Threat modeling can help, but it’s often time-consuming, heavy on documentation, and easy to skip when deadlines loom. At Relativity, Raphael Theberge (Director of Security Enablement) shared a simple but effective approach:
- At the inception of any new product or feature, teams are required to answer a set of questions outlining the security impact.
- That gets sent to the security team for review and discussion—early enough to influence design.
- It brings visibility, includes the right stakeholders, and helps catch issues while they’re still cheap to fix.
No lengthy reports. Just the right conversations at the right time. How are you making security part of the design process without slowing dev teams down? Let us know in the comments. https://lnkd.in/gn4pKYZe #SecureByDesign #ThreatModeling #AppSec #DevSecOps
About us
LeanAppSec is an educational program and community for application security professionals and security-minded developers seeking to better understand open source security, dependency management, and how they fit into the SDLC.
- Website
- https://www.leanappsec.com/
- Industry
- Technology, Information and Internet
- Company size
- 2-10 employees
- Headquarters
- Palo Alto
- Type
- Partnership
- Founded
- 2023
Locations
- Primary: US, Palo Alto
Updates
-
LeanAppSec reposted this
I'm hiring! It's an exciting time at Netflix and we're looking for an experienced Security Engineer to work alongside our platform teams to enhance security and enable the business. Using your engineering skills and security knowledge, you'll play a big role in how our systems are built and how we manage risk. We'd love to find someone who is proactive and adaptable, can work well with people from different areas of expertise, and fosters a strong and inclusive security team. Check out the link for more specific detail on what kind of experience we're looking for - we encourage you to apply even if you don't meet every single one of the listed criteria. We value the unique perspectives, skills, and experiences each candidate brings with them. https://lnkd.in/em_MTE_j
-
How do you communicate the complexity, churn, and challenges of a modern AppSec program in a way that actually resonates with stakeholders? Historically, we’ve relied on vulnerability counts. How many issues a scanner found. But in today’s fast-paced, agile development pipelines, that approach just won’t cut it. It’s seen as friction, not value. Sri Manda, Chief Security and Trust Officer at Peloton Interactive, says metrics need to evolve. They should:
- Contextualize risk – Why does this severity matter? Reachability? Exploitability? Exposure?
- Prioritize impact – Track vulnerability density (issues per 100-500 lines of code) to measure security lag.
- Reduce MTTR for developers – Speed matters, but so does fixing the right issues faster.
What’s one metric you think would actually help drive better security outcomes? https://lnkd.in/g393_tma #AppSec #DevSecOps #MTTR #EngineeringMetrics
-
At Series A, security is a balancing act. You move fast. You’re resource-constrained. You have to pick your battles. One approach? Prioritize compliance to unlock deals with bigger customers. For many early-stage startups, frameworks like PCI or even FedRAMP aren’t just checkboxes, they’re trust signals that drive revenue. We’ve seen this firsthand with Grip Security. As a security company, they understand the importance of building trust early. Their security program doesn’t just align with compliance, it uses it as a foundation for growth. When your team is still small, you have a unique advantage: you know your engineers. You can build security into your culture before silos form. If you were leading AppSec at a Series A startup, what would be your first move? Drop your thoughts in the comments. #AppSec #SeriesA #DevSecOps #Cybersecurity
-
AI-generated code is everywhere, but is it actually making engineering better, or just faster? Steve Wilson pointed out something interesting: code duplication in repositories has skyrocketed. Unlike human developers who refactor and reuse, LLMs tend to generate new (and often redundant) code every time. That’s technical debt on autopilot. In 12–24 months, AI coding assistants might start optimizing for maintainability and reuse. But right now? They’re built for speed, not sustainability. Are you seeing this play out in your own projects? How are you managing AI-generated technical debt? Let us know in the comments! #GenAI #AppSec #AIAppSecRisk #LLMs
-
Too often, security teams hold all the keys when it comes to exceptions, which just slows everything down. But the reality is, product and engineering teams have the best context to make smart risk decisions. So instead of security being the bottleneck, why not shift that decision-making closer to the teams that actually know what’s going on? Give them clear policies, the right guardrails, and let them take ownership—without compromising security. More about Raphael Theberge's 'Blocking with Confidence' Program at Relativity here: https://lnkd.in/gdnpvahm #AppSec #ExceptionHandling #cybersecurity #DevSecOps
-
Moveworks is Hiring: Senior Application Security Engineer II. Moveworks is looking for a Senior AppSec Engineer to lead security efforts for their AI infrastructure, platform, and features. If you have AppSec experience, Golang/Python skills, and an interest in LLM security, this could be a great opportunity for you! Apply here: https://lnkd.in/gydzJrAA #Hiring #AppSec #AI #SecurityEngineering #Moveworks
-
What does "lean" really mean in LeanAppSec? It's not just about doing more with less. As Jenn Gile explains, LeanAppSec is about applying lean manufacturing principles to AppSec, eliminating waste and maximizing impact. LeanAppSec sessions aim to help you:
- Focus on real risks by mapping AppSec activities to business value
- Create flow states with clean, efficient processes
- Implement pull-based systems to integrate security seamlessly into the SDLC
If you've implemented lean principles within your AppSec teams, and want to share your story with the community, type 'Yes' in the comments and we'll reach out to you. You could help others learn from your experience. https://lnkd.in/gmRDZb46 #LeanAppSec #AppSec #DevSec #SecOps #DevSecOps
-
We'll be live soon! See you there!
Just in case you missed the announcement, LeanAppSec Live is back on February 19! LeanAppSec connects the community to real-world #AppSec and #CloudSec leaders who share their stories. How can a small AppSec team support thousands of developers? What do I need to know about LLMs? How can I help developers make better decisions? In just 2 hours, you’ll get actionable tips from peers and experts. And it’s free! And you could win a lightsaber! This time around, we have speakers from Peloton Interactive, OWASP Foundation, and Relativity. You’ll learn:
- How to show value to your CISO
- 6 things you must do if your developers are leveraging AI
- A way to validate developer decisions that reduce errors and enforce consistency
Register https://lnkd.in/grXNXdPN #AppSec #DevSecOps #Community
-
Giving developers standardized and clear security information at the right time pays off. This helps them focus on high priority, high value targets. At Relativity, Raphael Theberge and his team made it easier for their developers to make informed security decisions by standardizing guidance and automating validation. The result? Developers focus on high-priority risks, and security decisions become measurable in a way that makes sense—even to the business side. In this session, Raphael will share:
- How to confirm when a risk is okay to accept
- When to step in to ensure a risk is properly remediated
- How to create org-wide accountability for product security
Join us to learn how AppSec can help developers make the right security decisions—without extra friction. https://lnkd.in/grXNXdPN #AppSec #DevSecOps #cybersecurity #LeanAppSec
-