This week, I was fortunate to have a chance to interview Alyssa Miller, security evangelist and Application Security Specialist at computer and network security firm Snyk. She had a great deal of insight about how application security can improve, and how the human side of information technology can evolve as a whole.
KIM CRAWLEY: What have you been working on lately?
ALYSSA MILLER: Professionally, I just started a new job. It's bringing me back to application security, which is where I started in security. As a former developer, application security has always been my primary focus. In this new role, I'm officially an advocate, meaning my sole responsibility is evangelizing application security through online content, media, and public speaking. I’m really focusing on being identifiable in our industry and bringing content and ideas that are useful and helpful to the community and IT industry as a whole.
KIM: How did you catch the application security bug in the first place?
ALYSSA: Almost by accident, really. I was a developer for about a decade, most of which was spent in a large FinTech company. I was approached one day by a manager from our Information Security team. She asked me if I'd like to join the Security Test Team, which was responsible for all vulnerability scanning, penetration testing, and vulnerability management.
KIM: How can we encourage more people to enter our field who aren't cisgender men? And how do we convince HR that it's important?
ALYSSA: The business world has slowly come to understand the value of diversity. Business runs on the bottom line. Mature businesses understand that diversity is necessary and brings a material value in terms of bottom line performance. We need to continue to leverage that. However, we also need to understand that diversity only is achievable and sustainable when we have inclusion. Inclusion means having a culture where everyone feels comfortable, they feel that their abilities and contributions are truly valued by those around them, and they feel empowered to use their skills, talents, ideas in a way that is consistent with their own authentic selves.
When we feel like we have to put on an act or hide something about ourselves from our colleagues and management, it causes stress that hurts our work performance. Our efforts are no longer focused on the job tasks, but rather our focus is split between doing the task and how to do it in such a way that we don't expose that “secret” or we live up to some arbitrary expectation of what we should be.
KIM: How might DevSecOps differ from application security in general? I've written about the DevOps lifecycle before.
ALYSSA: To me, application security is just an overarching concept. It applies to how we install and use applications in addition to how we develop them. Obviously DevSecOps is focused on secure development of software, which is crucial to the overall concept of application security.
KIM: Do you have any advice for people who want to enter the application security field?
ALYSSA: My advice is to spend some time working with or in a development team. There is a true need for empathy in this space. You need to understand what it's like to be in their shoes, the problems they face, the conflicting priorities they see. And of course, you need to be able to communicate in terms that are meaningful to them.
KIM: Where do you see application security going from here?
ALYSSA: What's old is new again, push left. But the technology is changing. We see things like serverless architecture and Infrastructure-as-Code where more aspects of the security posture fall on the development side. This is where DevOps and truly DevSecOps will be most challenged for years to come. It's why a true DevSecOps approach is no longer just a goal, it's a necessity. We need that integrated expertise of our Development, Security, and Operations functions working toward the common goal of secure deployment.
I also think you're going to see another addition to that. Call it BizDevSecOps. The business needs to be a part of this equation as well. We talked before about the diversity of thought and how important that is. The business side of things brings important perspective that we need to have early on in the development lifecycle.
ALYSSA: Ha! I know right? The reality is it's just a way to describe the larger motion of making security a part of everyone's responsibility throughout the organization.
I really enjoyed my conversation with Alyssa. The field of application security will certainly continue to benefit from her guidance.
About Alyssa Miller
Alyssa Miller (@AlyssaM_InfoSec) has a passion for security which she evangelizes to business leaders and industry audiences both through her work as a cybersecurity professional and through her various public speaking engagements. Her goal is to change the way we look at the security of our interconnected way of life and focus attention on defending privacy and upholding trust.
Alyssa has always had a driving curiosity to understand how technology works and how existing technologies can be hacked to function in new ways. Her passion for security quickly shaped her career as she moved into a leadership role within the ethical hacking team, conducting penetration testing and application assessments along with her team. With her programming background, Alyssa was able to focus her efforts on Application Security.
Today, Alyssa leads the Information Security Solutions practice for Snyk. She continues to work with executive and senior business leaders on developing comprehensive enterprise security programs. Additionally, she evangelizes her message about evolving the way people think about and approach security, privacy and trust through speaking engagements at various conferences and other events.