Throughout my career as an AppSec professional, I have been fortunate to meet and network with some of the industry's most incredible talent, each making their mark in helping to secure and strengthen the world's ever-increasing webs of code. At this stage in my journey (with a little more knowledge and a lot less hair!), I am often asked to speak to the future stars of software security, and it's a gig I love. However, I also understand just how important it is to be visible as a leader and mentor to those who are looking to stand tall and grow into their roles.

Recently, I was in London with some of the Secure Code Warrior team, and we hosted a brunch event with the aim of getting a handful of AppSec superstars together for networking, insights and a pastry or two. In front of more than sixty invitees, they imparted their wealth of expertise as part of an expert panel, getting everyone excited about the future of application security.

Addressing hot-button issues like how to make the most of an organization's AppSec budget, as well as several curly questions from the audience, the panel delivered some real morning magic that will undoubtedly help security managers, specialists and their developers build out viable programs within their organizations.

We were privileged to host the following leaders for the panel, Tools Vs. People: Is Your AppSec Budget Adequately Addressing Both?

• Vincent Gilbert, CISO, Societe Generale
• C̩dric Levy-B̩ncheton, CEO, Cetome
• Reena Shah, Head of Security & Privacy Culture and Awareness, M&G Prudential
• Lee Thurlow, Global AppSec Director, Pearson
• Lewis Bramfitt, Managing Director, Bramfitt Lab.

Each speaker shared their thoughts on the AppSec tools landscape (spoilers: with many organizations generating so much software, it can be a minefield selecting tools that perform every function you require. After all, no singular tool can cover it all).

Reena Shah also made an interesting point. In just a few short years, we have seen a positive shift in the perception of AppSec within large organizations, allowing for a critical element to start taking shape - the investment in people to uphold security best practice and culture:

"I think it is changing. When I started this four years ago, trying to get a budget and team when it comes to security culture and awareness was really difficult. And what I am finding now, is that it is not my challenge anymore. It's very easy for me to say, "this is the budget I need, these are the people I need, to reduce risks. I'm seeing a massive shift, and I think that's because the board - and the C-Suite - are understanding how important it is to provide funding to assist us in reducing security incidents." She said.

You can watch the full panel right now:

For me, it is incredibly refreshing to see the future of AppSec incorporating an emphasis on the right training and knowledge for the developers on the front lines, allowing them to form solid defense against age-old vulnerabilities that still rear their ugly head.

Tools provide one level of support, but really - it's time we faced facts. We simply need to stop repeating the same mistakes.

Closing the AppSec Error Loop

As part of the Leaders in AppSec brunch, I also delivered a presentation on how we can address the costly, ongoing issue of the same security vulnerabilities appearing over and over again. Tools might find them, but they're not doing much to prevent them. Developers need to be given the right training to stop their introduction in the first place.

And, well, us developers are a funny bunch. Some training is much more effective than others when it comes to engagement and retention. You can watch my presentation in full here:

An emphasis on security training, as well as general awareness and a positive culture between developers and AppSec is like kryptonite to an attacker. Those little back-door openings shut, those easy ways to our data dry up, and security superheroes are working together to make security synonymous with software quality.

Slowly, but surely, we're getting there.