Episode #262 with Ariel Shin

Building a Security Program

This week on episode #262 of Absolute AppSec, Ken (@cktricky) and Seth (@sethlaw) are joined by Ariel Shin, a Security Engineering Manager at Datadog after a three-year stint at Twilio where she worked as an engineering manager in product security, a product security team lead, and a senior product security engineer. This year at BSides SF 2024, she presented on her time at Twilio in a retrospective talk entitled “Six Years in Review: Transforming Company Culture to Embrace Risk.” The video from BSides SF can be found here: https://www.youtube.com/watch?v=cQE1OqCpeI8. Before Twilio, Ariel worked at One Medical as an appsec engineer as well as spending time as a Technology and Privacy consultant with Protiviti. She also helps build the professional appsec and prodsec communities as a frequent commenter and presenter at security conferences. The full video from the episode can be found on the Absolute AppSec YouTube channel at https://www.youtube.com/watch?v=Sm3K6x5J0dQ.

After starting in penetration testing at a consulting firm, Ariel’s passion for application security grew after realizing the need for more sustainable security solutions beyond yearly pen tests. She wanted to be part of the solution for security vulnerabilities rather than simply delivering reports year after year with no real change. With her role at One Medical, Ariel dived into mobile security, deepening her passion for securing applications and improving collaboration between developers and security professionals until moving to Segment, later acquired by Twilio, to learn from industry leaders and build a personal brand in the security community. Today, as the lead of the Application Security Practices team at Datadog her focus is on secure-by-design programs and secure code training for engineers. This role allows her to combine her passion for security with her desire to help implement long-term solutions that shape the future of application security from the inside out.

“What democratizing vulnerability management means is that we all share risks… There needed to be this shift [in expectation] that you couldn’t just turn this platform on and expect all of your vulnerabilities to go down… this is something that they’re going to prioritize [as well].”

Ariel

There are two separate teams at Datadog: the product team develops external-facing security solutions for Datadog customers, while the other is more internal-facing. Ariel’s team is responsible for secure-by-default programs, secure-by-design initiatives, threat modeling, and secure code training for engineers, all intended to integrate security considerations into the development process. They work closely with Datadog’s engineers to implement secure coding practices through training and threat modeling, and they help the company track and manage vulnerabilities. This dual approach, with separate teams for internal and external security, enables Datadog to innovate and enhance security for its products and infrastructure. These secure-by-design programs offer a compelling model for the future of strengthened security posture within the organization, helping teams address risks early and avoid costly remediation later.

“When I’m providing a secure recommendation during a threat model, I’m not telling the developer, ‘These are the best practices, figure out how you’re going to implement that.’ I can attach a product or a feature that they can use, and it makes their jobs a lot easier […] There are benefits to having a company that’s producing a lot of these features for us to consume.”

Ariel

One of the most unique advantages that Ariel’s team enjoys is using their own products internally before releasing them to customers, allowing Ariel’s team to directly influence the features and capabilities of the company’s security tools. This close collaboration with the product team ensures that tools are practical, effective, and user-friendly since they are developed and tested by those who need them the most. Internally, this process eliminates the need to battle for budget allocations for third-party tools, as the security products being developed in-house are automatically available to Ariel’s team. As a result, they can focus on improving security instead of navigating corporate red tape, a major advantage that not many companies have. Many of the tools her team has developed have proved especially useful, including the Sensitive Data Scanner (SDS), which functions like a digital black marker, scanning for and redacting sensitive data in real time. Another tool is the Datadog Security Scorecard, which provides a clear snapshot of an application’s security posture to measure performance over time and prioritize areas that need improvement. There are also static analyzers, which automatically scan code for vulnerabilities before it’s deployed. These tools replace traditional AppSec methods, allowing teams to focus on more strategic initiatives rather than manually reviewing code or reports.

Ariel, Seth, and Ken touched on a common struggle for security teams: justifying budgets for security tools, especially when those tools aren’t directly tied to compliance. Ariel noted that while tools like static analyzers are often easy to justify because they address clear compliance needs, other valuable tools, like the security scorecard, can be harder to get approved. Her experience at Datadog, where her team benefits from internally developed tools already integrated into the company’s ecosystem, is not the norm; it allows her to bypass these budgetary hurdles and focus on improving security processes. Many security professionals have to fight for every dollar, often needing to build a strong case to convince leadership of the value of investing in additional security measures. For teams facing budgetary challenges, Ariel suggested focusing on the business value of security tools. By framing them as essential for protecting the company’s assets and reputation, security leaders can make a more compelling case for investment.

This episode is sponsored by Cloud Security Partners - your partner in dealing with modern risk. Cloud Security Partners works with customers to ensure that their cloud solutions are architected with security in mind. Talk to them today and mention Absolute AppSec for a complimentary cloud maturity review. While you're at it, check out their podcasts: Cocktails and Cloud and Relating to DevSecOps.

If you haven’t yet, show your support of Absolute AppSec by visiting the merch store and picking up a stylish windbreaker, causing jealousy amongst all your friends during the changes in temperature. As always, join Seth and Ken in Slack.

Stay Secure,

Seth & Ken

https://youtube.com/live/OMyqgehMDhU - Episode #248 with Rahil Parikh - Building AppSec Programs - Rahil shares his thoughts on application security, cloud security, and leading teams toward success.

https://youtu.be/wNODQSmGUTQ - Episode #182 - Seth and Ken express some opinions during this episode about disclosures and building out security programs.

https://youtu.be/lC5esDhQ9uE - Episode #26 with Justin Larson - Building an Application Security Program - From the first year of the podcast, the duo are joined by Justin to dig into opinions, strategies, and challenges in building an application security program.

Absolute AppSec Happenings

https://pluralistic.net/2023/08/27/an-audacious-plan-to-halt-the-internets-enshittification-and-throw-it-into-reverse/ - A followup to Cory Doctorow’s talk at DEF CON on reversing the enshittification of the Internet.

https://outpost24.com/blog/exploiting-permissive-cors-configurations/ - In-depth security research on CORS headers and how it affects exploit attempts. Good background for discussing security headers with the relevant stakeholders.

https://github.com/dhammon/ai-goat - Keeping with the goat theme for intentionally-vulnerable applications, AI Goat is focused on learning AI security through a series of vulnerable LLM CTF challenges.

Upcoming Events

Can you find either Seth or Ken?

October 22-25, 2024 - SaintCon - Provo, UT - Seth will be at the AppSec Community booth most days. Come try out the beginner’s challenges or find and fix vulnerabilities in code in the AppSec Challenge.

November 2-3, 2024 - Practical Secure Code Review - AI Enhanced - DEF CON Trainings, Seattle WA - In-person training session alongside other DEF CON trainers. This will be an intimate event with other prominent DEF CON organizers and trainers. Worth it for the secure code review but also the friends we make along the way.

November ??, 2024 - Harnessing LLMs for Application Security - Virtual Training, date TBD. - A new course that focuses on strategies for using more than just the chat interface of an LLM to speed up your Application Security tasks.

November 21-22, 2024 - DeepSec, Vienna, Austria - Seth will be presenting “Modern vs. 0ld 5k00l” where everything old is new again.