Pragmatic Product Security: doing less to achieve better security outcomes
"Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away."
- Antoine de Saint-Exupéry
Application Security has historically been challenging, requiring both deep technical expertise and change management skills. The acceleration brought by AI has made the pitfalls of the current best practices more obvious.
Challenges
- Security reviews cannot keep up with the increased volume of AI-augmented pull requests
- Threat modeling adoption is low because the process is too heavy
- It is hard to tell whether secure coding training actually changes behaviour
- Time spent triaging SAST findings does not seem worth it
- Managing bug bounty reports is overwhelming, not only because of AI-generated noise, but also because the organization cannot efficiently fix that many vulnerabilities
- Security champions are less engaged as they spend most of their time bumping version numbers of dependencies
- Supply chain incidents eat more and more of the limited bandwidth dedicated to deep proactive work
Moving forward
Rather than adopting a standard set of best practices, with the illusion of breadth of coverage, defining priorities is paramount. It requires:
- Security activities that are REALLY measurable, both in terms of outcomes and effort
- Making explicit what NOT to do now, next and later, and also why
- Being able to articulate, from a customer trust point of view and thanks to a consistent framework, why doing less in terms of volume will bring more results
- Quarterly reassessments, particularly given the relentless pace of AI
Do you want to reboot your application security initiative?
Or are you trying to relieve some pressure from the team you are managing?
Are you starting a product security roadmap from scratch?
Let’s talk: contact@appsecmatters.com