The fourth, and final, interview in our 2016 National Cyber Security Awareness Month series is with Josh Feinblum, the VP of Information Security at Rapid7. In this series, we have gotten tips for accelerating application security with Dan Cornell of the Denim Group, received insights about managing open source security with Rami Sass of WhiteSource and learned about the importance of security awareness training with Checkmarx’s own founder and CTO Maty Siman.
In his role as VP of Information Security, Josh helps Rapid7 constantly improve their ability to manage risk and protect assets. Rapid7’s sophisticated security products, solutions and services help thousands of organizations to reduce vulnerabilities and exposures while finding and stopping attacks.
Secure Software Development Tips Josh Feinblum
Checkmarx: What was your first coding language? Why?
Josh Feinblum: QBasic, because I wanted to cheat at Nibbles. Once I got into the workplace, I found myself working with a bunch of Bash, converting it to Perl, and then on to Python!
Checkmarx: Mac or PC?
Josh Feinblum: Depends what I’m doing. When coding or pen-testing, all Mac.
What are two things about your role as a VP of Information Security that you are the most passionate about?
(1) Watching a program come together from nothing but a vision to a real operation; and
(2) Building a strong and innovative team.
Checkmarx: What advice do you have for developers who want to increase security in their code?
Josh Feinblum: Care about it. As silly as it sounds, if a good engineer cares about secure code, they’ll get better at it over time.
Checkmarx: Based on your experience, what recommendations do you have for security teams who want to work better with developers?
Josh Feinblum: Always remember, “No one is the villain in their own movie.” Developers have often impossible deadlines, and everything a security team asks of them makes them even more difficult. Good AppSec teams should be able to look at code and figure out if a problem exists, and perhaps even propose the fix for an engineer to run through a code review. That said, security teams need to learn how to communicate more effectively with developers – use their language, help them understand the issues.
Checkmarx: Moving forward to 2017, what advice would you have for organizations who are looking to grow and scale their security?
Josh Feinblum: Be enablers of the business, not a roadblock, and use what other companies do as data points, not guide books. We frequently over-rely on outdated technologies and approaches, because that’s “how it’s always been done.” Look to the past for reference, but don’t be afraid to carve your own path.
Checkmarx’s theme for National Cyber Security Awareness Month 2016 is “Developers Vote Security.” As more and more organizations across all verticals speed up their development and adopt DevOps, the responsibility of security is “shifting left” and falling into the hands of the developers during the development stages of the SDLC as the windows for security testing in the later stages continue to shrink. These interviews are a key part of the content that Checkmarx is sharing in order to empower and educate developers about secure development best practices.
Join Checkmarx’s joint webinar with Rapid7 Incorporating AppSec from the Start: How SAST and DAST Work Together