Resilient Cyber

Nikki: My first question is about your book, The Application Security Handbook - who do you think most benefits from this type of book and why do you think they need it?

Nikki: What inspired you to write this? You have a ton of experience from being a security architect, to working in an IAM group, to application security - I would imagine all of that expertise allows you to see application security through a unique lens.

Chris: In your book you touch on the dichotomy of shifting security left while minimizing friction between the Security and Development teams. This is a common challenge many security teams face. Can you elaborate on some of your recommendations on this front?

Chris: You also emphasize the role of security champions and democratizing security to some extent through this approach. What exactly is a security champion and how do organizations go about doing this?

Nikki: You mention threat modeling in your book - what do you think is the best place for Application Security programs to start when building in threat modeling? This is typically a higher level of maturity for programs and I'm curious at what time it's best to integrate threat modeling?

Chris: We're obviously seeing a big push for robust CICD pipeline tooling for security such as SAST, DAST, SCA, Secrets Scanning and So on. Of course this tooling all produces noise. You lay out some strategies in the book on dealing with that. Can you touch on some of those here?

Chris: I would be remiss if I let you go without discussing Software Supply Chain Security and SBOM's. I know you touch on SCA, OSS and SBOM's in the book. Why do you think it is key for organizations to start including this in their appsec programs?

 Nikki: What do you think are the greatest concerns when building a mature application security program? What are the biggest impediments? 

Nikki: What does cyber resiliency mean to you?