S6E5: Resilient Cyber w/ Jeevan Singh

Scaling AppSec Programs

In this episode of Resilient Cyber, Chris Hughes speaks with Jeevan Singh, an Application Security (AppSec) leader, to explore how to scale AppSec programs effectively. The conversation covers vulnerability management, tooling, and team-building strategies.

Key Highlights:

  • Scaling AppSec: Jeevan shares his approach to scaling AppSec, emphasizing the need for security programs to grow at the same rate as engineering teams. His goal is to ensure that operational workloads don’t increase linearly with the number of engineers.

  • Vulnerability Management: He presents a crawl-walk-run-sprint methodology for integrating security tools and managing vulnerabilities, emphasizing the importance of slowly raising the bar without overwhelming engineers.

  • Tooling Integration: Jeevan discusses the importance of selecting the right tools, using a rubric-based approach, and involving engineers to ensure tools provide low friction and enhance developer experience. He highlights the need to focus on PR integration to minimize context switching for developers.

  • Eliminating Vulnerability Classes: He talks about the benefits of working with engineering teams to eliminate entire classes of vulnerabilities, pointing to examples like React and server-side request forgery (SSRF).

  • Team Building: Jeevan outlines a four-bucket framework for building AppSec teams, focusing on technical skills, influence, software engineering, and program management. He also emphasizes the need for empathy in team members to foster collaboration and problem-solving.

  • Open Source vs. Proprietary Tools: Jeevan navigates the choice between open source, proprietary, and in-house solutions, noting that while he often prefers vendors, some cases require building custom tools to meet unique needs.