Guest: Scott Gerlach
Company: StackHawk
One of the key challenges around application security is that the developers are often the last to find out about security bugs, long after the application has gone into production. In this episode of TFiR Let’s Talk, Swapnil Bhartiya sits down with Scott Gerlach, Co-founder and CSO of StackHawk, to discuss how StackHawk is giving developers tools to fix security vulnerabilities while building the software.
Key highlights of this video interview:
- When it comes to application security, developers and software engineers need to be equipped with the tools to make good decisions while they are building the code, not after the application has gone into production. Gerlach says they do not have to be experts in every aspect of security, but feeding them the right information helps them recognize what could become a security problem later.
- Part of the challenge is the ratio of security staff to engineers. Gerlach believes it is realistically 1 security person to 150-200 engineers, so there has to be a tight partnership and good working agreements between the two teams. If the engineers have the proper tools and information while writing the code, the capability of the security team is effectively multiplied 150 times.
- After a security breach, spending rises in order to recover customer trust. This is why Gerlach says it is important to become more efficient through automation and better information, so that you can recover quickly from breaches and other security issues and maintain customer trust.
- AWS, Microsoft Azure and Google Cloud are secure by default, yet people make them insecure by configuring them incorrectly. Gerlach feels that there is a lot of tooling around cloud infrastructure and processes, but application security is lagging behind.
- Gerlach discusses the new features added to the StackHawk platform for deeper API security testing: the ability to use real data to test real APIs, support for custom scripts, and an integration that surfaces dynamic application security testing results as pull request comments.
The summary of the show is written by Emily Nicholls.