ProdSec Decoded - Episode 1
Pratik Roychowdhury: Hey everyone. Welcome to the first episode of ProdSec Decoded, a podcast where we deep dive into the fascinating intersection of product security and artificial intelligence. I’m your host Pratik Roychowdhury, and I’m joined today by my co-host Chiradeep Vittal, who is the CTO at AppAxon. On ProdSec Decoded, we will be having candid conversations with the brightest minds who are navigating the complex landscape of securing products in a world increasingly powered by AI.
Today we had a great discussion with a true leader in the security space, Sameer. Sameer brings a wealth of experience as a CSO, having previously served as CSO at Whole Foods Market during his time at Amazon and as VP and CSO at Forcepoint. He has also had other CISO gigs before. Sameer’s impressive background also includes being co-founder and COO at Balcon ID, an identity security company.
He’s an active strategic advisor and investor in the security space. Sameer also hosts his own podcast, the Identity Jedi Podcast, focusing on pressing issues in the identity space. In today’s episode, EP and I spoke to Sameer about his journey through the evolving security landscape. We got his insights on what product security is, what the challenges of product security are, how it differs from application security, and how to use agentic approaches and AI towards product security, and we discussed some of the practical strategies and implementations for organizations, budgeting, and so on. Take a listen.
Hey Sameer, welcome to the show.
Sameer: Hey guys, how are you?
Pratik Roychowdhury: Good. So.
Sameer: I haven’t been on Descript in a while, so I’m excited to test out this new service that you have. Yeah, let’s do it.
Pratik Roychowdhury: Yeah, this is the new AI tool, so we thought we’d give it a try. So I know RSA is right around the corner, so I am assuming you’re gonna be there as well, right?
Sameer: Yeah, yeah, I’m there this time, and this is my first time in maybe about four years since I’ve not been a co-founder. I’m actually back in the practitioner seat as a CSO/vCISO, and I’m invited to all the parties, unlike last year when nobody wanted to talk to me. So it feels good.
Pratik Roychowdhury: Awesome. Hoping to see you there. There’ll be a lot of people I’ve been talking to who are also gonna be there, so it’ll be great to go to some of the parties there.
Sameer: Yep, exactly.
Pratik Roychowdhury: All right, so, EP, should we get started then?
Chiradeep: Yeah. Yeah, I’m looking forward to RSA too. It’s been a very long time for me as well, though it’s right in my backyard. I do like the parties, so I’m looking forward to it.
Pratik Roychowdhury: All right, perfect. So, Sameer, today we wanted to talk to you a little bit about product security, ProdSec in short. I know you have had a very interesting career journey. You were a practitioner, a CISO multiple times, and then you’ve been an entrepreneur, you’ve been advising companies, you’ve been investing in companies.
So maybe we start off with your personal journey a little bit, a little bit about what the learnings were along the way. Maybe we can just start off there.
Sameer: Yeah, so, unlike a lot of my peers in the security community, I didn’t grow up in a more technical discipline of testing or deploying software or hacking into services, et cetera. A lot of my very smart peers grew up in those arenas. I kind of came into security through the compliance side when SOX 404 was a hot topic back in the early two thousands. That brings a different perspective, as you would imagine: more rigor and more compliance, as I mentioned earlier. But I think it also gave me that perspective of putting everything in terms of risks, system risk, company risk, et cetera. So I’m very well grounded in those principles. And it helped a little bit more that I came from financial services, so there’s obviously a lot of regulatory oversight, not just compliance for the sake of winning deals or closing deals. So that’s kind of where I started.
But slowly by slowly I took over teams like SecOps and then deployed, I think it was Veracode, back early on when it was an early product. So I did some AppSec there, ran a team. I learned a lot from my teams and the consulting companies that we brought in to these different areas. But yeah, I co-founded a startup in the identity security space about four years ago, and I recently left to get back into the CSO world, right? The startup is still doing fine, but it felt like it was good for me to get back into my area of core expertise. And so hence, I’m back in the CSO seat.
Pratik Roychowdhury: That’s actually fascinating. I mean, I’ve worked in larger companies and smaller companies and I think we can clearly see the stark difference between the two environments. So you have navigated the corporate CISO world and then the startup ecosystem. They are very different environments, right?
Sameer: Yeah. Yeah, exactly. Very different. And it gives you a lot of empathy, right? PR, I mean, you’ve also been in startups and very, very large companies. You’ve helped scale companies; you’ve probably done a little bit more than me, I think, because you’ve done not just the zero to one, but the one to a hundred. Then you’ve been at the companies that have gone from a hundred to a thousand, right? Or a thousand plus. I haven’t really done the one to a hundred, but I have the empathy now of how hard sales is, how hard marketing from a creative side is, how hard developing product is.
Right? Like as a CISO, we are so used to seeing large companies, or even if we have a design partner, they move quickly to make us happy. When you’re actually doing zero to one to get the customer happy, the heavy lifting that happens behind the scenes is not a cakewalk, let’s just put it that way.
Right? It doesn’t magically happen.
Pratik Roychowdhury: Right. And yeah, Chiradeep also has had experiences working in smaller companies and larger companies. He’s obviously very hands-on, building products as well as leading teams. So maybe let’s do a deep dive into ProdSec now, but before we get started, maybe it’s a good idea to talk a little bit about definitions. I’ve seen a lot of people talk about product security versus application security. They conflate the two sometimes; sometimes they think about these two as two different entities. So maybe we start off with how you define product security and what you see as the differences between product security and traditional application security, and so on.
Sameer: I can go first and then maybe EP can give his opinions. Right. I think,
for me, I feel like a lot of us, especially the Bay Area folks, and I’m in Austin, Texas, unlike you guys in the Bay, but I feel like a lot of us have been doing product security, but we haven’t really called it that.
I’ll give us some credit to say that
Pratik Roychowdhury: Hmm.
Sameer: we were thinking bigger, but for me, AppSec was very much a SAST scan of a web app, when apps were a little bit less complicated, if you will. And maybe I’m dating myself, but some level of focusing on that application, functionality in a black box kind of environment, right? I think that’s what I’ve traditionally looked at: scanning code, pen testing, maybe even highlighting the patches from a Microsoft app that we’ve deployed in our environment. To some extent, that’s not our app, but it’s a SaaS app, if you will. I think ProdSec is kind of looking at the lifecycle, right?
One is the lifecycle. Second is that the word product itself has now morphed into more than just software alone. It’s now the platform the software runs on, which could be as a service, could be a platform, it could be an integrated solution working through an API that does automated reporting based on the app.
But somebody built that little module. Maybe they used a third-party open source module to plug in. It could be hardware, right? Like sometimes I don’t even realize that you could control devices using software, so that’s part of your ecosystem. For me, the Tesla car is a product that I use, and all the components that are driven by the software have to also be understood to really understand product security end to end.
That’s kind of how I think about it. But I’d love to hear Chiradeep’s opinion, ’cause he’s much deeper than I am in this space.
Chiradeep: Well, I’ll bring a developer’s perspective. For me, AppSec was mostly a burden, I would say: security teams pushing vulnerabilities and SBOM and all those kinds of container problems. And at the end of the week it’s literally dozens and dozens of fixes that you have to do. Well, of course, you have to also deliver your product features, right? So to a developer, a product is the features and not the security part. And I can tell you that most product managers have no idea what security is either, even though their title has product manager in it. So developers are, I think, a little tired of AppSec, and they want a better solution than just, you know, send me all the bugs that your tools find and then fix them. And to be honest, app developers also don’t know the whole security landscape. They don’t know how they can be hacked.
They don’t know how to defend themselves. They know some best practices, but it’s sorely lacking. And from the security side, I think they barely know what the product does. All
Sameer: Yes.
Chiradeep: they do is look at the tools all day, but that’s their job, right? I mean, that’s what they’ve been told to do: reduce the risk.
And the number one way to measure that is to reduce the number of critical bugs. So it’s a tough landscape for both application developers and product security teams. And I think that product security has to be some way that both teams uplevel themselves, where application developers know what security is and have the tools and means to fix it easily, and on the security side, being able to give more context to whatever the tools are saying, to understand the kind of pain the developer is going through. So to me that’s more of a holistic view of what product security is.
Pratik Roychowdhury: And Chiradeep, you have also worked on both the developer side as well as the security side, so that makes sense from your perspective. Both of you have been talking about something which is very important, where applications are getting more and more complex.
There are microservices. There are now third parties and LLMs and SaaS services that are being used. Lots of different components. So I think, to both of your points, product security becomes more and more important. Right. So maybe we can switch gears a little bit into the AI and agent approach.
So, Chiradeep, you have been doing a lot of work on the AI and agent side. Maybe you want to kick it off.
Chiradeep: Yeah, so I think last year we decided to see how generative AI can help the security teams as well as the application developers up their security practice, if you will. And it’s been terrific, right? You could see the improvement of these LLMs has been leaps and bounds, and what you thought was not possible three months ago is suddenly possible.
And in fact, the code that you wrote three, four months ago to carefully orchestrate the LLM, you can just throw it away because the LLM does it all. It’s been a little bit frightening, but also exhilarating. And I think 2025 is supposed to be the year of agents, where agents not only do one-shot things, but autonomously do multi-step things like, okay, go book me a vacation, which includes the air ticket and the bed and breakfast and the lunch and the dinner and the spa and everything else. And it’s just one shot and you just let it do its job. So that agent future is coming, and I see no reason why that shouldn’t come into security as well.
Pratik Roychowdhury: Yeah, and I think, Sameer, you also talked quite a bit about how AI is helping security and maybe product security in general. So maybe it’ll be good to hear your thoughts. I heard this term, the agentic battlefield of security, where the product is getting more and more used in terms of agents.
Agents are talking to agents. There are so many protocols, MCP, A2A, so many protocols that are coming up. And then bad actors have been using agents for quite a while. So how do we think about security in terms of an agent approach? Would love to hear your thoughts on that.
Sameer: When you say thinking about security from an agent approach, you mean securing the agents, or the agents being used to be more productive in securing the apps in question? Both?
Pratik Roychowdhury: Actually both. Both angles. Yeah, that’ll be good.
Sameer: You know, I’ve seen a lot of startups. I still get pitched quite a bit for startups through my VC contacts on securing agents, right?
Securing the new applications. Securing agents from more of a, it seems to be a lot of focus on the data input validation and the output validation, right? Like safety of AI use, with inadvertent sharing of corporate secrets with an agent. That seems to be the hot topic with a lot of the startups that I talk to. It’s a crowded space for sure. And I can see why people are worried because customers have a marketing person that wants to start using agents for creating marketing collateral, et cetera. I don’t know yet, and I’m not a soothsayer in this space, but I don’t know if the future is the ChatGPTs of the world inherently building these guardrails, maybe buying a company or two, right? Or there’s another unicorn in the making in this space. I don’t know about the unicorn in the making in this space, but again, I don’t wanna say anything, because one of the co-founders of ChatGPT/OpenAI, I heard, has started a company, Ilya
Pratik Roychowdhury: Yeah.
Sameer: has started a company for the safety of AI, right? So he might be onto something. I mean, these are brilliant people out there. But I think what is interesting as a consumer is that we all have budget pressures, right? Look, I’m back in the CISO world, I can tell you, and my boss is great. He’s like, hey, go out and do what’s right for the company. Buy ransomware tooling, buy pen testing tooling, attack surface, all this stuff, right? But inherently we do realize as CISOs and CIOs that we wanna do what’s right for the company. If you manage your costs smartly, you can use that money for other purposes, whether it’s upskilling your team or, you know, you have a certain amount of money that’s not tied to revenue generation.
So you gotta be smart. So what I think is really interesting in this space is, one is obviously you guys have heard of AI for SecOps. I mean, there are probably 25 companies I know, right? I’ve advised a few, I’ve helped a few. That’s like the obvious one: okay, let’s go after SecOps, because the world is talking about the lack of skilled level one, level two, level three people.
We’re gonna go and throw money at this problem, right? And it may or may not pan out, because people are using different angles. The other one is what is preemptive or proactive, because you have to remember, SecOps is very detective and reactive.
Right. For the most part, as much as a SecOps person can turn to you and tell you, hey, we’re getting near real time, it’s actually very reactive, right? Let’s just be honest. But on the offensive side and the preemptive side, the idea of being able to use agentic capabilities, and I’m not gonna name it as one capability alone, to preempt part of your builder cycle,
the build environment or build lifecycle, if you will, I think has a lot of promise. Because, as Chiradeep mentioned, there’s not just friction, but there’s a lack of understanding and context for developers of what AppSec people need or are looking at or looking to do. On the flip side, the AppSec people don’t really fully understand the context of the product that’s being built. As you guys know much better than I do, a product starts off with “we’re gonna build this,” and as they get customer feedback, that product evolves. It’s like, I need these features, I need that, I might need to replatform this. So that one document that the security guy got way in advance is very different from what they need to be really looking for in terms of risk in the product, right? I think there’s a lot of promise there, and I haven’t heard of enough companies in that space. Honestly, PR and EP, I haven’t learned of too many.
There’s a little bit of noise, but I can talk a little bit more about that noise in the future.
Pratik Roychowdhury: Sure. And I know, Chiradeep, you obviously spoke about how LLMs are becoming very strong as far as reasoning is concerned. And Sameer was talking about the proactive or preemptive side of security. So obviously it looks like we can use the reasoning power of LLMs and all these frontier models to come up with more offensive or proactive security.
Chiradeep: Yeah, as I’ve worked with LLMs, I think one insight that I got was that they’ve seen a lot of code and they’ve been trained with reinforcement learning on a lot of code. And in retrospect, it’s obvious why: because replacing software developers, which is the number one expense of a company these days, is probably a hundreds of billions, if not trillion, dollar market, right?
So if you can unleash agents for $50 a month to replace a software engineer, great, right? And so the pace of improvement, especially in software, has been remarkable to see. And I myself use these tools every day. So the knock-on effect of that is that we can build cybersecurity tools for applications which are very capable, because they understand code and they’re very good with the environment around the code, which is CI/CD, the command line, writing Python code to do various tests. And so the future obviously is that, as more code is written, more of the testing, more of the defense and more of the offensive security will become agentic as well.
Pratik Roychowdhury: Perfect. So maybe let’s just move on to more of the practical implementation of product security and budgeting. So maybe the first question around that, Sameer, if you can talk to us a little bit about budgeting. If you look at the way Gartner characterizes all these things,
they do a pretty good job of classifying the market based on their interactions with a lot of companies. They have application security testing, vulnerability management, technical testing, which includes all the pen testing areas, compliance. These are actually multi-billion dollar budgets.
Each of them is a multi-billion dollar market by itself. But one of the things that always comes up when you look at product security is: is it just a subset of application security, which means from a budget perspective a subset of the application security budget will be allocated to it? Or is it a new line item, a new budget that is getting created?
Or is it taking budgets from different areas and then creating a new budget? Would love to hear how you, wearing your CSO hat, would think about it.
Sameer: Yeah, no, it’s a great question. And look, I wanna preface this with: what I’m gonna say is not applicable to every situation or even every industry, right? It could be very different, industry specific. But what I’ve noticed is, for example, I remember this phenomenon around data security. Data security, in some companies, came up from the privacy angle, data privacy because of GDPR. It became a line item on the budget separate from all the infrastructure security or AppSec or any of these things. It became almost like a separate line item. It was small initially, then it grew, and then it kind of got absorbed. I’ll give an example.
For me it got absorbed under cloud security, because we were a very cloud-native company, but I can see it being a standalone entity or budget item under a CISO, where it would work closely with legal, potentially, or the compliance teams, with an actual data security VP-level, senior-level leader. On the flip side, with something like product security, what I’m seeing and hearing, especially after meeting you guys, I started to ask, well, what is this product security thing, where does it report into? What I started seeing was that it was almost like an opportunity for CISOs to elevate their AppSec leaders or their cloud sec leaders into another level and have a few things reporting to them. So for example, I was talking to a friend of mine and he was like, yeah, my ProdSec leader owns AppSec, and I’m thinking of putting third-party sec under them. I was like, third-party sec is TPRM, man. That’s compliance. Why would you do that? He’s like, yeah, you’re right, I’m having a hard time deciding, but it includes supply chain. So I need him to have someone who’s just focused on supply chain risk, ’cause the third-party risk guys don’t go deep enough, because they’re governance, risk and compliance. And so he was asking me for advice and I said, everything you’re doing makes sense, because a product could be, let’s call it, a non-technical product.
Okay? But at the end of the day, like a Tesla, all products are becoming to some extent driven by software, having software components, communicating via software. Let’s even look at a BMW or a Jeep, right? A Jeep Grand Cherokee, which may not have the sophistication of a Tesla, but it still has connectivity through Sirius Radio.
It’s got connectivity through 5G hotspots, right? So when you think about product security, you have to actually include those other components that come under the supply chain with it, right?
Pratik Roychowdhury: Right.
Sameer: So that’s what I’m seeing, that it’s becoming the bigger budget. So,
Pratik Roychowdhury: Hmm.
Sameer: he can go to the board, or his boss, maybe not the board level, and say, hey, AppSec is a $3 million budget. I need four because it includes much more than just your basic web app with the front
Pratik Roychowdhury: Right.
Sameer: end and some interface. So, yeah. I think that’s where I’m seeing it heading, PR.
Pratik Roychowdhury: I think that’s great, because based on our discussions with a lot of CISOs as well, we have seen that ProdSec is a budget that is being created, which is larger than AppSec, because AppSec is very much focused on the code, but product is much bigger. One other thing we want to talk about on the implementation side is the dev-sec friction, or dev-sec collaboration. And maybe, Chiradeep, you keep talking about how you have been in both roles: you have been managing security in your previous company, and you have obviously been on the developer side. So maybe I’ll just hear your perspective on the dev-sec friction or dev-sec collaboration when it comes to implementation of product security.
Chiradeep: Yeah, it arises naturally from the fact that developers are in charge of delivering product, and security is in charge of delivering security. And so the goals are not aligned and harmonized. So when you ask developers, hey, show up for this meeting with security to discuss this long list of 51 vulnerabilities, they’ll sometimes grudgingly come, but they’ll say, no, I got this issue to look at, or some production issue to look at.
And so, maybe next time, right? Or even if you give them the list of the actual fixes, right? Some tools actually will give you the fix, the pull request tools, and oh yeah, release three months later or whatever, because I got other things to worry about, critical issues to think about.
And these are all revenue affecting. So that’s a very natural reason for the friction, and I hope some of these emerging AI solutions will help fix that. If you think about it, as I said, I couldn’t get the two teams to be in the same room, even though both teams reported to me. So what if they could send their agents to talk about their problems, and the agents collaborated somehow to come to maybe 80% of the solution? So I’m hoping for some kind of a breakthrough in that arena, but I think it’s still a little bit science-fictiony.
Pratik Roychowdhury: Yeah, I think agent-to-agent communication is gonna be critical in that area.
Chiradeep: Yeah.
Pratik Roychowdhury: So, Sameer, maybe one of the things just to wrap up is: if you were to look at organizations who already have some sort of an AppSec practice, what are some of the steps that they should take to evolve into more of a product security practice and a holistic kind of security of product?
Anything that you would recommend them to look at?
Sameer: Hmm, that’s a good question. You know, I think the traditional answer, PR, is gonna be, gimme more headcount. Right? Gimme more headcount so I can get involved early on. Or convince, like if I was working for EP, I’d say, hey, EP, you’re the CTO, can you convince one of the architects in enterprise architecture to come to the security side? They can learn and empathize with us. They can live with us, learn from us. And we’ve all tried that, right? We’ve all said, hey, get a developer to come work in security, they will really learn a lot, and/or send a security guy to work in development and be part of, you know, maybe DevOps or whatever.
Right? Look, there’s only so much you can do, because that’s not your full-time job. You’ll eventually go back to your day job and your muscle memory will kick back in. You’ll go back into, this is my mandate, right? I think the way that I’m seeing the world going, talking to people like Chiradeep, is that I think agents will help us bridge that gap if we use them right, if we’re able to ask the right questions and give the agents the right context. It’s a combination of we don’t want human error, but we also want the agents to know enough to be able to be valuable. I think the other piece is transparency. And maybe it was probably good that Chiradeep ran both security and developer teams, but a lot of times, it’s human nature again, we tend to live in our silos and say, well, security’s asking, but we’ve got a day job, we can’t keep responding to their requests for information. And then security tries to mandate it by saying it’s compliance and we’ll write a policy and standard around it. It becomes very messy. I think transparency is very important culturally.
Right? I think these teams have to start respecting each other’s work, but also have to start sharing the artifacts early on and allowing the agents that I use and they use to engage with each other. So I think there’s an agent-to-agent play here that I haven’t fully figured out. Maybe you guys can come up with a dream, but how do we make this a reality where the human emotion doesn’t come into the middle of solving product security holistically?
Pratik Roychowdhury: All right, perfect. And so that’s a wrap. This has been a very enlightening conversation. Sameer, thank you so much for sharing all your insights. Very,
And thank you to all of our listeners for joining us on ProdSec Decoded. If you found value in today’s conversation, please subscribe, leave a review and share with your colleagues.
We’ll be back soon with another episode. Until next time, stay secure.