
John Poulin on Elevating Application Security in the Age of AI

Hi everyone 🚀

This week we’re diving into a topic that’s reshaping the landscape of application security: the integration of artificial intelligence. I’m thrilled to bring you an exclusive interview with John Poulin, the CTO of Cloud Security Partners, who has been at the forefront of using AI to enhance security protocols.

John brings a wealth of knowledge and experience to the table, particularly in how AI can be leveraged to not only detect but also predict security vulnerabilities before they become threats. His approach to application security, especially in the realm of software development, provides invaluable insights for anyone looking to strengthen their security posture.

In our discussion, John shares his journey through the evolution of security practices, from the early days of combating SQL injections to today’s sophisticated AI-driven defenses. His passion for educating and implementing secure coding practices shines through as he details how Cloud Security Partners is making major advancements in the field.

Stay tuned, learn a lot, and as always, let’s keep pushing the boundaries of what’s possible in cybersecurity together.

Cheers,

Ian

P.S. We're hosting a roundtable TODAY as part of New York Tech Week. Other cyber and cloud security founders and I will be discussing how growth-stage companies can harness AI to scale their organizations securely. Expect an exciting roundtable, the opportunity to meet others in the space, and of course, drinks. Register here to save your spot.

John Poulin, Chief Technology Officer at Cloud Security Partners

Question 1 💭

John, welcome to Cloud Control. To get started, could you share why you decided to specialize in application security within software development? What about that space is most exciting to you now?

Answer 1 🎯

I started developing an interest in application security at a very young age. Since high school I knew that I wanted to focus on application security; I just didn’t know it had a proper name at that time. Shifting back nearly 20 years, SQL Injection was everywhere, and there was constant risk of an organization's data being exposed. This was extremely interesting to me as a student, and helped really shape my interest in “learning how to hack.” Helping organizations detect and mitigate vulnerabilities in products well before bug bounties existed really felt like the wild west.

These days things have changed. SQL Injection is far less common. AI and ML, however, still feel like the wild west. I like to spend my time working with clients on secure design patterns, to help identify issues early in the process. In fact, I really enjoy teaching Defense-in-Depth engineering training and workshops where we talk through many of these principles. Many of the ideas we talk about are extremely obvious, but something you just need to hear someone say before it clicks.

Question 2 💭

You have experience in both large corporations and nimble startups. What are some of the unique application security challenges each type of organization faces? What’s different versus the same in your approach to each?

Answer 2 🎯

A lot of the challenges differ between organizations based on engineering velocity and technology investment. For instance, an organization that paves engineering paths that permit a very limited set of languages/frameworks/tools will be more reasonable to secure than an organization that has a significant amount of sprawl.

Regardless of organization size, focusing on establishing secure coding requirements and processes early on will enable the development of a strong application security program. Incidents and investigations will happen, prepare for them and be sure to utilize them as a learning opportunity.

Question 3 💭

Secure code reviews and threat modeling are right up your alley. Tell us about common pitfalls that teams often find themselves in. What are your pro tips for avoiding them?

Answer 3 🎯

Too often teams get hung up trying to perfect Threat Modeling and design reviews, and thus end up never executing them at all. Methodologies can be super helpful, and they’re going to evolve, but you don’t need one to get started.

At the end of the day, especially with smaller organizations that may not have ever participated in a threat modeling session, just dive in and have a discussion. Focus on understanding what the system is trying to accomplish, and then start to think about what problems there could be. From there, understand what techniques you could take to solve the problem. You don’t need to be too focused on the output yet. I’ve seen threat models conducted on whiteboards and captured with photographs. Anything works, especially initially. Take a few days to think about the discussion, and come back to it. If you’re threat modeling in one hour and never circling back to iterate, it’s going to be incomplete.

Same with code. When introduced to a new language/framework, don’t feel shy; just dig into the code and start to understand its structure. Where are configuration settings declared? How does the application route requests? These two questions will really help you understand how to decipher new frameworks. Once you start to identify patterns, utilize tools to help surface those. One of my favorite tools to use during code review is simply grep.

Question 4 💭

In your time leading tech at Cloud Security Partners, you’ve seen a lot of projects from start to finish. Could you share a story about a project that really pushed the envelope in application security and what it taught you?

Answer 4 🎯

I’m consistently impressed with projects that make significant use of integration testing. While this doesn’t exactly scream “pushing the envelope,” it does speak volumes to the maturity of the engineering processes. Utilizing testing as part of the security process enables clients to reduce the likelihood of regression, allowing them to remain forward-focused and ship meaningful features.

Generally speaking, many of the clients we work with year-over-year have really begun pushing the envelope. One client in particular has implemented a centralized audit logging framework, ensuring that every request that flows through the system has an associated audit log entry. They have implemented static typing inside a dynamically typed language to provide extra assurance that the data is not susceptible to type confusion. In addition to that, they rely on additional input validation to ensure that data matches expected patterns. Overall, this client in particular embodies the defense-in-depth approach.

In working with this client, and several others, it taught me to focus on helping clients understand prioritization. Given what I know, how would I recommend clients prioritize remediation? Hint: It’s not always by risk - there’s a lot of other variables that go into it.
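The defense-in-depth pattern described in Answer 4 (a typed request model enforced at runtime in a dynamically typed language, pattern and range validation on input, and an audit log entry for every request whether it is accepted or rejected), shown as an added example that is not the client's or Cloud Security Partners' code; `TransferRequest`, `handle_transfer`, the account-id pattern and the in-memory `AUDIT_LOG` sink are all constructed here for illustration.

```python
import re
from dataclasses import dataclass, fields

# Constructed stand-in for a centralized audit sink (a real system would
# ship entries to a separate, append-only store).
AUDIT_LOG: list[dict] = []

# Hypothetical account identifier format used for pattern validation.
ACCOUNT_RE = re.compile(r"^ACCT-\d{6}$")


@dataclass(frozen=True)
class TransferRequest:
    """Typed request model; declared types are checked when it is built."""
    account_id: str
    amount_cents: int

    def __post_init__(self) -> None:
        # Layer 1: runtime type enforcement. Python ignores annotations by
        # default; `type(...) is` (not isinstance) also keeps bool out of int.
        for f in fields(self):
            value = getattr(self, f.name)
            if type(value) is not f.type:
                raise TypeError(
                    f"{f.name}: expected {f.type.__name__}, "
                    f"got {type(value).__name__}"
                )
        # Layer 2: input validation against expected patterns and ranges.
        if not ACCOUNT_RE.fullmatch(self.account_id):
            raise ValueError("account_id does not match ACCT-NNNNNN")
        if not 1 <= self.amount_cents <= 1_000_000:
            raise ValueError("amount_cents out of range")


def handle_transfer(request_id: str, raw: dict) -> dict:
    """Layer 3: every request produces exactly one audit entry, even when
    it is rejected by the type or validation layers."""
    entry = {"request_id": request_id, "action": "transfer",
             "outcome": None, "reason": None}
    try:
        req = TransferRequest(**raw)   # unknown/missing keys raise TypeError
        entry["outcome"] = "accepted"
        entry["account_id"] = req.account_id
        return {"status": "ok", "amount_cents": req.amount_cents}
    except (TypeError, ValueError) as exc:
        entry["outcome"] = "rejected"
        entry["reason"] = str(exc)
        return {"status": "error"}
    finally:
        AUDIT_LOG.append(entry)
```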

Question 5 💭

Transitioning into your role as CTO, you've seen both sides of app security. How has your hands-on experience in security engineering influenced your leadership style and priorities at Cloud Security Partners?

Answer 5 🎯

Leading with empathy is a lesson I share during every talk and training that I give. Vulnerabilities are going to happen, as are availability incidents. When these things happen it’s important to focus on establishing blameless processes to address the issue at hand. More often than not the team or employee who introduced the issue will be involved in the remediation or the solution. Embrace them for their ability to step in and rectify the issue in a timely manner. This process will establish trust between management and the employees and build a really positive culture. It’s never appropriate to blame an individual for a security issue, but it is appropriate to blame processes and to seek to improve those.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

Join Us at New York Tech Week for a Roundtable Discussion on Harnessing AI for Growth-Stage Organizations

New York City’s Tech Week is HERE and we’ll be hosting an exclusive roundtable on how growth-stage organizations can harness AI to enhance their security posture.

We're bringing together top cybersecurity experts for an evening of open discussions and actionable insights. Here’s all that you need to know 👇

📅 Date: June 4th

🕡 Time: 6:30 PM

📍 Location: Secret (revealed upon registration)

Spots are filling up fast. Secure your spot now and discover how AI can level up your cloud security strategy.

Gomboc Honored in Notable Capital’s Rising in Cyber List 🚀

We’re excited to announce that we’ve been named one of the 30 most promising cybersecurity companies in Notable Capital's Rising in Cyber 2024! Being selected from nearly 200 nominees by over 100 CISOs and security leaders is a tremendous honor, and we are deeply grateful for this recognition.

Proud to be listed with many amazing cybersecurity companies!

For more details, visit Rising in Cyber 2024.

Top Articles and Resources of the Week

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.

  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.

  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.

  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.

  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.