Episode #253 with Justin Collins

Security Management, Product vs. Application Security

This week on Episode #253 of Absolute AppSec, Ken Johnson (@cktricky) and Seth Law (@sethlaw) welcome Justin Collins back to the show, a pioneering figure in Ruby on Rails security and creator of the Brakeman Security Scanner. Although it was not the planned topic, the trio spends much of the episode discussing the importance of effective management in security. The full episode video is available on YouTube: https://youtube.com/live/QkxOztMfkoE

The discussion with Justin starts with the origins of the Brakeman Security Scanner (https://brakemanscanner.org/), an open-source Ruby on Rails static analysis tool that identifies security issues in Rails applications. Initially started as an internship project at AT&T Interactive, it was eventually commercialized as Brakeman Pro, which was later acquired by Synopsys and integrated into their Coverity static analysis software. After a number of different positions across the industry (and after writing some supposedly dodgy C++ and Golang code at Synopsys), Justin currently leads the security team at Gusto, where he oversees product security, security engineering, GRC, and more.

In the continuing organic discussion, Justin shares his experience transitioning from technical product security roles to leading a large security team. In his estimation, stepping back from hands-on technical work to focus directly on management and guidance for his team was difficult. Still, he finds it beneficial to understand the technical aspects of the projects his team is working on, since that lets him provide more accurate direction and support.

“For me, understanding at least the shape of our code, what are our applications? What do they look like? How do they talk to each other? Where do things sit?”

Justin Collins

With a growing team and broad responsibilities, Justin has learned the importance of delegating effectively: he must trust his team to handle meetings and tasks, while also making sure they know when to come to him for guidance. This trust frees him to focus on strategic planning and big-picture goals. Keeping that strategic focus amid daily tasks can be challenging, but stepping away from the day-to-day grind allows for reflection and long-term planning. "We want to take the scariest things first, get those done."

“Honestly, there’s enough people, excellent, excellent people on the team. I don’t need to be writing code. It’s a hard thing to know when to back away, when to lean in, and trusting others is obviously vital.”

Justin Collins

A significant part of Justin's day-to-day role is advocating for his team members' promotions and career growth, an experience Ken shared from his own time at GitHub. From encouraging team members to document their achievements to building cases for promotions, it is important to ensure team members receive the recognition and opportunities they deserve. This fostering of team growth, alongside technical expertise, helps product security teams thrive.

While the trio does not dive deeply into the technical issues around Product and Application Security in this episode, many technical practitioners can relate to being thrust into management roles because they are good at solving problems. Catch additional nuggets of wisdom from Justin (and Seth/Ken) by listening to the full episode on your preferred platform, or join us in Slack. Don't forget to grab new items at the Absolute AppSec Merch store (merch.absoluteappsec.com).

This episode was sponsored by DryRun Security. DryRun Security delivers near-instant security code reviews and feels as if you've just hired a team of the best AppSec code reviewers. It gathers security context in just seconds after a developer makes a change. From that gathered context, the company's proprietary code review process interrogates each code change based on behaviors, not just static patterns. Try it free for yourself at https://dryrun.security.

Stay Secure,

Seth & Ken

https://youtu.be/few9AN1zwPE - Episode #12 - Justin joins Ken at LocomocoSec while Seth suffers at home.

https://youtu.be/4_BxM-tCjf0 - Episode #36 - Mike McCabe talks about Building AppSec Programs and Interviews

https://youtu.be/-yXMLsqmMpw - Episode #45 - Sean Poris shares his thoughts on Managing AppSec

Absolute AppSec Happenings

https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github - Truffle Security details flaws in the history and storage process of GitHub and the git protocol for tracking code changes. This has large implications for exposure of sensitive data, code, and secrets.

https://www.crowdstrike.com/blog/falcon-content-update-preliminary-post-incident-report/ - We would be remiss not to mention CrowdStrike. At least they are owning up to it, but as of this moment there are still major companies struggling to come back online, all because of the lack of some pesky quality assurance testing. Godspeed if you are still resetting systems.

https://marshallgoldsmith.com/articles/adding-too-much-value-wont-get-you-there/ - The concept of adding too much value came up during the discussion with Justin. This article reiterates the idea of trusting the people on your team rather than being the sole performer. Good advice.

Merch of the Week

Oh so soft and cosy. Get ready for cooler weather with the basic Absolute AppSec Hoodie. https://merch.absoluteappsec.com/listing/absolute-appsec-basic?product=227&variation=2664