Quickfire AppSec interview - Jonathan Bennun, VP of Product at Bright
Speaker 1: Hello everyone, and welcome to our Flash interview. I am here with Jonathan Bennun, our VP of Product here at Bright. We are excited to have Jonathan, and I’m going to jump right into the questions. Jonathan, tell us, what changes in AppSec have you seen in the last couple of years? What do you expect to be happening in this space this year?
Speaker 2: I’m glad you’re asking this question. Just out of nowhere, out of the blue, without us ever having coordinated it. I think what’s interesting about AppSec is it’s fighting on so many more frontiers than it has been before. You know, it used to be just about vulnerable code. You’d be chasing your engineers, but now all of a sudden it’s about software supply chain security. It’s infrastructure, like infrastructure as code, and all of a sudden we see many more apps. It’s not just apps that you push publicly to the world. It’s also internal apps that you have in house, and you’re expected to cover legacy applications, like that PHP app that you built somewhere back in 2007, and you have microservices that now everybody’s rapidly deploying across multiple environments, and it’s just a lot. So my take is that we tend to overvalue shiny features that don’t necessarily add a lot of value right now, and we undervalue how long it takes to adopt important tools and frameworks. So just the fact that more app security teams right now are using OWASP or MITRE ATT&CK or baselines, I think, is pretty big, is pretty important. And I think having more structure and more focus just around that helps a lot. And in terms of how the field is evolving, I think there are several ways to take this. Like, everybody wants to talk about machine learning or AI, but I think what we’re going to see is more of the different tools we’re working on, whether it’s scanners taking advantage of things like metadata from behavioral analysis tools, or we’re going to see vulnerability management that consolidates input and alerts from multiple sources. So we started seeing a little bit of that in the last few years, but I think we’re going to see a lot more of that in the next year or so.
Speaker 1: Absolutely. It sounds like there’s simply more complexity for the AppSec teams to deal with, and more information as well that they have to deal with. So how should they react? What should an AppSec leader and their team really be focusing on this year to deal with it and prepare themselves for whatever may be happening?
Speaker 2: Right. So I’m going to be, again, I like being the contrarian. I think it’s not going to be about how you adopt another tool, and not necessarily another framework. You don’t need five frameworks; you need one or two that help you focus. So I’m going to focus on the behavioral. Don’t throw things over the fence. Don’t do them in a way that is disjointed, which I think a lot of organizations do, not in a way that is malicious or purposeful, just the way that organizations have gotten used to working, like, I’ll do mine and you do yours. And we know that’s just not really producing the right outcome. So I’m going to say something else. I’m going to say: you’re an AppSec practitioner. Great. Go have coffee with people. Go have coffee with development teams and infrastructure teams and lean into the SDLC. Don’t sit in your silo. And again, everybody else is going to tell you to implement this or that. But I just don’t think that one more tool, unless, again, you have the right suite of tools in terms of static code, dynamic code, vulnerability management, unless you have those already, one more tool is not going to be the answer. So I think if you’re trying to be truly impactful in AppSec, and especially if you’re still building your résumé, then one of the biggest issues you’re dealing with is the lack of communication, just plain communication, specifically within generic. So go have coffee with them. There are better tools and practices than ever before, and you can just put them to use if communication is right.
Speaker 1: Yeah. So it sounds like people more than tools this year, and really building those relationships with other teams in the business, which should help prevent some of the risks that you might be exposed to. And let’s, let’s ask about those risks. So what do you expect are the big ones this year, maybe more so than in previous years, in terms of risks and possible types of attacks that organizations really should be focusing on? And how do they prepare themselves for those specific types of risks?
Speaker 2: Right. Good news and bad news. It’s going to be pretty boring, in terms of it’s going to be more of the same. That’s what’s going to dominate. Ransomware, check. Misconfiguration, check. Phishing, check. Unfortunately, these are just still very effective at scale and can continue to be so. And again, there’s always going to be the shiny thing about, well, thanks to ChatGPT we’re going to see much better phishing emails. Right. But I think the point is that we tend to underestimate the value of little things that we need to do. For example, if as a company you implement MFA, do it right, you know, do the project right, push it all the way through to all apps and users. So just closing small gaps can go a long way. And I’ll give another example, again, looking at the SDLC as an AppSec practitioner. Just do it a little bit better, in terms of don’t wait until you don’t have any leverage within the SDLC. Start earlier. Get to a point when you pick up the little things. So many little things, like cross-site scripting, for instance, you can identify relatively early. And don’t let them escalate to the point that it gets a lot more costly to fix them.
Speaker 1: Awesome. Thank you. That’s it. That’s our three questions, a quick-fire interview. Thank you, Jonathan. Really appreciate your time. And thank you, everyone who will listen to and watch this quick interview.