Venture Guides Dinner Series:  Modern AppSec in Hybrid Cloud Environments

With the rapid migration of infrastructure to the cloud and the accelerated pace of application deployment, the proliferation of vulnerabilities, compounded by technical debt, presents an urgent concern for security leaders. And, “while the typical enterprise network contains millions of vulnerabilities, most teams can patch only 10% of those vulnerabilities per month.” This leaves a massive gap in security coverage; there remains a big need in the market for security teams to be able to see, prioritize and remediate vulnerabilities with the right people, tools and measurement.

The Venture Guides team was excited to dive into this topic with a panel of local security leaders and a roomful of CISOs and AppSec leaders from Bank of America, NS1, Pega Systems, Rapid7, Salesforce, Santander, State Street and many others to discuss the growing challenges of managing application security in ever-changing hybrid cloud environments.

Our panelists, including Phillip Hayes from Tenable, Erik Peterson from CloudZero, Ryan Benson from Stratscale and moderator Harshil Parikh, co-founder of Venture Guides portfolio company Tromzo, covered how collaboration, communication, and cultural alignment are critical to pursuing effective vulnerability and risk management within organizations. Below, we’ve highlighted some of the areas of focus and learnings that were discussed.

We look forward to continuing these conversations next week at RSA. (If you are attending RSA and would like to meet with the Venture Guides team, please email us at rsvp@ventureguides.com). 

1. Vulnerability Data and Testing Objectives: Understanding vulnerabilities in apps and systems is crucial for targeted testing. Rather than testing everything, focusing on known vulnerabilities allows for a more efficient use of resources and better preparation for potential issues. Testing vulnerabilities is not just about identifying weaknesses but also understanding the underlying architecture and operational processes. It's essential to ensure that security measures are integrated into the design and operation of systems effectively.

2. Collaboration and Empathy: Building a collaborative relationship between security teams and developers is vital. Empathy towards developers' workload and challenges can lead to more effective cooperation, and therefore more efficient resolution. Instead of imposing security tasks, security teams can work with developers to understand their challenges and find ways to automate security processes.

3. Automation and Risk Acceptance: Automating security processes, such as risk acceptance, can streamline operations and reduce manual effort. Implementing risk acceptance as code allows developers to seamlessly address vulnerabilities with a clear audit trail, reducing friction and enhancing efficiency.

4. Aligning Security with Business Incentives: Understanding the business's priorities and incentives is crucial for effective communication about security risks. Framing security discussions in terms of financial impact and aligning security goals with business objectives can facilitate decision-making and prioritize security efforts.

5. Communication and Accountability: Effective communication about security risks involves providing clear metrics and data to senior leadership. Security teams need to present the potential impact of security issues in terms that stakeholders understand, emphasizing accountability and driving action.
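The "risk acceptance as code" idea from point 3 is easiest to see in working form. The following is an added example, not code from the event, the panelists or their companies: a scanner's findings are reconciled against a version-controlled acceptance file, each acceptance carries an owner, a justification and an expiry, and the gate fails on anything not covered by a live acceptance. The file format (JSON with `id`, `owner`, `expires`, `justification`) is this example's own convention, and the finding ids and scanner output are constructed placeholders, not real identifiers.

```python
"""
Risk acceptance as code (added illustration, not code from the event or any
panelist's product). Scanner findings are reconciled against an acceptance
file that is committed alongside the service's code; its git history is the
audit trail, and an expired or missing acceptance fails the gate.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample findings, shaped like a scanner export. The ids are
# placeholders, not real CVE numbers.
SCAN_FINDINGS = [
    {"id": "FINDING-EXAMPLE-001", "component": "libexample", "severity": "high"},
    {"id": "FINDING-EXAMPLE-002", "component": "libother", "severity": "medium"},
    {"id": "FINDING-EXAMPLE-003", "component": "libthird", "severity": "critical"},
]

# Constructed sample acceptance file (e.g. accepted-risks.json checked in next
# to the service's code). Field names are this example's own convention.
ACCEPTANCES_JSON = """
[
  {"id": "FINDING-EXAMPLE-001", "owner": "team-payments", "expires": "2024-09-30",
   "justification": "vulnerable code path not reachable; compensating control in place"},
  {"id": "FINDING-EXAMPLE-002", "owner": "team-platform", "expires": "2024-01-31",
   "justification": "upgrade scheduled for the next release"}
]
"""

REQUIRED_FIELDS = ("id", "owner", "expires", "justification")


@dataclass(frozen=True)
class Acceptance:
    id: str
    owner: str
    expires: date
    justification: str


def load_acceptances(text: str) -> dict[str, Acceptance]:
    """Parse and validate the acceptance file. Malformed or duplicate entries
    are rejected outright so that a bad edit cannot quietly accept risk."""
    result: dict[str, Acceptance] = {}
    for entry in json.loads(text):
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            raise ValueError(f"acceptance {entry.get('id')!r} missing {missing}")
        if entry["id"] in result:
            raise ValueError(f"duplicate acceptance for {entry['id']}")
        result[entry["id"]] = Acceptance(
            id=entry["id"],
            owner=entry["owner"],
            expires=date.fromisoformat(entry["expires"]),
            justification=entry["justification"],
        )
    return result


def evaluate(findings, acceptances: dict[str, Acceptance], today_iso: str) -> dict:
    """Classify each finding as accepted, expired (acceptance lapsed) or
    unaccepted; the gate passes only when every finding is currently accepted."""
    today = date.fromisoformat(today_iso)
    accepted, expired, unaccepted = [], [], []
    for finding in findings:
        acc = acceptances.get(finding["id"])
        if acc is None:
            unaccepted.append(finding["id"])
        elif acc.expires < today:
            expired.append(finding["id"])
        else:
            accepted.append(finding["id"])
    return {
        "accepted": accepted,
        "expired": expired,
        "unaccepted": unaccepted,
        "pass": not expired and not unaccepted,
    }


if __name__ == "__main__":
    # Run as a CI gate: non-zero exit blocks the pipeline.
    report = evaluate(SCAN_FINDINGS, load_acceptances(ACCEPTANCES_JSON), "2024-04-01")
    for bucket in ("accepted", "expired", "unaccepted"):
        print(f"{bucket}: {', '.join(report[bucket]) or '-'}")
    raise SystemExit(0 if report["pass"] else 1)
```

Because the acceptance file is reviewed and merged like any other change, the developer who accepts a risk, the reviewer who approved it and the date it lapses are all recorded without a separate ticketing step; expiry forces the decision to be revisited rather than forgotten.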

We look forward to our next dinner series event as we take on important topics across the Venture Guides portfolio focused on infrastructure, security and cloud.
