like GitHub) rather than forcing them to adopt separate security workflows.
  3. Build secure-by-default components - Create packages, libraries, and infrastructure that developers want to use that also have security built in, making it harder to introduce vulnerabilities.
  4. Implement early feedback loops - Use pre-commit hooks and other shift-left strategies to catch security issues before they enter repositories, preventing problems before they start.
  5. Make security data accessible - Transform security information into queryable datasets that developers and other stakeholders can use to understand their security posture.
  6. Focus on security engineering, not just analysis - Modern AppSec requires professionals who can code, understand developer workflows, and build custom tools that scale security across the organization.
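A minimal version of the pre-commit hook described in takeaway 4 (and in Matt Keeley's remarks in the transcript), as an added example that is not SeatGeek's or any panelist's code. It scans only the lines being added in the staged diff, rejects the commit if a likely secret appears, and never echoes the secret itself in its output. The rule set, the entropy threshold, and the `pragma: allowlist secret` suppression marker are assumptions for this example; the sample diff is constructed (the AWS key id in it is AWS's documented placeholder).

```python
"""Pre-commit secret scanner: an added example, not SeatGeek's (or any
panelist's) actual hook.  It scans only the lines being *added* in the staged
diff, so a secret is rejected before it ever lands in the repository and
history is not re-flagged on every commit."""
import math
import re
import subprocess
import sys

# The rule set below is an assumption for this example; a production hook
# would use a maintained pattern corpus and per-repository tuning.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # quoted literal of 8+ chars assigned to a password/secret-like name
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
# Opaque tokens with high per-character entropy are flagged even when no
# vendor prefix matches; length and threshold are assumptions, tune per repo.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5
# Developers suppress a confirmed false positive with this marker on the same
# line (convention assumed for this example).
ALLOWLIST_MARKER = "pragma: allowlist secret"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Show only a short prefix so the hook never echoes the secret itself."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def find_secrets(diff_text: str) -> list:
    """Return one finding per suspected secret on an added line of a unified diff."""
    findings = []
    current_file = "<unknown>"
    for idx, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+++ "):
            # "+++ b/path" names the file that the following hunks belong to
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if not line.startswith("+") or ALLOWLIST_MARKER in line:
            continue  # context/removed line, or explicitly allowlisted
        content = line[1:]
        hits = [(rule, m.group(0)) for rule, pat in SECRET_PATTERNS.items()
                for m in pat.finditer(content)]
        hits += [("high_entropy_string", m.group(0))
                 for m in TOKEN_RE.finditer(content)
                 if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD]
        for rule, match in hits:
            findings.append({"file": current_file, "diff_line": idx,
                             "rule": rule, "preview": redact(match)})
    return findings


def staged_diff() -> str:
    """Unified diff of what is about to be committed (only added lines matter)."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True).stdout


def main() -> int:
    findings = find_secrets(staged_diff())
    for f in findings:
        print(f"{f['file']}: {f['rule']} ({f['preview']})", file=sys.stderr)
    if findings:
        print("Commit blocked: move secrets to the environment or a secrets "
              "manager, or mark a confirmed false positive with "
              f"'{ALLOWLIST_MARKER}'.", file=sys.stderr)
        return 1
    return 0


# Constructed sample diff (AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key id).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
+SENTRY_DSN = os.environ["SENTRY_DSN"]
+TEST_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # pragma: allowlist secret
 ALLOWED_HOSTS = ["example.com"]
"""

if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit` (or wired in through a hook framework), the script exits non-zero and blocks the commit whenever `find_secrets` returns anything; on the constructed diff it reports the access key id and the hard-coded password, ignores the value read from the environment, and skips the explicitly allowlisted test line. Scanning `git diff --cached` rather than the working tree keeps the feedback tied to exactly what the developer is about to push, which is the early feedback loop the panel describes.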

Transcript

Tom Eston: Welcome back to the Bishop Fox live stream from the RSA conference in San Francisco, and joining me to talk about application security strategies for the modern enterprise is my esteemed panel. So, Matt Johansen. He's head of software security at Reddit, and we're also joined by Robin Franklin Guha, security engineer at Meta, and last but not least is Matt Keeley. He's a senior application security engineer at SeatGeek, also a Bishop Fox alumnus. Welcome. We're talking about application security strategies. You all work for dynamic organizations, right? Social media, ticketing for concerts and sports events. These are rapidly changing environments, I'm sure. Let's start with you, Matt. What are some of the challenges you've encountered at Reddit?

Matt Johansen: One of my big initiatives for AppSec is to stop playing the vulnerability whack-a-mole game. For a long time, it was find and fix and scan. How can we do DAST and SAST better? A lot of things changed with single-page apps, and it got harder to automatically find vulnerabilities with DAST and things like React. For me, it's about building secure defaults and guardrails into the developer's life cycle rather than just finding vulnerabilities faster. At scale, you have to build packages that everyone uses so they can't easily create vulnerabilities. Modern web frameworks have more built-in security, but developers still make mistakes. If you build secure packages that developers are happy to use, they can code and push quickly, and security doesn't have to keep up with scanning all the code.

Tom Eston: So, Robin, what do you see at Meta as your challenges?

Robin Franklin Guha: In my time at Meta, I've focused on internal tools and enterprise space. It's been a challenge to understand the different technology stacks and their underlying infrastructure. We've prioritized the human element, partnering closely with application and infrastructure teams to understand their priorities and risks and work with them to remediate issues.

Tom Eston: Nice, nice. So, Matt at SeatGeek, what are you seeing?

Matt Keeley: SeatGeek is interesting. We're a small team of security engineers with about 15 people and roughly 700 to 800 software engineers. It's about keeping up with their scalability. We're building a lot to be secure by default and tying it into the developer experience. Security can be hard to implement, so we're trying to automate infrastructure to make it easier for developers. For example, if a developer needs an S3 bucket, they can do it in three clicks instead of using the CLI.

Tom Eston: Nice. It's a theme I've heard from others—making the developer experience better and not being a roadblock. What strategies, methodologies, or tools have you found helpful in enabling developers from a security perspective?

Matt Johansen: The greatest impact comes from meeting developers where they are. Instead of giving them a security tool that disrupts their workflow, we look for tools that integrate with their environment, like GitHub PR. We've used tools like Monocle from Chime, which adds a badge to GitHub repos to indicate health. It's easy to create new checks, and developers can build their own checks too. It's about speaking their language and making security part of their workflow.

Tom Eston: Nice. What have you seen successful at Meta?

Robin Franklin Guha: We've become data-driven, surfacing data in our internal tools. For example, if you request permission for a tool, we now surface threat intelligence and describe a raw risk level. Making security data sets accessible and queryable by folks outside of security has been effective in helping them understand their service's security.

Tom Eston: Nice. What about you, Matt?

Matt Keeley: We've shifted left, running security scans in pre-commit hooks before code is pushed to a repository. We run security scans, static analysis, and prevent secrets from being put into code. It's about getting feedback loops early in the lifecycle to prevent issues before they become big problems.

Tom Eston: Great insights. AI is a big theme at RSA this year. How do you see AI changing how developers work and application security?

Matt Johansen: I don't think we've seen the peak of AI's impact yet. There are tools like co-pilots helping developers, but we haven't seen AI in major breaches yet. I'm more worried about developers blindly trusting AI-generated code, as it can introduce vulnerabilities. We're keeping an eye on AI's potential, especially if it lowers the skill bar for attackers.

Robin Franklin Guha: With a background in machine learning, I've deployed models for security use cases like vulnerability triage and detection. Traditional machine learning is very useful in scaling security programs. Issues with large language models like hallucinations are a concern, but as data quality improves, so will the models.

Matt Keeley: We're using AI to analyze data-intensive tasks like detecting bots and fraud. AI has significantly reduced our fraud percentage and helped us understand and mitigate bot traffic. It's been beneficial for our organization.

Tom Eston: Bots are a challenge across social media and ticketing. How are you dealing with bots from an AppSec perspective?

Matt Johansen: At Reddit, it's such a big problem that we have a dedicated platform safety and trust team handling it. We try to drive impactful business logic to authenticated accounts to mitigate bot traffic.

Robin Franklin Guha: We have a dedicated team focused on bot detection and anti-scraping, using AI to detect bots effectively.

Tom Eston: Last question—what's your best advice for other AppSec teams facing similar struggles?

Matt Johansen: Understand code and be able to code a bit. The age of security analysts running tools to find vulnerabilities is slowing down. It's more impactful to have engineers who can speak the developers' language and build custom tools for security.

Robin Franklin Guha: Invest in your data and logs, including configuration data. This allows you to take a broad view of your technology and prioritize engagements based on trends.

Matt Keeley: Fill the gap and work closely with developers. Implement security at scale without causing blockers, and be realistic about what your team can achieve.

Tom Eston: Great advice. Where can people find you online? Start with you, Matt.

Matt Johansen: I'm Matt J on Twitter, and I run a newsletter called Vulnerable You.

Robin Franklin Guha: Find me on LinkedIn under Robin Franklin. I've got upcoming conference talks in vulnerability management and threat detection.

Matt Keeley: I'm Matthew Keeley on GitHub, LinkedIn, Twitter, and TikTok. You can send me memes.

Tom Eston: Thanks for being on the panel. Enjoy the rest of the conference. Stay tuned for more from the Bishop Fox live stream at the RSA conference in San Francisco.


About the speaker, Tom Eston

VP of Consulting and Cosmos at Bishop Fox

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry-standard testing methodologies, and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show, and a frequent speaker at user groups and international cybersecurity conferences including Black Hat, DEF CON, DerbyCon, SANS, InfoSec World, OWASP AppSec, and ShmooCon.
