
Cloud Control: Q&A with John Poulin on Elevating Application Security in the Age of AI

June 4, 2024



Hi everyone 🚀

This week we’re diving into a topic that’s reshaping the landscape of application security: the integration of artificial intelligence. I’m thrilled to bring you an exclusive interview with John Poulin, the CTO of Cloud Security Partners, who has been at the forefront of using AI to enhance security protocols.

John brings a wealth of knowledge and experience to the table, particularly in how AI can be leveraged to not only detect but also predict security vulnerabilities before they become threats. His approach to application security, especially in the realm of software development, provides invaluable insights for anyone looking to strengthen their security posture.

In our discussion, John shares his journey through the evolution of security practices, from the early days of combating SQL injections to today’s sophisticated AI-driven defenses. His passion for educating and implementing secure coding practices shines through as he details how Cloud Security Partners is making major advancements in the field.

Stay tuned, learn a lot, and as always, let’s keep pushing the boundaries of what’s possible in cybersecurity together.

Cheers,

Ian

P.S. We're hosting a roundtable on June 4th as part of New York Tech Week. Myself and other cyber & cloud security founders will be discussing how growth-stage companies can harness AI to scale their organization securely. Expect an exciting roundtable, the opportunity to meet others in the space, and of course - drinks. Register here to save your spot.

Question 1 💭

John, welcome to Cloud Control. To get started, could you share why you decided to specialize in application security within software development? What about that space is most exciting to you now?

Answer 1 🎯

I started developing an interest in application security at a very young age. Since high school I knew that I wanted to focus on application security; I just didn’t know it had a proper name at that time. Shifting back nearly 20 years, SQL Injection was everywhere, and there was constant risk of an organization's data being exposed. This was extremely interesting to me as a student, and helped really shape my interest in “learning how to hack.” Helping organizations detect and mitigate vulnerabilities in products well before bug bounties existed - it really felt like the wild west.

These days things have changed. SQL Injection is far less common. AI and ML, however, still feel like the wild west. I like to spend my time working with clients on secure design patterns, to help identify issues early into the process. In fact, I really enjoy teaching Defense-in-Depth engineering training and workshops where we talk through many of these principles. Many of the ideas we talk about are extremely obvious, but something you just need to hear someone say before it clicks.


 


Question 2 💭

You have experience in both large corporations and nimble startups. What are some of the unique application security challenges each type of organization faces? What’s different versus the same in your approach to each?

Answer 2 🎯

A lot of the challenges differ between organizations based on engineering velocity and technology investment. For instance, an organization that paves engineering paths that permit a very limited set of languages/frameworks/tools will be more reasonable to secure than an organization that has a significant amount of sprawl. 

Regardless of organization size, focusing on establishing secure coding requirements and processes early on will enable the development of a strong application security program. Incidents and investigations will happen, prepare for them and be sure to utilize them as a learning opportunity.


 

Question 3 💭

Secure code reviews and threat modeling are right up your alley. Tell us about common pitfalls that teams often find themselves in. What are your pro tips for avoiding them?

Answer 3 🎯

Too often teams get hung up trying to perfect Threat Modeling and design reviews, and thus end up never executing them at all. Methodologies can be super helpful, and they’re going to evolve, but you don’t need one to get started. 

At the end of the day, especially with smaller organizations that may not have ever participated in a threat modeling session, just dive in and have a discussion. Focus on understanding what the system is trying to accomplish, and then start to think about what problems there could be. From there, understand what techniques you could take to solve the problem. You don’t need to be too focused on the output yet. I’ve seen threat models conducted on whiteboards and captured with photographs. Anything works, especially initially. Take a few days to think about the discussion, and come back to it. If you’re threat modeling in 1-hour, and never circling back to iterate, it’s going to be incomplete.

Same with code. When introduced to a new language/framework don’t feel shy - just dig into the code and start to understand the structure of the code. Where are configuration settings declared? How does the application route requests? These two questions will really help you understand how to decipher new frameworks. Once you start to identify patterns, utilize tools to help surface those. One of my favorite tools to use during code review is simply just grep.


 

Question 4 💭

In your time leading tech at Cloud Security Partners, you’ve seen a lot of projects from start to finish. Could you share a story about a project that really pushed the envelope in application security and what it taught you?

Answer 4 🎯


I’m consistently impressed with projects that make significant use of integration testing. While this doesn’t exactly scream “pushing the envelope,” it does speak volumes to the maturity of the engineering processes. Utilizing testing as part of the security progress enables clients to reduce the likelihood of regression, allowing them to remain forward-focused and ship meaningful features.

Generally speaking, many of the clients we work with year-over-year have really begun pushing the envelope. One client in particular has implemented a centralized audit logging framework, ensuring that every request that flows through the system has an associated audit log entry. They have implemented static typing inside a dynamically typed language to provide extra assurance that the data is not susceptible to type confusion. In addition to that, they rely on additional input validation to ensure that data matches expected patterns. Overall, this client in particular embodies the defense-in-depth approach.

In working with this client, and several others, it taught me to focus on helping clients understand prioritization. Given what I know, how would I recommend clients prioritize remediation? Hint: It’s not always by risk - there’s a lot of other variables that go into it.


 

Question 5 💭

Transitioning into your role as CTO, you've seen both sides of app security. How has your hands-on experience in security engineering influenced your leadership style and priorities at Cloud Security Partners?

Answer 5 🎯

Leading with empathy is a lesson I share during every talk and training that I give. Vulnerabilities are going to happen, as are availability incidents. When these things happen it’s important to focus on establishing blameless processes to address the issue at hand. More often than not the team or employee who introduced the issue will be involved in the remediation or the solution. Embrace them for their ability to step in and rectify the issue in a timely manner. This process will establish trust between management and the employees and build a really positive culture. It’s never appropriate to blame an individual for a security issue, but it is appropriate to blame processes and to seek to improve those.


 

Question 6 💭

You’ve presented at top industry events such as DEF CON and DevSecCon, often speaking about practical app security. Reflecting on these experiences, what emerging trend or concept in app security do you find most practitioners are still overlooking? What should we be doing to get ahead of it?

Answer 6 🎯

The biggest trend I see is folks are failing to design systemic controls. Take Audit Logging, for example. 

Audit Logging is intended to log activities related to users/organizations and manifest them in a user-exposed way. This process aids in allowing users to perform their own support, their own incident response, by answering questions such as “What did a threat actor do with my account while they had access?”

Building this system early on, and designing for it makes rollout easy and consistent. Consistency is key in Audit Logging systems, as it allows data to be processed in a clear and concise manner.

Utilize middleware to ensure that every state-changing request has at least one audit log entry - this will ensure that there are no unexpected gaps in coverage. There’s nothing more frustrating than to be told “we don’t log that” during an incident response investigation.
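
The middleware control described in the answer above, sketched as an added example (not code from John Poulin or Cloud Security Partners). It assumes a WSGI application; the `audit.trail` environ key, the entry fields and the demo routes are hypothetical, and the requests are constructed.

```python
import json
import time
import uuid

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

class AuditTrail:
    """Per-request recorder that handlers call to emit audit entries."""
    def __init__(self, sink, request_id, actor):
        self.sink, self.request_id, self.actor = sink, request_id, actor
        self.count = 0

    def record(self, action, **details):
        self.count += 1
        self.sink.append(json.dumps({
            "ts": time.time(), "request_id": self.request_id,
            "actor": self.actor, "action": action, "details": details,
        }, sort_keys=True))

class AuditMiddleware:
    """WSGI middleware: no state-changing request leaves without an entry."""
    def __init__(self, app, sink):
        self.app, self.sink = app, sink

    def __call__(self, environ, start_response):
        trail = AuditTrail(self.sink, str(uuid.uuid4()),
                           environ.get("REMOTE_USER", "anonymous"))
        environ["audit.trail"] = trail  # hypothetical key handlers look up
        seen = {"status": "handler raised"}
        def capture(status, headers, exc_info=None):
            seen["status"] = status
            return start_response(status, headers, exc_info)
        method = environ.get("REQUEST_METHOD", "GET").upper()
        try:
            return list(self.app(environ, capture))  # buffered for brevity
        finally:
            # Runs on success and on exceptions: backfill and flag the gap.
            if method in STATE_CHANGING and trail.count == 0:
                trail.record("unaudited_request", method=method,
                             path=environ.get("PATH_INFO", ""),
                             status=seen["status"], coverage_gap=True)

def demo_app(environ, start_response):
    """Constructed sample app: /api/keys audits itself, other routes forget."""
    if environ["PATH_INFO"] == "/api/keys":
        environ["audit.trail"].record("api_key.create", key_name="ci")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def run(method, path, user="alice"):
    sink = []  # stands in for the real audit store
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_USER": user}
    AuditMiddleware(demo_app, sink)(environ, lambda s, h, e=None: None)
    return [json.loads(line) for line in sink]
```

Entries carrying `coverage_gap` are the ones to alert on: each marks a handler that changed state without writing its own specific audit record.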


 

Question 7 💭

Cloud technologies are constantly evolving. What emerging security risks do you believe organizations should be paying closer attention to?


Answer 7 🎯

Everyone expects the answer here to be AI/ML, and in some sense it is, but with a slightly different take.

With the rise of AI/ML technologies, attacks such as Deepfakes are drastically increasing the complexity of detecting phishing attacks. Training and awareness are becoming more and more important, as the techniques for detecting these types of attacks have changed the landscape of traditional cyber security awareness.

I believe that organizations will become more susceptible to phishing attacks, and while education and awareness is important, it won’t prevent all of them. Now is a good time for an organization to review their incident response plans to understand how to handle phishing compromises. Additionally, it’s a good time for organizations to focus on the principle of least privilege to help enforce a tight blast radius, in the event of a compromise.

I’m not going to touch on it much now, but I also believe that the software supply chain is the largest risk to organizations. There are many lessons to learn here, and they can’t all be solved by relying on SBOMs.


 

Question 8 💭

You talk a lot about secure code education and awareness. How do you see the landscape of developer education changing, particularly with the integration of AI and machine learning in development processes?

Answer 8 🎯

In the education and awareness space there is a ton of potential for machine learning to better support developers. ML really enables the distillation of large amounts of information, which is something that is critical to any education process.

In organizations that have a mature security requirements program, ML applications can be designed to consume the requirements list, documentation, and common references for the technologies in use. This enables users to ask questions and get clarifications around security requirements easily, reducing the friction between developers and documentation.

With enough training, it is likely that ML models will eventually be able to detect violations of an organization’s security requirements.


 

Question 9 💭

The cybersecurity landscape is constantly changing. In your view, what will be the biggest challenges and opportunities for application security in the near future, and how should the industry adapt to meet them?

Answer 9 🎯

AI/ML, which is probably the most expected answer. Machine Learning has existed for decades. It’s only really within the last few years that it became such a prevalent conversation piece. Everyone is looking to leverage AI/ML across their teams, and their products. Roughly 80% of the conversations that I have at conferences, online, and even amongst less technical folks involve Machine Learning in some capacity. 


With the substantial uptick in integration of ML comes a significantly unique attack surface. How do we interact with these models in ways that cannot be tampered with, misinterpreted, and represent real and factual data? Prompt injection, for instance, is a “new” attack surface, but in some ways draws parallels to the early days of SQL Injection. Can we expect to see Parameterization of model queries, which separates the data from the queries, mitigating the concern altogether?

Never forget Tay.


 

Question 10 💭

As we wrap up, can you share any groundbreaking concepts or projects you're looking forward to exploring in application security? What's next on the horizon for Cloud Security Partners that could redefine how we approach app sec?

Answer 10 🎯

At Cloud Security Partners we spend a lot of time working with clients early in their SDLC to help them focus on security by design. A large part of our interest lately has been around defense-in-depth engineering, which focuses on the concept of implementing security controls across multiple layers of the product. We enjoy identifying systemic ways to solve issues, but also understanding that additional controls can offer a significant level of comfort. We’re excited to expand our training offerings, and continue teaching Defense-in-Depth engineering across new venues and new audiences.

Additionally, over the next quarter we are investing heavily across our cloud security offerings. We are focused on improving open source tooling to better analyze IAM policies and roles, to help improve the ease of implementing the ‘principle of least privilege.’

Latest AWS and Azure Updates You Don’t Want to Miss

  1. AWS Systems Manager Parameter Store now supports cross-account sharing
  2. Generate AWS CloudFormation templates and AWS CDK apps for existing AWS resources in minutes
  3. AWS free tier now includes 750 hours of free public IPv4 addresses, as charges for public IPv4 begin
  4. Azure Red Hat OpenShift April 2024 updates
  5. General availability: Extensible key management using Azure Key Vault for SQL Server on Linux

Top Articles and Resources of the Week

Articles

  1. Seven Cybersecurity Tips To Strengthen Your Startup’s Security Posture
  2. Zscaler CEO Talks Guidance, Breach Rumors, Cybersecurity
  3. Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers
  4. New AlgoSec Double-Layered Cloud Security Solution Minimizes Critical Cyber Security Blind Spots in Cloud Environments
  5. Cloud Security Alliance Survey Finds 70% of Organizations Have Established Dedicated SaaS Security Teams

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.