The Application Security Podcast
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
The Application Security Podcast
Francesco Cipollone -- Application Security Posture Management and the Power of Working with the Business
Francesco Cipollone, CEO of Phoenix Security, joins Chris and Robert to discuss security and explain Application Security Posture Management (ASPM). Francesco shares his journey from developer to cybersecurity leader, revealing the origins and importance of ASPM. The discussion covers the distinction between application security and product security, the evolution of ASPM from SIEM solutions, and ASPM's role in managing asset vulnerabilities and software security holistically. Francesco emphasizes the necessity of involving the business side in security decisions and explains how ASPM enables actionable, risk-based decision-making. The episode also touches on the impact of AI on ASPM. It concludes with Francesco advocating for a stronger integration between security, development, and business teams to effectively manage software security risks.
Recommended Reading:
Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup by Ross Haleliuk — https://ventureinsecurity.net/p/cyber-for-builders
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Francesco Chip Malone is a seasoned entrepreneur, CEO of Phoenix Security, a contextual based vulnerability management platform, and the host of the Multi-Award winning Cybersecurity and Cloud podcast. As an author, speaker, and visionary in the cybersecurity industry, he serves as chapter chair for UK and I of the Cloud Security Alliance. Previously, Francesco led application and cloud security at HSBC and was a senior security consultant at AWS. He has keynoted at global conferences and authored several books. Outside work, Francesco enjoys running marathons, snowboarding in Italy, and savoring a single malt whiskey in his favorite London clubs. He joins us in exploring application security posture management and its distinction from classic SIEM solutions. Hey folks, welcome to this episode of the Application Security Podcast. This is Chris Romeo. I'm the CEO of Devici, also a general partner at Kerr Ventures, and joined by my good friend Robert Hurlbutt. Hey Robert.
Robert Hurlbut:Hey, Chris. Yeah. Robert Hurlbut, principal application security architect and threat modeling lead at Aquia. And great to be here again to talk about application security.
Chris Romeo:Yeah, and we're going to learn about a new category here today. Um, that it's, it's a category that I've been curious about, but I feel like I Don't know enough about it yet. So, but before we do that, we have Frank from Phoenix Security who's going to start by sharing his security origin story with us because we always start there and we want to know where people are Coming from so Frank welcome to the show and please dive right into your security origin story or how you got into this world of security.
Francesco Cipollone:so thank you Chris Thank you Robert for having me on the show. I actually started my life not as a security person but as a developer and I started working very early in the days on Uh, I don't know if you remember or who remembers of the audience, the very early origin of virtualization that was on QM or KVMSEC and Xen. And I started really hacking between, uh, hosts and operating system. And that's what got me really interested into the intricacies and deep down into the how things were built and how things were broken up together. Um, and from there that kind of switch between that and the traditional world of security that was starting building up Um, and I started my career as a trainer as well Uh, so after that I started working as a trainer because just as a software developer You didn't make enough money and Cisco and Microsoft had wonderful training So I started diving a little bit deeper in the network, Microsoft, and security was really interesting Attracting me because it was breaking stuff, but it's also was so early in the days that people didn't even know what security meant So it really got me into a passion of actually explaining what it was and what really got me into security is It is actually nothing else than doing things right. So as a developer, as a system operator, or as a network configurator, I saw security as building up things in the right way, telling people the right things to do. and helping them on that journey. So, and as a trainer, it kind of got me into that mindset. And from there, I actually start working more and more in security. So my first baby, there was a training company back in the day. So Chris, that's my affinity with you. And then I started fundamentally helping organization moving to the cloud and security was a very big thing. And the cloud were not safe. the cloud that we have today. So they were very scripty, very bulky, very rough around the edges. I don't know if anybody dealt with Microsoft at the very early days, but was nothing like we have today. It was a lot of programming, PowerShell script, and other stuff. AWS still is, but I spent most of my life helping organization. kind of shifting in an intelligence way things to the cloud. And the first thing that usually happen is application weren't built in the right way for the cloud. So you build this nice, secure structure for the cloud with the right access control, and then you throw in the first couple of application and everything break loose, and then you start opening everything up. And that's, uh, and that's interesting because it, it kind of pushes you to a trade off, um, but in this story, basically, the more I went into it, the more I started seeing the convergence between, uh, software and cloud into one thing, um, and it probably peaked where I was leading the application security and cloud security for HSBC, where I was trying to bridge the two gaps together, and that's a little bit the origin story of where Phoenix was born, and the whole ASPM category was born, because I was trying to relate to the business overall, what was an application and what, what was that application running and letting them making a decision based on risk metrics and translating a very complicated concept that is fundamentally software running somewhere into very simple things like this is a product. So I think that's, That's my love for product security. That's where product security was born, uh, as an idea to actually paint a picture of what you build, where you run it, and communicating that to the business. That is a very tricky thing to do because you need three vertical into your brain, the business aspect, the security aspect, um, and a little bit development aspect. And it's very, very few people have it nowadays.
Chris Romeo:So you just mentioned something that's, that's, I've asked this question of a number of different guests over the last six months, because this topic keeps coming up. You mentioned application security and you mentioned product security, both in the same. in the same vein. And in your mind, in your definition, what's the difference between application security and product security?
Francesco Cipollone:That's a very good question. A lot of questions. I think application security is still close to pen testing and to the old school software security where product security kind of paint a better picture of how applications are built right now holistically, and it also paints a picture of how you communicate with the business. So I think application security paints an old picture of what we build right now versus product security is more in line with what application security is today. So for me, product security is an evolution of the whole application security where application security was just living in the code or maybe living in pentesting web and API while product security look at the product holistically and then application security just a component of it but also threat modeling but also risk assessment mitigation communicating to the business kind of describe that higher level figure that application security naturally evolved into it.
Chris Romeo:That's helpful. I'm, I'm asking this question of lots of people because I'm, I'm wrestling with it as well. Like what, what's the difference? And so it's good, it's good to just get different perspectives.
Francesco Cipollone:Well, what's the statistic between application security folks, uh, staying on application security versus product security?
Chris Romeo:Yeah, I mean, most, uh, most of the, what I see in the industry right now, it's, it's most people are still holding court with the application security moniker. And, and part of that, I think I, and I see the world kind of that way, but part of it is I came out of Cisco where we were not application security, we were product security because we didn't make app, we made applications, I guess somewhere, but in general, we made products. We made metal boxes that routed packets and things. And so there was never, there was, we never thought of. The code that was running on it as an application. We thought of it as a holistic product to your point there. And so in my mind, that's kind of where I draw the line. It comes down to what are we, what are we selling? So like if I'm in a SAS business. I don't really do product security in my mind. I do application security because it's all about the application. We're not worried
Francesco Cipollone:the application still runs on WAN.
Chris Romeo:of course, but that's just, that's how I separate it. Yeah. That's how I separate it in my mind between, uh, but I think this is an evolving topic. It's an evolving thing that's happening, right? Like it's, it's, we're seeing the industry change and we've had a couple episodes. We had one whole episode that we talked with a couple of folks about the differences between it. And they shared their
Francesco Cipollone:saw that.
Chris Romeo:Inside their company, it broke down and how they've, how they have, they've defined it. So it's definitely a, uh, something, it's something that's going to continue to evolve over the next years.
Francesco Cipollone:And just to throw a spanner in there, there is also platform security now as a term of people that all the infra people that maintains, uh, um, infrastructure container, some level of container and cloud. So you have application security people or product security people and then platform people.
Chris Romeo:and see, I think of that as infrastructure security. That's the moniker that I use for that group. So, yeah, I mean, we've got some different groups in play here and, but it'll all, it'll all settle out.
Robert Hurlbut:So Frank, today we're going to be talking about, uh, what is ASPM or application security posture management? Uh, what is that?
Francesco Cipollone:Good question. Uh, And I think I would add, when is that? Because the definition of ASPM, or as we originally created it with Ghana, was XSPM, or Security Posture Star. Um, that was so wide as a category, uh, or Extended Security Posture Management, we created it at a certain point, we were revolving around that and chasm of, asset management as a broad category. But then I think it kind of evolved into, look, nobody knows what an application is, uh, and there is cloud security, posture management. There is infrastructure security, posture management of vulnerable or risk based vulnerability management. There isn't really a category for what's an application, what is the risk of an application, and. more extensive, where does an application run? And that's where really the term ASPM kind of was born. Now, because there is a whole substratum of organizations that do never had access to enterprise scanning tool like SAST, SCA, and so on. Kind of there was a second stream of ASPM category tools that just throw a bunch of open source tools together, string them along, and start calling them ASPM as well. So I think the category ASPM stuff fracturing. in two elements, organization or platform that orchestrate or scan or bring your own scanner information. Um, and kind of try to add intelligence and decision methods and then organization to just throw a bunch of scanner together. And then there is something in the, in the mix, in the middle. So I think that the ASPM category will evolve once more in the upcoming years of, Organizations that organize and add intelligence are on these assets that could come from different levels, from a cloud perspective, from a people perspective, from a software perspective, and organizations that purely scan, because I think there is a science in both of them, and you can't excel at both of them. That's why we had application security testing, really, where the ASPM, uh, with throwing a bunch of tools together should really land, uh, is, uh, testing, just stuff. And then the new modern things of actually building everything together is ASPM.
Chris Romeo:So do you, let's, let's put the, the, let's go back in history, in time a little bit and have a little bit of a history perspective, because I want to get your take on whether you think ASPM is the new SIEM. And so Robert and I, you'll, people, well, no, people will notice that we have a gray tint to our, our hair, which means we've been around this industry for a long time. And, and so I remember when SIEMS became a thing. Um, I can never remember what they stand for, security incident event management, I think. Um, but they, they, in the information security side of the house, we had a, a, we started deploying all these different firewalls and IDS systems and all these different things that were generating all these alerts and they didn't go anywhere for a time period when they, after they came out. And then somebody had this idea to create this, Correlation engine, where we could bring up, we could point all these devices at this single thing. And then we as incident response people could, could trace this single central point of truth and we could correlate firewalls and IDSs and network routers. And, and we could see it in a single pane of glass to use a funny term that's never really come to fruition. Is ASPM the Application, the modern, is it, does it sit on top of what was developed in the world of SIEM and information security decades ago?
Francesco Cipollone:I think yes, and I think risk based vulnerability management tried to attack that level, but it was kind of laser focus on just risk of specific vulnerability. While ASPM approached this problem because it's a wide problem. Um, into holistically, or if you approach ASPM right, like what we do, is looking at the asset and where they live, and what metadata they have, and then what problem they have, because fundamentally assets are just a bucket of problems. And you can quote me on that because it's my favorite sentence. Um, but that's kind of derived naturally on organizing those assets. uh, understanding who owns them and who drives them because attribution was the thing that was missing in CIEM. You have a bunch of stuff put together, but then so what, what do you do with this? And I think ASPM is great because it brings in the concept of attribution, or at least if you're doing ASPM right, um, you bring the concept of who needs to fix this stuff? Because just having a big data engine with just a bunch of data, um, is information is not inside, it's not actionable, while ASPM, I think, has a chance to take all of this problem, contextualizing, understanding really the nuances, taking the noise out that was something that the CM never did, um, and then routing them, um, to the right team to do some action. And at the same time, I think the element and the thing that we're trying to do is even pushing the boundary forward and saying, how can you involve the business to define the risk position where they want to operate and connect that to the engineering community? And that's, for me, is, is key and pivotal because otherwise it becomes a bucket of information and you can't action that bucket of information. Um, I think that's where the SIEM should have been, but then the problem is that from a SIEM perspective, it went into regulation, and hence the whole category became relaxed because everybody was buying SIEM, and you could charge that model, so there wasn't an incentive to evolve. And it kind of flattened out in the SOC, where the SOC were just saying, well, we need to have a SIEM because that's what a SOC is. Um, while ASPM is really driven by the necessity of, I have a bunch of tools that generate Information, and I have absolutely no clue about even who touched what, where, and should I focus on this or should I focus on that? So, I think yes. Long story short is ASPM is the natural glue between application security, asset management, risk based vulnerability management, and cloud security portion management. Now, if it's going to be absorbing, I don't know if it's going to be absorbing one way or another, like ASPM is going to become the new CSPM, or the CNAP is going to become ASPM plus CSPM, and I'm throwing a bunch of categories, but it's basically, if clouds security posture is going to become full stack security posture, or if the ASPM is going to become application security and cloud. Um, and I'm not even throwing data in that problem, because that's a whole category.
Chris Romeo:I want to, I want to explore another avenue that you've mentioned because you've used the word business a couple times. in your descriptions of things. And I know you've, you've come from a large financial where you have experience doing this in the trenches. And I love to talk to people that have actually been in the trenches before been practitioners running programs and things. Cause I find I learned the most from, from hearing people's experiences, but I'm did, did, where did you, where did this idea about focusing on the business come from? Is this something you experienced in past leadership roles? Uh, where you, because I hear you talk about the business all the time. You're always, you're always bringing that back to the table. Whereas a lot of security people, we tend to forget that there's a business we work for. And they sign our paychecks at the end of the day. And we need to work with them and partner with them. So I guess where, you know, where did you get that, that kind of approach kind of built into how you think?
Francesco Cipollone:Let me tell you a story on how we built a program of one of the largest cloud, a more treacherous cloud transformation in financial service ever. Um, we were, we were basically, we, triaging and dealing with millions of problems. And I had analysts to the, to my neck. We had a platoon of analysts working for me and we're trying to pair them up with engineers. The challenge is The more work we were doing, uh, and even if it was excellent work, first of all, it wasn't appreciated. And second of all, we couldn't steer the discussion from an engineering perspective in any direction because they weren't authorized to actually work on security. Security was a lip service things. We should move to the cloud securely. But what that actually meant is security requirement, threat modeling, fixing vulnerability, that didn't translate to the engineering. So it kind of faded away. And then it was a trend where the business was saying, we need to be secure. and then it kind of faded away. And from an engineering perspective, it's, yes, yes, we let them speak, and then fade away. So there was a translation problem between security and engineering, and engineering security and the business. So we were talking, we were kind of trying to aim for the same things that is making people survive on a digital infrastructure, but kind of not communicating in a synchronous way. And the only way I talked with my CEO, I said, the only way this can work, if the direction comes from top down, but I need to give you the tool to understand. First of all, Where are you sitting? How at risk you are? And then make an intelligence decision based on this information. Because if you don't have these insights and not data, you can't make a decision based on risk. You actually ask the business to express in a way that can't be translated in any way. So, that's what we did. We enabled the pieces to make risk based decisions that actually made sense from an engineering perspective. Not just risk quantification at the high level, not spreadsheet, but what we called GRC engineering. And that resonates with a lot of, some of the more advanced GRC community because you could represent risk in real time based on where the application were and based on where they were running. And then, Enabling the business, not in a generic way, but just literally setting a target, a bar, an OKR, so that they could express, I want to operate at this risk level, I'm comfortable at this risk level, how much work do I need to do to get to that risk level? And getting that message was extremely powerful because they could express, yes, I'm comfortable here, I'm comfortable here, I'm not comfortable here, just go and execute on this target. And then it wasn't a security requirement, was a business requirement, and as a security, we were using the data insights as aggregated and intelligence information to actually accelerate each engineering community to get to that target faster. So we were sitting in sprint call and saying, look, you guys have a problem of input validation. So let's use this particular library because it's going to accelerate. Instead of spending 15 story point on the next sprint, you could spend one story point or five story point upgrading, doing some regression testing, and here's a library. We went from the most hated thing. team in the most organization to actually the more in demand team from every organization because we were helping them achieving a business objective. And that's why I said, look, these things really work. And, and I looked around and there wasn't anything around that could give me that information or any tool that could give me that information. So we created one for us and that's a little bit of the origin story of Phoenix Security. Um, that was the name of the program, by the way. So we actually kept the name of the program. Uh, because it is, is is the logic of rebooting from the ashes of DevOps. So Phoenix security, Rebos from the ashes of DevOps, hence the Phoenix. And they actually, the logos are the GRC element of Phoenix, of, of what you have in our, in all these metrics.
Chris Romeo:I've known you for a while and I've never heard that, I've never heard that story. So that's, that's interesting that, that, that was the company name came from the program name inside. So, um, yeah. Robert, why don't you continue, continue on the, help us continue on the path here.
Robert Hurlbut:Sure. Uh, so one question we wondered about in terms of where, uh, talking further about where this came from is how does SBOM influence this space?
Francesco Cipollone:I think when we started, first of all, it's a great question because I think as bomb. drives to the right business, um, and operational diligence. So it's creating asset information around your software, and I will even take it to the extreme of PBOM. So what, how does all of these assets intercorrelate together, get grouped together, and build a concept of asset lineage? So how do you build these things together, and how those things then evolve in new assets? Um, And that's kind of the concept and the things that we struggle with right now. Thinking about vulnerability instead of thinking about assets that inter correlate with each other and then evolve in other assets. And this is particularly important in the cloud where you think about an infrastructure as a whole that has vulnerabilities inherently because you're scanning for it and then you build it so those artifacts have an inerrant vulnerability in a specific stage, and then you deploy them. So those vulnerabilities that you discover with a CSPM in the cloud actually came all the way from that original asset. And if you think about it, SBOM started because we needed to have due diligence around asset management. It kind of got stopped in there. And I think that's where the role of ASPM can really play a part, because it's like organizing all these, all these, This concept of asset, and SBOM is what I call meta asset. Fundamentally, it's a library that belongs to a specific application, similar to what's installed software you have in infrastructure. So those are kind of meta assets that don't have a life in itself, but still are very important because, um, you need to understand how they are composed with each other because they inherently have vulnerabilities. And I think as long as some unit of entities have a vulnerability, that becomes a meta asset that live inside an asset, that then evolve in another asset. But all about it is asset vulnerability management that have different state and is very complicated. And how do you correlate that to A very simple term that is product is kind of the beauty of ASPM and where ASPM sits, of what you build and where you run it. And translating all this complexity into these beautiful things that is, this is the risk level of your product is where I think it's surprising for a lot of business to see where ASPM is. It's the wow factor of ASPM, I will say.
Chris Romeo:Yeah. So let's, um, let, let's kind of summarize. When we think about the problems that ASPM is supposed to be solving for us, like how do we, how do we break that down into like two or three specific problems that this category of tooling is gonna sur gonna help us with?
Francesco Cipollone:I think if you want to summarize it is ASPM is the future of software security, period. Like, you can't do software security if you don't understand how software is built together, who owns it, and what you're going to do with those problems, and where does that problem lives. Because otherwise, it's guesswork. It's like you hope that you're going to get to the vulnerability that is going to hurt you. But if you absolutely know that You kind of have an intelligence as usual. So ASPM enabled you to, depending on the version of it, my version of ASPM is helps the business understanding their posture of what they build and where they run and help expressing risk based decisions that can be understood by engineers. And those are actionable risk based decisions. So it's not just, I want to be secure. but what that mean in quantitative story point for all of the engineering community and saying, am I trying to be too secure or I'm trying to be less secure? So it's moving the needle of the whole organization forward. And it just started with application security because every organization is a software company around nowadays and a cloud company. So I think it's where the needle and the boundaries right now of innovation is being pushed.
Chris Romeo:So I heard inventory was one big piece, so one of the problems then, if I wanted to just kind of summarize this, right, so one of the big problems that it's going to solve for us is it helps us to inventory assets. that we may not, uh, be able to currently trace ownership of assets, but we may, but it helps us to get that inventory because we're, we're sending our results from multiple tools and things towards the ASPM solution. And so it gives us that traceability and that inventory side, right? And then I guess one of the other things that I think about is it does help us to solve the, just the overall flood of information. Right? Because if we have a SAST tool, if we have an SCA tool, if we have other, other, other technology types that are feeding in, we could end up in a situation where I have a finding in a SAST tool, a finding in an SCA tool, a finding in some other tool that are actually the same problem. So we do get that correlation too, right? That we, that we, we talked about. So that's one of the
Francesco Cipollone:And compounded one and the compounded one. So the single picture of things. So you can see. you can see an application and the riskiness of an application versus the volumetrics of a number of vulnerabilities that a single repository has. So you can evaluate product and the riskiness of a product where, I mean, Ivanti was the perfect case where you see a problem in a vulnerability in an operating system, but as a product, you have so much risk that you're carrying that if you look at the problem holistically, you will say, damn, I need to do something about it. But if you look at the problem atomically, They're kind of not that scary. So I think that's where ASPM could help a lot on painting a global picture of really what a product is. So ASPM is the future of product security.
Robert Hurlbut:All right. Well, one other question we have is, I think it's one we've asked it before for different things, but how does or how will AI impact ASPM?
Francesco Cipollone:Oh boy, that's a lot of questions. Um, I think AI can help. And yeah, I know that LLM can help in a lot of things in ASPM, but point in time solution, point in place solution, it can help kind of grouping things together by looking at patterns of who touch what and kind of grouping those things together and trying to figure out You know, this particular number of people have touched this particular number of files and can be grouped together into a concept of application because understanding the concept of application is really complicated and not a lot of organizations have thought it through, um, what is an application. So sometimes it's challenging and we're solving with AI. On that terms, or understanding and trying to correlate what kind of technology stack you have so that if you are victim of a specific vulnerabilities or problems across the board, you can kind of correlate to a specific technology stack, even if you don't have specific vulnerability that manifests in that. And generally speaking, trying to group things together and correlate things together. The experiment and the thing that I'm hoping that is going to be successful is also trying to chain things together and trying to see if Putting A, B, and C together is actually more risky than fixing one specific thing. So if you can chain a web vulnerability with a library vulnerability, uh, and an operating system vulnerability, and it gets you through the escalation, and lateral movement, or vertical movement where you are. Uh, and you can only do that if you really correlate these things. And I don't know if AI could help in that, but, or attack surface management could help in that. Uh, we're still experimenting with few things, but definitely is promising. And AI could be helpful in there.
Chris Romeo:Yeah, I could see the kind of the pattern matching summarization capabilities of Gen AI being something that would help. Um, I think one of the, I think one of the, the, the challenges that's going to exist with ASPM, I'm seeing this challenge in other places in regards to AI, and I, I was, was working recently with an AI engineer. who's a, uh, Ph. D. student at a local university. And I took him through a particular scenario where there was an existing algorithm that was providing a, an output for me. And I was thinking, uh, wouldn't that be cool if Gen AI, if I could use Gen AI to somehow enhance this algorithm? And his answer was, uh, I'm an AI, AI engineer. It's not gonna, you're not, AI's not gonna get you a better result.
Francesco Cipollone:No.
Chris Romeo:And so I think that'll be one of the interesting challenges with ASPM is if you try to AI fify it, I think I just made up a word, probably not the first person to use it, but if you try to AI fify the an ASPM solution, is it actually better than. ASPM that just had a solid algorithm written by a human that is able to process the data in a certain way. So I think time will tell as far as whether that'll be whether that'll be a thing or not.
Francesco Cipollone:I think AI in general, maybe not, or LLM in general, maybe not. A chatbot that helps you explain things or group things together or identify things together. Maybe call help instead of just generating the SLA. the queries that traditionally you do, uh, that can be probably maybe helpful, but a point in time solution that will help from an AI perspective kind of paint a better picture or accelerate what you're already doing, but at scale, like asking questions to an ASPM that has that concept or context. But you need to build that context before and AI could help in building that context by identifying pattern or by suggesting as well Pattern of resolution like you might not know that you have 15 things that have log4j and that could be a campaign That's what we called AI based campaign to actually identify for you the things where you could invest biggest bang for bucks because it's a consistent piece of work that enables you to focus on unit of work that's, um, are more consistent. So it's going beyond just fixing a problem, but actually how can I be more impactful as a security team and help my engineering team focus on one thing so they leave us the biggest bang for buck?
Chris Romeo:All right, cool. Robert, why don't you take us into the lightning round here where we have just a quick, uh, Just a quick kind of, uh, set of questions to, uh, for you to answer off the cuff. Boo!
Robert Hurlbut:Frank, we have three questions. One is more of a controversy, but what is your most controversial opinion on application security and why do you hold that view?
Francesco Cipollone:Well, that application, application security is dead and product security is the only thing that matters now.
Chris Romeo:Sorry, I couldn't resist.
Robert Hurlbut:I think we knew that was coming.
Chris Romeo:We already heard, we already heard how, why you hold that view.
Robert Hurlbut:All right. Uh, our second question is, uh, what would it say if you could display a single message on a billboard at the RSA or Black Hat conference?
Francesco Cipollone:Just do asset management, just do asset management, like go back to the basics, like, uh, we're trying to solve all of it, um, with more scanner, but honestly, just go back to the basic of like, uh, What's an application? How to correlate things together? Who owns what? Where? Asking those questions can get you so much further away Than just saying well, I'm gonna scan some other stuff and I'm gonna have some other problems and it's not cool It's not sexy, but just do the groundwork We've seen it done It gets you with a month, uh, miles further away from your mature in your maturity model.
Robert Hurlbut:And the last question is, what's your top book recommendation and why do you find it valuable?
Francesco Cipollone:Oh boy. Um, I would say the latest book from Ross Holiuk and about, um, if you haven't read it, as a first or second time founder, Uh, I wish I had that book because it covers how to build security company and all the pitfalls that a security company, uh, have and have been, uh, through. Um, and then I have several others on application security, but I think that if I need to choose one, Uh, it will be that one because it's the one that impressed me the most. Uh, and I wish I had that book when I started.
Chris Romeo:Very cool. So, Frank, we always like to leave our audience with a key takeaway or a call to action. And so what would you like to leave our audience with?
Francesco Cipollone:I think understand how your organization works and start thinking about application security, not just as a security and development problem, but as a business problem and how to bring the business in, because we're trying to, we're trying to solve a problem between security and development. And I think we've reached to the limit of things that we can solve alone and we shouldn't solve it alone. And the SEC have. given us the mandate that security shouldn't take in his hands risk, but the business should own the risk and security should paint that picture of risk and give them actionable next steps. So if I need to leave, everybody is start talking with your business more, but in the terms that they understand, not just saying you have critical vulnerability, but as you have a risk position on your most critical application, and this is how you can get it done.
Chris Romeo:Yeah, that's really good advice. I love, I love you came back around and landed on our discussion about the business and the interactions with them. So Frank, thanks for, uh, being a part of the application security podcast. We wish you best of luck with Phoenix security and look forward to continuing our conversation into the future.
Francesco Cipollone:Brilliant. Chris, Robert, thank you so much and everybody stay safe out there. Goodbye.