ITSPmagazine Podcast Network

Is Your App Security Culture Leaving Out the Basics? | A Brand Story Conversation From OWASP AppSec Global Lisbon 2024 | A Phoenix Security Story with Francesco Cipollone | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this On Location episode, Sean Martin chats with Francesco Cipollone, Co-founder and CEO of Phoenix Security, about the evolving landscape of application security and the role of AI in tackling persistent vulnerabilities. They explore effective strategies for enhancing security maturity and fostering collaboration between security and development teams, offering valuable insights and practical advice.

Episode Notes

In this episode of On Location, host Sean Martin engages in an insightful conversation with Francesco Cipollone, Co-founder and CEO of Phoenix Security, at the OWASP AppSec Global conference in Lisbon. They delve into the evolving landscape of application security, focusing on the pressing challenges and innovative solutions that are shaping the industry today.

The discussion begins by exploring the potential and pitfalls of artificial intelligence (AI) in cybersecurity. Francesco highlights the dual role of AI as both a tool and a target within security frameworks. He emphasizes the importance of proper prompt engineering and specialized training data to avoid common issues, such as AI-generated code that references libraries, or library versions, that don't actually exist. This leads to a broader conversation about how Phoenix Security utilizes AI to intelligently categorize and prioritize vulnerabilities, allowing security teams to focus on the most critical issues.
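The hallucinated-dependency problem mentioned above is cheap to catch mechanically: before an AI-suggested dependency list reaches a build, resolve every package name and pinned version against an index you trust. The Python below is an added example written for this page, not Phoenix Security's code or tooling; the `KNOWN_INDEX` table is a constructed stand-in for a registry or lockfile lookup, and the requirements text is a constructed sample.

```python
"""Check AI-suggested Python requirements against a known package index.

Added example, not Phoenix Security's code. KNOWN_INDEX below is a
constructed stand-in for a registry lookup; in practice you would resolve
names against your own registry mirror or lockfile instead.
"""
import re
from dataclasses import dataclass

# PEP 503 name normalisation: case-insensitive, runs of -_. collapse to "-".
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Constructed stand-in for a registry/lockfile: normalised name -> released versions.
KNOWN_INDEX = {
    "requests": {"2.31.0", "2.32.3"},
    "pyjwt": {"2.8.0", "2.9.0"},
    "cryptography": {"42.0.8", "43.0.0"},
}

# name, optionally followed by an exact pin (other specifiers count as unpinned).
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s;#]+))?")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str  # "unknown-package" | "unknown-version" | "unpinned" | "unparseable"


def check_requirements(text: str, index=KNOWN_INDEX) -> list[Finding]:
    """Return one Finding per requirement line that should not be trusted as-is."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append(Finding(raw, "unparseable"))
            continue
        name, version = normalize(m.group(1)), m.group(3)
        if name not in index:
            findings.append(Finding(raw, "unknown-package"))
        elif version is None:
            findings.append(Finding(raw, "unpinned"))
        elif version not in index[name]:
            findings.append(Finding(raw, "unknown-version"))
    return findings


# Constructed sample of an LLM-proposed requirements.txt.
SAMPLE = """\
requests==2.32.3
PyJWT==2.9.0
cryptography==99.1.0      # version that does not exist
secure-jwt-helper==1.0.0  # package that does not exist
requests                  # exists but unpinned
"""

if __name__ == "__main__":
    for f in check_requirements(SAMPLE):
        print(f"{f.reason:16} {f.line}")
```

Anything reported as `unknown-package` is exactly the case discussed above: a name the model produced that no registry has ever published, which an attacker can register later. Treat `unknown-version` the same way, since a pin that does not resolve today may resolve to an attacker's upload tomorrow.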

The conversation then shifts to the concept of maturity models in vulnerability management. Francesco explains that many organizations are still struggling with basic security tasks and describes how Phoenix Security helps these organizations to quickly enhance their maturity levels. This involves automating the scanning process, aggregating data, and providing clear metrics that align security efforts with executive expectations.

A significant portion of the episode is dedicated to the importance of collaboration and communication between security and development teams. Francesco stresses that security should be integrated into the sprint planning process, helping developers to prioritize tasks in a way that aligns with overall risk management strategies. This approach fosters a culture of cooperation and ensures that security initiatives are seen as a valuable part of the development cycle, rather than a hindrance.
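The aggregation, attribution and prioritization steps described in the two paragraphs above (one flat backlog turned into team-owned, risk-ranked work, handed over in sprint-sized slices) can be sketched in a few dozen lines. The Python below is an added example written for this page, not Phoenix Security's model or code: the asset inventory, the findings (real CVE identifiers used only as sample data), the severity weights, the exploited-CVE multiplier and the per-team cut-off are all constructed assumptions.

```python
"""Aggregate scanner findings into team-owned, prioritized remediation items.

Added example, not Phoenix Security's code. Inventory, findings, weights and
the scoring formula are constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}
EXPLOITED_BOOST = 3.0  # assumed multiplier for CVEs with known exploitation

# Constructed inventory: asset -> (owning team, business criticality 1..5)
ASSETS = {
    "payments-api": ("team-payments", 5),
    "checkout-web": ("team-payments", 4),
    "internal-wiki": ("team-platform", 1),
    "reporting-svc": ("team-data", 3),
}


@dataclass(frozen=True)
class Finding:
    scanner: str
    asset: str
    component: str
    version: str
    fixed_version: str
    cve: str
    severity: str
    exploited: bool = False


@dataclass
class RemediationItem:
    """One upgrade a team can schedule; it may close several CVEs on several assets."""
    team: str
    component: str
    fixed_version: str
    assets: set = field(default_factory=set)
    cves: set = field(default_factory=set)
    score: float = 0.0


def dedupe(findings):
    """Two scanners reporting the same CVE on the same component/asset is one finding."""
    seen = {}
    for f in findings:
        key = (f.asset, f.component, f.cve)
        # Keep the copy carrying the exploited flag if either scanner set it.
        if key not in seen or (f.exploited and not seen[key].exploited):
            seen[key] = f
    return list(seen.values())


def aggregate(findings):
    """Group by (team, component, fixed version) and score by risk reduction."""
    items = {}
    for f in dedupe(findings):
        team, criticality = ASSETS[f.asset]          # attribution to the owning team
        key = (team, f.component, f.fixed_version)
        item = items.setdefault(key, RemediationItem(team, f.component, f.fixed_version))
        item.assets.add(f.asset)
        item.cves.add(f.cve)
        weight = SEVERITY_WEIGHT[f.severity] * criticality
        item.score += weight * (EXPLOITED_BOOST if f.exploited else 1.0)
    return items


def sprint_slice(findings, per_team=2):
    """Top-N remediation items per team, highest risk reduction first."""
    by_team = defaultdict(list)
    for item in aggregate(findings).values():
        by_team[item.team].append(item)
    return {t: sorted(v, key=lambda i: -i.score)[:per_team] for t, v in by_team.items()}


# Constructed findings from two scanners, with one overlapping report.
FINDINGS = [
    Finding("sca", "payments-api", "log4j-core", "2.14.1", "2.17.1", "CVE-2021-44228", "critical", True),
    Finding("container", "payments-api", "log4j-core", "2.14.1", "2.17.1", "CVE-2021-44228", "critical"),
    Finding("sca", "payments-api", "log4j-core", "2.14.1", "2.17.1", "CVE-2021-45046", "critical"),
    Finding("sca", "checkout-web", "log4j-core", "2.14.1", "2.17.1", "CVE-2021-44228", "critical", True),
    Finding("sca", "checkout-web", "jackson-databind", "2.9.8", "2.9.10", "CVE-2019-12384", "high"),
    Finding("sca", "internal-wiki", "log4j-core", "2.14.1", "2.17.1", "CVE-2021-44228", "critical", True),
    Finding("sca", "reporting-svc", "spring-core", "5.3.17", "5.3.18", "CVE-2022-22965", "critical", True),
    Finding("sca", "reporting-svc", "commons-text", "1.9", "1.10.0", "CVE-2022-42889", "medium"),
]

if __name__ == "__main__":
    for team, items in sprint_slice(FINDINGS).items():
        for it in items:
            print(f"{team:14} {it.component}->{it.fixed_version:8} "
                  f"score={it.score:6.1f} assets={len(it.assets)} cves={len(it.cves)}")
```

With the sample data, the single log4j-core upgrade for team-payments outranks everything else because it closes two CVEs on two high-criticality assets, one of them exploited in the wild; the same upgrade on the low-criticality wiki lands near the bottom of team-platform's list. The `per_team` cut-off is what turns the ranking into the weekly "drip feed" rather than a 2000-ticket dump.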

Francesco also touches on the role of management in security practices, underscoring the need for aligning business expectations with engineering practices. He introduces the vulnerability maturity model that Phoenix Security uses to help organizations mature their security programs effectively. This model, which maps back to the OWASP SAMM and DSOMM frameworks, provides a clear path for organizations to improve their security posture systematically.

The episode concludes with Francesco reflecting on the persistent basic security issues that organizations face and expressing optimism about the future. He is confident that Phoenix Security's approach can help businesses intelligently address these challenges and scale their security practices effectively.

Learn more about Phoenix Security: https://itspm.ag/phoenix-security-sx8v

Note: This story contains promotional content.

Guest: Francesco Cipollone, CEO & Founder at Phoenix Security [@sec_phoenix]

On LinkedIn | https://www.linkedin.com/in/fracipo/

On Twitter | https://twitter.com/FrankSEC42

Resources

Learn more and catch more stories from Phoenix Security: https://www.itspmagazine.com/directory/phoenix-security

View all of our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription


Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new On Location episode. I'm coming to you from OWASP AppSec Global in Lisbon. I'm joined by Francesco. How are you, Francesco?

Francesco Cipollone: Very good. Very good, Sean. Good to see you again. It's been only a few weeks. We saw each other in London for InfoSec. Lots of traveling, lots of conferences, high gear.

Sean Martin: I know. And you've been busy. I mean, uh, you had great traffic. And I've seen the booth today, a lot of people coming by to talk to you, which is really cool.
 

Francesco Cipollone: Yeah.  
 

Sean Martin: And, uh, you're doing a book signing with, with Mr. Shostack as well, which is cool.
 

Francesco Cipollone: Yeah, we did. We did our book shows that book and yeah, it's great. 
 

Great conference. I'll also talk about AI. Um, you know, AI is great. Uh, very exciting what you could potentially do. But from the floor, we hear still, we still hear the same basic stuff. Like, you know, people are still struggling to do threat [00:01:00] modeling. People are still struggling to do, um, vulnerability prioritization, uh, taking the vulnerability to the right team, scanning stuff, what do they need to do first. Like, really the basics. Like, AppSec is great, but it's still a problem of, like, what do I do next?
 

Or how do I develop an application security program?  
 

Sean Martin: And so there's two parts there, right? So there's, we want to, we want to, well, maybe it's three parts. We want to embrace AI. We want to control AI, which may be two things in parallel or in concert. And then there's, we want to utilize it, those other two things.
 

Francesco Cipollone: Yeah. So it's bucketed in using AI securely and using AI for security, when you can use it. Like, how do you write the policy for AI, but also where AI is [00:02:00] applicable? Like, I spent a lot of time talking with a few of my friends that are really into AI and AI modeling. We do a lot of AI classification, generation, not purely LLM. Like, LLM is the latest cool kid around the block that seems to solve all the problems in the world.
 

But LLMs are still developed with very generic training data. And we were discussing with our good friend Jim Manico: if you throw code at an LLM without proper prompt engineering, it will invent libraries that you don't have, and fixes with versions that don't exist. So I think in cyber security, we're still trying to find the silver bullet that solves all the problems because we don't want to admit that we need to go back and do the basic stuff right, you know, knowing which team does what, where, attributing the right problem to the right team, and then maybe start doing fancy [00:03:00] stuff like we do with Phoenix Security, um, understanding the category of issues or what's inside a specific vulnerability, how you can group together a bunch of vulnerabilities, using our AI model and understanding what's more fixable and what's the biggest bang for the buck that you can deliver.
 

Those are really cool uses of AI, but still underpinned by the basics that we document very well in the book that we recently wrote.
 

Sean Martin: And let's get to the book in a second, but I want you to articulate the, cause I think we touched on this briefly in the last chat we had, but I want to spend maybe another minute on it here. Because if you have, I don't know, 50 apps or something, and they all have the same vulnerability.

What do you focus? Yeah. Which one do you focus on, or do you fix one of them? So describe what you just, you just told me about intelligently categorizing, [00:04:00] prioritizing, assigning, all of that. Describe that process. Yeah.
 

Francesco Cipollone: Normally in an organization, you start with a whole bunch of problems that are all flat. 
 

Um, all the teams that are looking at the same backlog of, I don't know, 1000, 2000, 3000 problems. Maybe 500 of those are critical. Where do you even start in that? And what usually happens is the security team just throws a bunch of problems to every team and says, go and find your problems in this big pile of lists and, and just work through it.
 

And work through it and try to find this. And by the way, do it in three days. And doing and fixing an upgrade, a Spring Boot upgrade, is not the same as bumping up a library from one minor version to the other. So SLAs are kind of dead, but they still rely on the fact that, um, me as a team, I need to look at a bunch of problems that belong just to me, and that's a really hard problem to [00:05:00] solve.
 

And that's some of the stuff that we solve with Phoenix, to actually help organizations automatically and programmatically group things together by looking at different patterns of things, uh, that we solve. It's still the basics. It's still attribution of the right teams to the right organization. Because then after that you can do the other fancy stuff with Phoenix, like assigning business criticality, understanding how much money it is costing you from a risk perspective, so associating the risk
 

from a risk perspective to the monetary value of how much at risk your particular application is. That's the whole fancy stuff, but still underpinned by a lot of the basic stuff that gets and helps security teams scaling. Because right now, all of this is done by the security team or by the development team. So it's an enormous waste of effort of really expensive resources.
 

Sean Martin: Yeah. Yeah. Shoving stuff over the fence back and forth as well. Um, so let's talk about the [00:06:00] book now, because I presume in the book you talk through the right way to think about this. Which, I'm going to go out on a limb and guess that security and developer teams need to rethink how they approach this problem.
 

Francesco Cipollone: Absolutely. But we're missing, you're missing one aspect that is the management. So we keep on talking about shift left and shift right. We talk about shift everywhere. So shift up and shift down and do the dance around. Do the hokey pokey. Exactly. But jokes aside, connecting business expectation to engineering practice around security, translating a risk objective. 
 

into action for engineers and moving away from SLAs into this method of work helps security engineers as well, suggesting how you can achieve your target faster and better by jumping on objectives. They're not security [00:07:00] objectives, they're business objectives about security. But until we translate that message of, you have 10,000 vulnerabilities on your particular application that your application team or your development team maintains, that is exposing the organization for, I don't know, 10 million out of a hundred million.
 

And because you have X amount of vulnerabilities, you're not going to be able to act or scale any application security program. And that's what we saw with the book. We have, uh, what we call a vulnerability maturity model that we map back to DSOMM and SAMM from OWASP. So that, uh, first of all, the model can collaborate and interoperate.
 

But second of all, you know how to mature a program of work by vertical. And what that means is you can be very mature in, in scanning stuff, but not very mature in how you attribute things to the right team or how you measure things. So you can move the dials in different [00:08:00] directions, in different pillars of the framework, so that you can mature all of the aspects organically or inorganically of your, uh, program.
 

But a lot of the programs that we see and we saw in the past is, okay, you are in this step now, you need to move to this step, you need to do this list of 50 things. And that's not how organizations mature.
 

Sean Martin: And so, yeah, I love this because, I mean, it's a result of disclosure, CVEs, right? It's all just lists.
 

Yeah, right and so 
 

Francesco Cipollone: It's not just one list. You have software security, you have container security, you have cloud security, you have threat monitoring, you have pentesting, you have bug bounties, you have 15 lists that are correlated in different ways, and not all the organizations work in the same way. Some organizations work with an AppSec team, they look at part of this problem, and a pentest team, they look at another part of this problem, and an operations team, they look at another part of this [00:09:00] problem.
 

As an attacker, I don't care about the business politics. I care about, look, I can enter here and then escalate with, uh, you know, breaching memory limits or escalating my authentication and getting to the OS, and from the OS I can get into the application because maybe the application is weak in terms of containerizing memory management.
 

And, um, that's some other stuff that we published in the book about what are the patterns and the trends that you can fix that attackers are actually using and leveraging to develop, uh, things for the masses. Because from an attacker perspective, it's also a software development shop. They need to choose the things that have the largest attack surface so that when they build an attacker tool, it covers and hits the most of the organizations, because it's very rare that you're going to have a software team that develops something very, very specifically for them, unless you're Microsoft and the other place are Russia or some other very well known APT.
 

That really needs to achieve something specific. But [00:10:00] right now it's a software development shop, because organizations are complex, but vulnerabilities are still very simple.
 

Sean Martin: So through Phoenix, you, you can provide that, that intelligent view.  
 

Francesco Cipollone: We can provide organizational view. We can provide the graph of knowledge between your application and where they run. 
 

And offer developer teams exactly the list of things that they need to look at in a prioritized, contextualized way, but also in line with the risk expectation of executives. So as an executive, you can say, this is my baseline of risk, and this is where I want my organization to go. And then each application owner and each development team has a list of prioritized things that they need to address in line with executive expectations.
 

So don't fix all the CVEs. Fix only the more important CVEs, the ones that are exploitable and the ones that are actually in line with the executive expectation.
 

Sean Martin: So how, how does somebody who has the book [00:11:00] utilize the book to achieve the maturity that you just
 

Francesco Cipollone: Well, with Phoenix, we actually take you back. We take you on a fast track of maturity. So we take you from having no scanners, no data, no visibility to actually already level three and level four of the maturity model, where we accelerate your scanning solution, we accelerate aggregation, contextualization and the measurement that you can use.
 

So it's a fast track way to, um, to higher maturity. Otherwise you start developing your scanning methodology. Then you start developing your aggregation and prioritization methodology. And then the metrics that really matter. So you can move kind of dials from the least maturity, that is maturity number zero, to the most maturity, that is maturity number five.
 

Sean Martin: Are there, are there organizations that are over mature?  
 

Francesco Cipollone: There are organizations that are very mature from, for example, a gating perspective. So they scan everything and they gate things. Um, but they're not [00:12:00] very mature about how they communicate that effort. So from an executive perspective, they don't see the value of that, uh, maturity.
 

And what happens is that if an executive changes, that program will get deleted, or it's difficult to maintain. So I've never seen an organization that is over mature, uh, on all of the aspects, but maybe very much on one aspect and then lacking on the others.
 

Sean Martin: Yeah. Cause I, I'm picturing it as either levers or dials or something, and if  
 

Francesco Cipollone: it's boxes that you move around on a vertical, 
 

Sean Martin: If I have every bit of intelligence, every, every list that you were describing earlier, and I just overload my team and have no view of the rest of the model, then I'm in, I'm in bad shape.
 

Francesco Cipollone: Yeah. And if you overload your teams, chances are they will not talk to you, not do anything. But instead, if you drip feed 20 vulnerabilities on a weekly basis, then the chances of them operationalizing and fixing and [00:13:00] consistently reducing your attack surface is much higher. And we've seen from data that the probability of exploitation of organizations that consistently reduce their external attack surface, all the way to the internal one, is very unlikely. They will not get targeted.
 

There is still the chance that they will get targeted, but they will have their neighbors that don't reduce their attack surface fast enough. So why attack you?
 

Sean Martin: It's

Francesco Cipollone: always being faster than your neighbor. And I'm not suggesting to attack your neighbor, but
 

Sean Martin: So another, another topic that's come up, uh, here at OWASP, uh, is the, the concept or the topic of culture. 
 

And so we just talked briefly about, uh, overwhelming the team. Um, how does what you do kind of help [00:14:00] establish and improve the culture? Because you talked about SLAs and their being unrealistic, and different things require different times and different research. It can be very confusing and hard to measure.
 

Which then could be a bit of a bummer if you're a developer, right? Because you don't know, am I doing the right thing in the right way, in the right order? 
 

Francesco Cipollone: It's not rewarding. SLAs are not rewarding. It's just a stick that security teams used to use because they didn't know any better. Um, and it doesn't align with how, first of all, engineers think and schedule their work.
 

Um, in a sprint planning mode, you don't look at SLAs, you look at the number of things that you need to solve in the next week. And you don't look at them from a software perspective and then log in to 15 other tools. Developers have their Kanban boards on Jira, on all of their backlog tools. They look at which, which thing do we need to prioritize.
 

If we don't work in that way, chances are that security will never get into the [00:15:00] line of priority for engineering. But as well, if we open 2000 tickets, all of those tickets will go in the backlog, and chances are that they will never get looked at. But if you build a culture of collaboration where security comes into the sprint planning and says, look, you have 20 tickets to be resolved.
 

You have 50 others in the backlog, but if you focus on this particular library, on this particular upgrade, on this particular thing, you actually can reduce your risk level the most. And that's rewarding because it's security coming into a sprint planning, helping engineers achieve that target faster, and everybody wins.
 

Security wins because they are reducing consistently the attack surface. They're spending. An hour of that time, half an hour of the time creating value for the engineering community and creating a strong bond so that from a security champion perspective, the security champion is not the guy that goes into the list of problems and go and fix all of the problem. 
 

And nobody wants to do an [00:16:00] extra job for no pay, right? So security can come in and help and build a strong security culture. And then with all of the data that we provide, for example, with Phoenix, the security team can look at the patterns that each team is doing and performing and maybe customize training, customize the security champion program, customize threat modeling, so that they can really work on the issues that, not in general, but at that particular moment in time, the team is facing, and deliver value. But it's a data driven decision methodology: if you don't have that data, unfortunately you guess and you provide generic input, and from generic input you get no answer.
 

Sean Martin: Yeah, or you second guess and have to re make decisions over and over and over.  
 

Francesco Cipollone: Yeah, I'll probably make decisions on the wrong stuff. Like, if you provide training on cross-site scripting and the team is working on, uh, more, more modern languages, what's the point? It's like, you're trying to secure something that doesn't exist anymore.[00:17:00]
 

Sean Martin: Uh, it's incredible. It's incredible. Well, Francesco, it's been, uh, it's been great catching up with you. Uh, is there anything else that you, you picked up on, uh, here at the conference you want to share before we wrap?  
 

Francesco Cipollone: Yeah. I'm still surprised that we still work on the basic and basic stuff, but also I'm glad that with Phoenix, we can, um, help organizations with our knowledge on how to fix those basic things and how to mature step by step.
 

Sean Martin: Intelligently focused, and scale the basics. I love it. All right, Francesco. Thank you so much. Uh, have a great rest of the conference here at OWASP AppSec in Lisbon. And, uh, thanks everybody for listening.
 

Francesco Cipollone: Thank you very much. Enjoy and stay safe. Goodbye.